Certbot renew dry run fails with error: Input the webroot for sub.mydomain.com:. Skipping
I have a Debian 10 instance running my Node.js/Express API. I have been using different subdomains during development, and added another subdomain as I got close to production. The first domain was dev.myapi.com, and I added another subdomain, dashboard.myapi.com, with:

```
certbot certonly --cert-name dev.myapi.com -d dev.myapi.com,dashboard.myapi.com
```

After that, I ran `certbot renew --dry-run` and got the following error:

```
Processing /etc/letsencrypt/renewal/dev.myapi.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dashboard.myapi.com
http-01 challenge for dev.myapi.com
Cleaning up challenges
Attempting to renew cert (dev.myapi.com) from /etc/letsencrypt/renewal/dev.myapi.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for dashboard.myapi.com:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/dev.myapi.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/dev.myapi.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: /etc/letsencrypt/renewal-hooks/post/reloadService.sh
1 renew failure(s), 0 parse failure(s)
```
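How do I provide the webroot for the new subdomain? My project's root directory is the same. That is, I am running only one project, with both subdomains pointing to it.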
So this is what I did:

```
sudo certbot certonly --cert-name dev.myapi.com \
  -a webroot \
  -w path/to/my/public/folder \
  -d dev.myapi.com,dashboard.myapi.com
```

More details here.
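If you create the certificate with certbot, you can run it as above:

```
certbot certonly --cert-name dev.myapi.com -d dev.myapi.com,dashboard.myapi.com
```

This automatically creates a configuration file at (Ubuntu 18.04 LTS) "/etc/letsencrypt/renewal/dev.myapi.com.conf" containing the details specified on the command line and through any interactive prompts. In your case, as above, you should have been prompted for the authentication method (apache, webroot, standalone server, etc.), and if you chose webroot, you should have been prompted for the path. But if you were not, your configuration will be missing webroot-path.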
Therefore, you should call certbot explicitly with --webroot and **--webroot-path [full path to DocumentRoot]** (in this example "/var/www/html/mySite").

```
certbot certonly --cert-name dev.myapi.com --webroot --webroot-path "/var/www/html/mySite" -d dev.myapi.com,dashboard.myapi.com
```
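If you do not do this, the webroot-path field will not be entered into the configuration file, and any renewal attempt will fail with the error you are seeing.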
You can manually add the path (in this example "/var/www/html/mySite") to the configuration file as shown below; see the "webroot_path =" line under the [renewalparams] section:

```
root:/etc/letsencrypt/renewal# cat dev.myapi.com.conf
# renew_before_expiry = 30 days
version = 1.9.0
archive_dir = /etc/letsencrypt/archive/dev.myapi.com
cert = /etc/letsencrypt/live/dev.myapi.com/cert.pem
privkey = /etc/letsencrypt/live/dev.myapi.com/privkey.pem
chain = /etc/letsencrypt/live/dev.myapi.com/chain.pem
fullchain = /etc/letsencrypt/live/dev.myapi.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = ####
authenticator = webroot
webroot_path = /var/www/html/mySite,
server = https://acme-v02.api.letsencrypt.org/directory
```
Then test:

```
certbot renew --cert-name dev.myapi.com --dry-run
```
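
One way to catch the condition described in the answer above (`authenticator = webroot` with no `webroot_path` under `[renewalparams]`) before a scheduled renewal fails and the certificate expires. This is an added example, not code from the original answers or from certbot; the function names and the sample config files are hypothetical and constructed for the demo, and the check looks only at the `webroot_path` key the answer mentions.

```shell
#!/bin/sh
# Added example: find certbot renewal configs that select the webroot
# authenticator but have no webroot_path saved under [renewalparams].

# Print "ok", "missing-webroot-path" or "not-webroot" for one renewal config.
check_renewal_conf() {
    awk '
        /^[ \t]*#/    { next }                # comment line
        /^[ \t]*\[\[/ { nested = 1; next }    # nested [[...]] subsection: keys not counted
        /^[ \t]*\[/   { in_params = ($0 ~ /^[ \t]*\[renewalparams\]/); nested = 0; next }
        in_params && !nested {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t,]+$/, "", val)
            if (key == "authenticator") auth = val
            if (key == "webroot_path")  path = val
        }
        END {
            if (auth != "webroot") print "not-webroot"
            else if (path == "")   print "missing-webroot-path"
            else                   print "ok"
        }' "$1"
}

# Report every affected config in a directory; return 1 if any was found.
audit_renewal_dir() {
    bad=0
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        if [ "$(check_renewal_conf "$conf")" = "missing-webroot-path" ]; then
            echo "$conf: authenticator = webroot but no webroot_path"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample configs (file names and contents are made up for the demo).
make_sample_confs() {
    printf '%s\n' 'version = 1.9.0' '[renewalparams]' 'authenticator = webroot' \
        'webroot_path = /var/www/html/mySite,' > "$1/good.example.conf"
    printf '%s\n' 'version = 1.9.0' '[renewalparams]' 'authenticator = webroot' \
        'server = https://acme-v02.api.letsencrypt.org/directory' > "$1/bad.example.conf"
}

demo_dir=$(mktemp -d)
make_sample_confs "$demo_dir"
audit_renewal_dir "$demo_dir" || true    # reports bad.example.conf only
rm -rf "$demo_dir"
```

To check the live configs, point `audit_renewal_dir` at /etc/letsencrypt/renewal; a non-zero return means at least one config would hit the "Input the webroot for ..." error on renewal.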