I have seen these questions (^, ^, ^, ^), but unfortunately none of them solves my problem.
I am trying to obtain an SSL certificate for one of my subdomains with certbot. However, the challenge fails when .well-known/acme-challenges/ is tested: the web server (nginx) returns a 404. The exact error is:
Waiting for verification...
Challenge failed for domain api.example.com
http-01 challenge for api.example.com
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: api.example.com
Type: unauthorized
Detail: 139.x.x.x: Invalid response from http://api.example.com/.well-known/acme-challenge/7AujpY6MnpBkHAmVihpVSQXcEMYuMZFHjywSsAICtvQ: 404
Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.
Cleaning up challenges
Some challenges have failed.
I even ran the following command manually from a separate system to obtain the certificate:
certbot -v certonly --manual --dry-run -d api.example.com
However, I ran into the same error again. Following the instructions, I created the file in the corresponding folder (/var/www/certbot/) and copied its contents into it. I even gave the file and the certbot folder 777 permissions and restarted the web server, but it still did not work.
Create a file containing just this data:
7AujpY6MnpBkHAmVihpVSQXcEMYuMZFHjywSsAICtvQ.HQdAzFVYjmgUdQRvdJTBMm2eC2ZLOw-G-4TZr6JB0ak
And make it available on your web server at this URL:
http://api.example.com/.well-known/acme-challenge/7AujpY6MnpBkHAmVihpVSQXcEMYuMZFHjywSsAICtvQ
It seems that /.well-known/acme-challenge/ cannot be accessed at all. Even if I create a plain HTML file in /.well-known/acme-challenge/, I still cannot access it.
I did the same for the domain itself (http://example.com/.well-known/acme-challenge/); although I have already received its certificate, I still have no access to /.well-known/acme-challenge/.
My nginx.conf is as follows:
worker_processes auto;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    client_max_body_size 15M;
    include fastcgi.conf;
    gzip on;
    gzip_disable "msie6";
    gzip_comp_level 5;
    gzip_static on;
    gzip_vary on;
    gzip_proxied any;
    gzip_buffers 16 8k;
    gzip_min_length 1000;
    gzip_http_version 1.1;
    gzip_types
        text/css
        text/xml
        text/plain
        text/javascript
        application/javascript
        application/json
        application/x-javascript
        application/xml
        application/xml+rss
        application/xhtml+xml
        application/x-font-ttf
        application/x-font-opentype
        font/opentype
        application/vnd.ms-fontobject
        image/svg+xml
        image/x-icon
        application/rss+xml
        application/atom_xml;
    proxy_cache_path /etc/nginx/cache levels=1:2 keys_zone=website:100m max_size=1024m inactive=60m use_temp_path=off;
    proxy_cache_key "$scheme$request_method$host$request_uri";
    proxy_cache_valid 200 60m;
    limit_req_zone $binary_remote_addr zone=mylimit:10m rate=30r/m;
    server {
        listen [::]:80;
        listen 80;
        server_name example.com www.example.com;
        location /.well-known/acme-challenge/ {
            allow all;
            root /var/www/certbot/;
        }
        location / {
            return 301 https://example.com$request_uri;
        }
    }
    server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name example.com;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
        add_header Strict-Transport-Security "max-age=63072000" always;
        location / {
            access_log /var/log/nginx/website_access_log;
            error_log /var/log/nginx/website_error_log;
            limit_req zone=mylimit burst=5 nodelay;
            proxy_pass 'http://website/';
            proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            add_header X-Cache-Status $upstream_cache_status;
            expires 30d;
            add_header Cache-Control "public, no-transform";
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_cache website;
            proxy_cache_valid 200 10m;
            proxy_cache_methods GET HEAD POST;
            proxy_cache_min_uses 3;
            proxy_cache_revalidate on;
            proxy_cache_background_update on;
            proxy_cache_lock on;
            proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
            add_header X-Frame-Options SAMEORIGIN;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block";
            add_header Referrer-Policy "strict-origin";
            add_header Content-Security-Policy "default-src 'self'; script-src 'self'; media-src 'self'; img-src 'self' data: https://cloud.domain.co/images/; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'self'; object-src 'none'; connect-src 'self' https://api.example.com";
            # add_header Access-Control-Allow-Origin "*" always;
            add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
            #include http-headers.conf;
        }
        location /.well-known/acme-challenge/ {
            allow all;
            root /var/www/certbot/;
        }
    }
    server {
        listen [::]:80;
        listen 80;
        server_name api.example.com;
        location /.well-known/acme-challenge/ {
            allow all;
            root /var/www/certbot/;
        }
        location / {
            return 301 https://api.example.com$request_uri;
        }
    }
    server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name api.example.com;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
        location / {
            access_log /var/log/nginx/api_access_log;
            error_log /var/log/nginx/api_error_log;
            proxy_pass 'http://api:8090/';
            proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port $server_port;
            add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
            add_header Content-Security-Policy "default-src 'self'; script-src 'self'; media-src 'self'; img-src 'self' data: https://cloud.domain.co/images/; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'self'; object-src 'none'; connect-src 'self' https://api.example.com";
            location /.well-known/acme-challenge/ {
                allow all;
                root /var/www/certbot/;
            }
            # include http-headers.conf;
            # add_header Access-Control-Allow-Origin "*" always;
        }
    }
}
What is wrong?
Any help is greatly appreciated.
Answer 1
Certbot uses the URL http://example.com/.well-known/acme-challenge/... to look for its challenge/response file.
Nginx uses the root directive to translate a URL into a filename by concatenating the root value with the "path" component of the URL.
Given a location block:
location /.well-known/acme-challenge/ {
    allow all;
    root /var/www/certbot;
}
the URL http://example.com/.well-known/acme-challenge/foo expects the file foo to be found in the directory:
/var/www/certbot/.well-known/acme-challenge
You can invoke certbot with the -w command-line option to specify the same path for the challenge/response file. For example:
certbot certonly --webroot -w /var/www/certbot -d api.example.com
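As an added illustration (my own code, not part of the question or answer), the following models the root mapping the answer describes and checks where a token file actually landed; the token and key authorization are the ones quoted in the question, while nginx_alias_path goes beyond the answer to show the contrasting alias mapping, and diagnose, place_challenge and demo are hypothetical helper names of my own.

```python
import os
import tempfile
from urllib.parse import urlsplit

ACME_PREFIX = "/.well-known/acme-challenge/"
# Token and key authorization are the ones quoted in the question's certbot output.
TOKEN = "7AujpY6MnpBkHAmVihpVSQXcEMYuMZFHjywSsAICtvQ"
KEY_AUTHZ = TOKEN + ".HQdAzFVYjmgUdQRvdJTBMm2eC2ZLOw-G-4TZr6JB0ak"

def nginx_root_path(root: str, url: str) -> str:
    """File nginx opens under a `root` location: root + the full URI path,
    so /.well-known/acme-challenge/ stays part of the filesystem path."""
    return os.path.normpath(os.path.join(root, urlsplit(url).path.lstrip("/")))

def nginx_alias_path(alias: str, location_prefix: str, url: str) -> str:
    """Same mapping under `alias`: the matched location prefix is replaced
    by the alias value, so the prefix is dropped from the filesystem path."""
    path = urlsplit(url).path
    if not path.startswith(location_prefix):
        raise ValueError("URL does not match the location prefix")
    return os.path.normpath(os.path.join(alias, path[len(location_prefix):]))

def diagnose(webroot: str, token: str) -> str:
    """'ok' if the token file is where a `root` location looks, 'misplaced' if it
    sits directly in the webroot (the mistake in the question), else 'missing'."""
    if os.path.isfile(os.path.join(webroot, ACME_PREFIX.lstrip("/"), token)):
        return "ok"
    if os.path.isfile(os.path.join(webroot, token)):
        return "misplaced"
    return "missing"

def place_challenge(webroot: str, host: str, token: str, key_authz: str) -> str:
    """Write the key authorization where `root <webroot>` will serve it
    (what `certbot --webroot -w <webroot>` does for you) and return the path."""
    target = nginx_root_path(webroot, f"http://{host}{ACME_PREFIX}{token}")
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w", encoding="ascii") as fh:
        fh.write(key_authz)
    return target

def demo() -> dict:
    """Reproduce the misplacement in a throwaway webroot, then correct it."""
    with tempfile.TemporaryDirectory() as webroot:
        with open(os.path.join(webroot, TOKEN), "w") as fh:  # file in the webroot itself
            fh.write(KEY_AUTHZ)
        before = diagnose(webroot, TOKEN)
        place_challenge(webroot, "api.example.com", TOKEN, KEY_AUTHZ)
        return {"before": before, "after": diagnose(webroot, TOKEN)}
```

Running demo() against a real webroot (without the temporary directory) is a quick pre-flight check before invoking certbot, and an nginx error_log entry naming the path nginx actually tried to open is the other place to confirm the mapping.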