Domain-Name-System
Unable to obtain a certificate from Let's Encrypt using the DNS-01 challenge
I have tried to obtain a certificate with certbot, caddy and lego. All of them return a similar error for this domain.
I am using the DNS-01 challenge. This is the output of the lego client:
ananth@wopr ~> lego -a -m "my@email.com" -d subhamho.me -d "*.subhamho.me" --dns gandiv5 --path ./lego run
2021/05/14 00:20:13 [INFO] [subhamho.me, *.subhamho.me] acme: Obtaining bundled SAN certificate
2021/05/14 00:20:15 [INFO] [*.subhamho.me] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13090317014
2021/05/14 00:20:15 [INFO] [subhamho.me] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13090317037
2021/05/14 00:20:15 [INFO] [*.subhamho.me] acme: use dns-01 solver
2021/05/14 00:20:15 [INFO] [subhamho.me] acme: Could not find solver for: tls-alpn-01
2021/05/14 00:20:15 [INFO] [subhamho.me] acme: Could not find solver for: http-01
2021/05/14 00:20:15 [INFO] [subhamho.me] acme: use dns-01 solver
2021/05/14 00:20:15 [INFO] [*.subhamho.me] acme: Preparing to solve DNS-01
2021/05/14 00:20:15 [INFO] [subhamho.me] acme: Preparing to solve DNS-01
2021/05/14 00:20:15 [INFO] [*.subhamho.me] acme: Cleaning DNS-01 challenge
2021/05/14 00:20:15 [INFO] [subhamho.me] acme: Cleaning DNS-01 challenge
2021/05/14 00:20:15 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13090317014
2021/05/14 00:20:16 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13090317037
2021/05/14 00:20:16 Could not obtain certificates:
error: one or more domains had a problem:
[*.subhamho.me] [*.subhamho.me] acme: error presenting token: gandiv5: findZoneByFqdn failure: unexpected response code 'FORMERR' for _acme-challenge.subhamho.me.
[subhamho.me] [subhamho.me] acme: error presenting token: gandiv5: findZoneByFqdn failure: unexpected response code 'FORMERR' for _acme-challenge.subhamho.me.
The other two clients, certbot and caddy, also have FORMERR in their error messages.
I tried specifying a different resolver for lego with the --dns.resolvers option. systemd-resolved does not seem to resolve this TXT record correctly; it appears to consider its format invalid. The domain resolves correctly with a dnsmasq server that I run.
When requesting a wildcard certificate from Let's Encrypt, you must set a TXT record in your DNS zone file (or in the backend of your provider, gandi.net) under the name
_acme-challenge.subhamho.me
containing the token you receive when you issue the command
certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok -d '*.subhamho.me' -d subhamho.me
The output of the above command will be
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for subhamho.me
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.subhamho.me with the following value:

<acme-challenge-value>

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
where the token is the value of
<acme-challenge-value>
. Once the TXT record is set and you press Enter
, you should receive the wildcard certificate. At the moment there is no such token. You can check this with
dig TXT +short _acme-challenge.subhamho.me
which is why you get the error
[*.subhamho.me] [*.subhamho.me] acme: error presenting token: gandiv5: findZoneByFqdn failure: unexpected response code 'FORMERR' for _acme-challenge.subhamho.me.
[subhamho.me] [subhamho.me] acme: error presenting token: gandiv5: findZoneByFqdn failure: unexpected response code 'FORMERR' for _acme-challenge.subhamho.me.
Remember that you must renew the TXT record every time you renew the certificate (i.e. after 90 days).
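The answer above says to publish the challenge value under _acme-challenge.subhamho.me and verify it with dig before continuing; the question shows what the failure looks like when the resolver itself answers FORMERR instead of NOERROR. The following Python is an added example, not code from the original question, answer, lego or certbot. It computes the DNS-01 TXT value the way RFC 8555 §8.4 defines it (base64url of SHA-256 over token "." RFC 7638 thumbprint of the account key), builds the same TXT query that dig would send, and classifies a reply by RCODE and content so that "resolver returned FORMERR" is reported separately from "record not published yet". The account key, token and the DNS replies are constructed fixtures so it runs offline; only the wire-format code is real DNS.

```python
import base64
import hashlib
import json
import struct

# DNS RCODE names (RFC 1035 §4.1.1); FORMERR, the code in the lego log, is rcode 1.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_TXT, CLASS_IN = 16, 1


def b64url(data: bytes) -> str:
    """Unpadded base64url, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, sorted keys, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 §8.4: TXT value = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def encode_name(name: str) -> bytes:
    """Wire-format owner name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name with trailing dot, next offset)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 §4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            suffix, _ = decode_name(msg, ptr)
            return ".".join(labels + [suffix]), off + 2
        off += 1
        if length == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_txt_query(name: str, txid: int = 0x1234) -> bytes:
    """The recursive TXT/IN query that `dig TXT <name>` sends (RD=1, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def build_txt_response(query: bytes, values, rcode: int = 0) -> bytes:
    """Constructed reply to `query` (fixture only); answers point at the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(values), 0, 0)  # QR, RD, RA
    answers = b""
    for value in values:
        assert len(value) <= 255, "longer TXT needs several character-strings"
        rdata = bytes([len(value)]) + value.encode("ascii")
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
    return header + query[12:] + answers


def parse_txt_response(msg: bytes):
    """Return (rcode name, [(owner name, txt string), ...]) from a DNS reply."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODES.get(flags & 0x000F, f"RCODE{flags & 0x000F}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT:
            pos, parts = 0, []
            while pos < len(rdata):  # TXT RDATA is one or more <len><chars> strings
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n].decode("ascii"))
                pos += 1 + n
            records.append((owner, "".join(parts)))
    return rcode, records


def check_challenge(response: bytes, name: str, expected: str):
    """Classify a reply the way a pre-flight check before 'Press Enter' should."""
    rcode, records = parse_txt_response(response)
    if rcode != "NOERROR":
        return rcode, f"resolver returned {rcode} for {name}; fix resolution before retrying"
    found = [v for owner, v in records if owner == name]
    if expected in found:
        return "OK", "expected TXT value is published"
    return "MISSING", f"NOERROR but expected value absent; saw {found}"


# Constructed demo inputs: a made-up EC account key and token, not real ACME data.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", "use": "sig"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
CHALLENGE_NAME = "_acme-challenge.subhamho.me."

if __name__ == "__main__":
    expected = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    query = build_txt_query(CHALLENGE_NAME)
    for label, reply in [
        ("FORMERR from resolver", build_txt_response(query, [], rcode=1)),
        ("NOERROR, stale record", build_txt_response(query, ["stale-value-from-last-renewal"])),
        ("NOERROR, record present", build_txt_response(query, [expected])),
    ]:
        print(f"{label:26s} -> {check_challenge(reply, CHALLENGE_NAME, expected)}")
```

The three fixtures correspond to the three situations the thread mixes together: a resolver that rejects the query outright (the FORMERR in the lego output, which no TXT record can fix), a zone that answers but still carries last renewal's value, and a correctly published record. To run the check against a live resolver, send `build_txt_query(...)` over UDP port 53 and feed the datagram to `check_challenge`; if systemd-resolved returns FORMERR while a dnsmasq or public resolver returns NOERROR for the same packet, the problem is the resolver, not the zone.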