如何处理 certbot 中的“一些挑战失败”?

tag-icon tag-icon nginx ssl certificate lets-encrypt certbot
如何处理 certbot 中的“一些挑战失败”?

我正在尝试使用 Certbot 请求 TLS 证书(来源:https://certbot.eff.org/instructions) sudo certbot --nginx。它应该用于作为拉取缓存的 docker 注册表 (https://docs.docker.com/registry/recipes/mirror/)。

这是日志输出,搜索关键字“error”(cat /var/log/letsencrypt/letsencrypt.log | grep -I error --context=12 -in):

199-    ##
200-    # SSL Settings
201-    ##
202-
203-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
204-    ssl_prefer_server_ciphers on;
205-
206-    ##
207-    # Logging Settings
208-    ##
209-
210-    access_log /var/log/nginx/access.log;
211:    error_log /var/log/nginx/error.log;
212-
213-    ##
214-    # Gzip Settings
215-    ##
216-
217-    gzip on;
218-
219-    # gzip_vary on;
220-    # gzip_proxied any;
221-    # gzip_comp_level 6;
222-    # gzip_buffers 16 8k;
223-    # gzip_http_version 1.1;
--
615-
616-{
617-  "identifier": {
618-    "type": "dns",
619-    "value": "my.subdomain.com"
620-  },
621-  "status": "invalid",
622-  "expires": "2022-10-28T08:43:11Z",
623-  "challenges": [
624-    {
625-      "type": "http-01",
626-      "status": "invalid",
627:      "error": {
628:        "type": "urn:ietf:params:acme:error:connection",
629-        "detail": "ser.ver.ip.add: Fetching http://my.subdomain.com/.well-known/acme-challenge/hHUWDkKoQhke4YWRQJ7P9UoXCb8DV12gZq8Yjdw3YNo: Timeout during connect (likely firewall problem)",
630-        "status": 400
631-      },
632-      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/167006252436/sNVb5g",
633-      "token": "hHUWDkKoQhke4YWRQJ7P9UoXCb8DV12gZq8Yjdw3YNo",
634-      "validationRecord": [
635-        {
636-          "url": "http://my.subdomain.com/.well-known/acme-challenge/hHUWDkKoQhke4YWRQJ7P9UoXCb8DV12gZq8Yjdw3YNo",
637-          "hostname": "my.subdomain.com",
638-          "port": "80",
639-          "addressesResolved": [
640-            "ser.ver.ip.add"
--
648-}
649-2022-10-21 08:43:23,431:DEBUG:acme.client:Storing nonce: 327C_YtRNQL-hZbLzBTyyGyExuukFDBjXHKXyNmZl0m8R70
650-2022-10-21 08:43:23,431:INFO:certbot._internal.auth_handler:Challenge failed for domain my.subdomain.com
651-2022-10-21 08:43:23,431:INFO:certbot._internal.auth_handler:http-01 challenge for my.subdomain.com
652-2022-10-21 08:43:23,431:DEBUG:certbot._internal.display.obj:Notifying user: 
653-Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
654-  Domain: my.subdomain.com
655-  Type:   connection
656-  Detail: ser.ver.ip.add: Fetching http://my.subdomain.com/.well-known/acme-challenge/hHUWDkKoQhke4YWRQJ7P9UoXCb8DV12gZq8Yjdw3YNo: Timeout during connect (likely firewall problem)
657-
658-Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
659-
660:2022-10-21 08:43:23,432:DEBUG:certbot._internal.error_handler:Encountered exception:
661-Traceback (most recent call last):
662-  File "/snap/certbot/2414/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
663-    self._poll_authorizations(authzrs, max_retries, best_effort)
664-  File "/snap/certbot/2414/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
665:    raise errors.AuthorizationError('Some challenges have failed.')
666:certbot.errors.AuthorizationError: Some challenges have failed.
667-
668:2022-10-21 08:43:23,432:DEBUG:certbot._internal.error_handler:Calling registered functions
669-2022-10-21 08:43:23,432:INFO:certbot._internal.auth_handler:Cleaning up challenges
670-2022-10-21 08:43:24,507:DEBUG:certbot._internal.log:Exiting abnormally:
671-Traceback (most recent call last):
672-  File "/snap/certbot/2414/bin/certbot", line 8, in <module>
673-    sys.exit(main())
674-  File "/snap/certbot/2414/lib/python3.8/site-packages/certbot/main.py", line 19, in main
675-    return internal_main.main(cli_args)
676-  File "/snap/certbot/2414/lib/python3.8/site-packages/certbot/_internal/main.py", line 1744, in main
677-    return config.func(config, plugins)
678-  File "/snap/certbot/2414/lib/python3.8/site-packages/certbot/_internal/main.py", line 1441, in run
679-    new_lineage = _get_and_save_cert(le_client, config, domains,
680-  File "/snap/certbot/2414/lib/python3.8/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
681-    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
682-  File "/snap/certbot/2414/lib/python3.8/site-packages/certbot/_internal/client.py", line 530, in obtain_and_enroll_certificate
683-    cert, chain, key, _ = self.obtain_certificate(domains)
684-  File "/snap/certbot/2414/lib/python3.8/site-packages/certbot/_internal/client.py", line 442, in obtain_certificate
685-    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
686-  File "/snap/certbot/2414/lib/python3.8/site-packages/certbot/_internal/client.py", line 510, in _get_order_and_authorizations
687-    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
688-  File "/snap/certbot/2414/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
689-    self._poll_authorizations(authzrs, max_retries, best_effort)
690-  File "/snap/certbot/2414/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
691:    raise errors.AuthorizationError('Some challenges have failed.')
692:certbot.errors.AuthorizationError: Some challenges have failed.
693:2022-10-21 08:43:24,508:ERROR:certbot._internal.log:Some challenges have failed.

它说的likely firewall problem是第 629 行,但输出sudo ufw status

Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere                  
443/tcp                    ALLOW       Anywhere                  
443                        ALLOW       Anywhere                  
80                         ALLOW       Anywhere                  
22                         ALLOW       ser.ver.ip.add            
80/tcp (v6)                ALLOW       Anywhere (v6)             
443/tcp (v6)               ALLOW       Anywhere (v6)             
443 (v6)                   ALLOW       Anywhere (v6)             
80 (v6)                    ALLOW       Anywhere (v6)

第 662 行到第 666 行和第 686 行到第 692 行暗示了一些授权问题,但我不知道这些问题是否与我应该提供的某些身份验证有关,还是与证书服务器方面的问题有关。

这是输出netstat -tulnp

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      80509/nginx: master 
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      724/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      797/sshd: /usr/sbin 
tcp6       0      0 :::80                   :::*                    LISTEN      80509/nginx: master 
tcp6       0      0 :::22                   :::*                    LISTEN      797/sshd: /usr/sbin 
udp        0      0 127.0.0.53:53           0.0.0.0:*                           724/systemd-resolve 
udp        0      0 ser.ver.ip.add:68       0.0.0.0:*                           722/systemd-network

我是否必须registry:2先运行 docker 镜像?是否必须先进行一些 nginx 身份验证?我是否必须在 docker 容器内运行 certbot?

相关内容