Invalid response from .well-known/acme-challenge/: 404 + nginx

I have seen these questions (^^^^), but unfortunately none of them solve my problem.

I am trying to obtain an SSL certificate for one of my subdomains with certbot. However, when .well-known/acme-challenges/ is tested, the challenge fails: the web server (nginx) returns 404. The exact error is:

Waiting for verification...
Challenge failed for domain api.example.com
http-01 challenge for api.example.com

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: api.example.com
  Type:   unauthorized
  Detail: 139.x.x.x: Invalid response from http://api.example.com/.well-known/acme-challenge/7AujpY6MnpBkHAmVihpVSQXcEMYuMZFHjywSsAICtvQ: 404

Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.

Cleaning up challenges
Some challenges have failed.

I even ran the following command manually from a separate system to obtain the certificate:

certbot -v certonly --manual --dry-run -d api.example.com

However, I ran into the same error again. Following the instructions, I created the file in the corresponding folder (/var/www/certbot/) and copied the content into it. I even gave the file and the certbot folder 777 permissions and restarted the web server, but it still did not work.

Create a file containing just this data:

7AujpY6MnpBkHAmVihpVSQXcEMYuMZFHjywSsAICtvQ.HQdAzFVYjmgUdQRvdJTBMm2eC2ZLOw-G-4TZr6JB0ak

And make it available on your web server at this URL:

http://api.example.com/.well-known/acme-challenge/7AujpY6MnpBkHAmVihpVSQXcEMYuMZFHjywSsAICtvQ

It seems that /.well-known/acme-challenge/ cannot be reached at all. Even if I create a plain HTML file in /.well-known/acme-challenge/, I still cannot access it.

I did the same for the domain itself (http://example.com/.well-known/acme-challenge/); although I have already received its certificate, I still cannot access /.well-known/acme-challenge/.

My nginx.conf is as follows:

worker_processes auto;

events{
  worker_connections 1024;
}

http {
  include mime.types;
  client_max_body_size 15M;
  include fastcgi.conf;

  gzip on;
  gzip_disable "msie6";
  gzip_comp_level 5;
  gzip_static on;
  gzip_vary on;
  gzip_proxied any;
  gzip_buffers 16 8k;
  gzip_min_length 1000;
  gzip_http_version 1.1;
  gzip_types
          text/css
          text/xml
          text/plain
          text/javascript
          application/javascript
          application/json
          application/x-javascript
          application/xml
          application/xml+rss
          application/xhtml+xml
          application/x-font-ttf
          application/x-font-opentype
          font/opentype
          application/vnd.ms-fontobject
          image/svg+xml
          image/x-icon
          application/rss+xml
          application/atom_xml;

  proxy_cache_path /etc/nginx/cache levels=1:2 keys_zone=website:100m max_size=1024m inactive=60m use_temp_path=off;
  proxy_cache_key "$scheme$request_method$host$request_uri";
  proxy_cache_valid 200 60m;
  limit_req_zone $binary_remote_addr zone=mylimit:10m rate=30r/m;

  server {
    listen [::]:80;
    listen 80;
    server_name example.com www.example.com;

    location /.well-known/acme-challenge/ {
      allow all;
      root /var/www/certbot/;
    }

    location /{
      return 301 https://example.com$request_uri;
    }
  }

  server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    add_header Strict-Transport-Security "max-age=63072000" always;

    location /{
      access_log /var/log/nginx/website_access_log;
      error_log /var/log/nginx/website_error_log;
      limit_req zone=mylimit burst=5 nodelay;

      proxy_pass 'http://website/';
      proxy_redirect off;

      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Host $http_host;
      proxy_set_header X-NginX-Proxy true;

      add_header X-Cache-Status $upstream_cache_status;
      expires 30d;
      add_header Cache-Control "public, no-transform";

      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Port $server_port;

      proxy_cache website;
      proxy_cache_valid 200 10m;
      proxy_cache_methods GET HEAD POST;

      proxy_cache_min_uses 3;

      proxy_cache_revalidate on;
      proxy_cache_background_update on;
      proxy_cache_lock on;
      proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;

      add_header X-Frame-Options SAMEORIGIN;
      add_header X-Content-Type-Options "nosniff" always;
      add_header X-XSS-Protection "1; mode=block";
      add_header Referrer-Policy "strict-origin";
      add_header Content-Security-Policy "default-src 'self'; script-src 'self'; media-src 'self'; img-src 'self' data: https://cloud.domain.co/images/; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'self'; object-src 'none'; connect-src 'self' https://api.example.com";
     # add_header Access-Control-Allow-Origin "*" always;
      add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";

      #include http-headers.conf;
    }

    location /.well-known/acme-challenge/ {
      allow all;
      root /var/www/certbot/;
    }
  }

  server {
    listen [::]:80;
    listen 80;
    server_name api.example.com;

    location /.well-known/acme-challenge/ {
      allow all;
      root /var/www/certbot/;
    }

    location / {
      return 301 https://api.example.com$request_uri;
    }
  }

  server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name api.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
      access_log /var/log/nginx/api_access_log;
      error_log /var/log/nginx/api_error_log;

      proxy_pass 'http://api:8090/';
      proxy_redirect off;
      
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Host $http_host;
      proxy_set_header X-NginX-Proxy true;

      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Port $server_port;
      
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
      add_header Content-Security-Policy "default-src 'self'; script-src 'self'; media-src 'self'; img-src 'self' data: https://cloud.domain.co/images/; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'self'; object-src 'none'; connect-src 'self' https://api.example.com";

    location /.well-known/acme-challenge/ {
      allow all;
      root /var/www/certbot/;
    }
    # include http-headers.conf; 
    # add_header Access-Control-Allow-Origin "*" always;
    }
  }
}

What is the problem?
Any help is greatly appreciated.

Answer 1

Certbot uses the URL http://example.com/.well-known/acme-challenge/... to look for its challenge/response file.

Nginx uses the root directive to translate a URL into a filename by concatenating the root value with the "path" component of the URL.

Given a location block:

location /.well-known/acme-challenge/ {
    allow all;
    root /var/www/certbot;
}

the URL http://example.com/.well-known/acme-challenge/foo expects to find the file foo in the directory:

/var/www/certbot/.well-known/acme-challenge

You can invoke certbot with the -w command line option to specify the same path for the challenge/response file. For example:

certbot certonly --webroot -w /var/www/certbot -d api.example.com
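The path mapping the answer describes, as an added example that is not part of the original answer or of certbot itself. It works in a scratch directory standing in for /var/www/certbot (the webroot from the question's nginx.conf), reproduces the 404 case (token dropped into the top of the webroot) against the correct placement under .well-known/acme-challenge/, and emulates the CA's comparison of the served file with the key authorisation. The token and key authorisation strings are the ones shown in the question's dry-run output; `acme_path`, `place_token`, `verify_token` and `demo` are names chosen here.

```shell
#!/bin/sh
# Added example: how nginx's `root` maps an ACME challenge URL to a file, and a
# local pre-flight that puts a token where `certbot --webroot -w ROOT` would.
# Assumption: ROOT is the webroot from the nginx `root` directive; the demo uses
# a temporary directory so nothing under /var/www/certbot is touched.

# acme_path ROOT URI
# Print the filesystem path nginx opens for URI in a location using `root ROOT`.
# nginx appends the whole request path to the root value, so the directory
# /.well-known/acme-challenge/ becomes part of the resulting path.
acme_path() {
    root=${1%/}                      # tolerate a trailing slash, as nginx does
    printf '%s%s\n' "$root" "$2"
}

# place_token ROOT TOKEN KEYAUTH
# Write the key authorisation where certbot --webroot -w ROOT would write it,
# which is also where the `root` directive above looks. Prints the path created.
place_token() {
    dir="${1%/}/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$3" > "$dir/$2"
    printf '%s\n' "$dir/$2"
}

# verify_token ROOT TOKEN KEYAUTH
# Emulate the CA's check locally: open the file nginx would serve for the
# challenge URL and compare its content with the expected key authorisation.
# Returns 0 on a match, 1 if the file is missing (the 404 case) or differs.
verify_token() {
    f=$(acme_path "$1" "/.well-known/acme-challenge/$2")
    [ -f "$f" ] || return 1
    [ "$(cat "$f")" = "$3" ]
}

# Demo in a scratch directory standing in for /var/www/certbot. The token and
# key authorisation are the values from the question's dry-run output.
demo() {
    tmp=$(mktemp -d)
    token="7AujpY6MnpBkHAmVihpVSQXcEMYuMZFHjywSsAICtvQ"
    keyauth="$token.HQdAzFVYjmgUdQRvdJTBMm2eC2ZLOw-G-4TZr6JB0ak"

    # What the question did: the file sits directly in the webroot.
    printf '%s' "$keyauth" > "$tmp/$token"
    if verify_token "$tmp" "$token" "$keyauth"; then
        echo "unexpected: token served from the top of the webroot"
    else
        echo "404 as in the question: $tmp/$token is not under .well-known/acme-challenge/"
    fi

    # What `root` actually requires: ROOT/.well-known/acme-challenge/TOKEN.
    place_token "$tmp" "$token" "$keyauth" > /dev/null
    if verify_token "$tmp" "$token" "$keyauth"; then
        echo "served: $(acme_path "$tmp" "/.well-known/acme-challenge/$token")"
    fi
    rm -rf "$tmp"
}

demo
```

Against the real server the same pre-flight is a single request, for example `curl -i http://api.example.com/.well-known/acme-challenge/<token>` after placing the file with `place_token /var/www/certbot <token> <keyauth>`; a 200 with the key authorisation as the body is what the CA needs to see, and a 404 means the file is not at `ROOT/.well-known/acme-challenge/<token>`.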
