Https

Certbot renew dry run fails with error: Input the webroot for sub.mydomain.com:. Skipping

  • April 21, 2022

I have a Debian 10 instance running my Node.js/Express API. I have been using a different subdomain during development and added another subdomain as I got close to production. The first domain is dev.myapi.com, and I added the other subdomain, dashboard.myapi.com, with certbot certonly --cert-name dev.myapi.com -d dev.myapi.com,dashboard.myapi.com. After that I ran certbot renew --dry-run and got the following error:


Processing /etc/letsencrypt/renewal/dev.myapi.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dashboard.myapi.com
http-01 challenge for dev.myapi.com
Cleaning up challenges
Attempting to renew cert (dev.myapi.com) from /etc/letsencrypt/renewal/dev.myapi.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for dashboard.myapi.com:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
 /etc/letsencrypt/live/dev.myapi.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
 /etc/letsencrypt/live/dev.myapi.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: /etc/letsencrypt/renewal-hooks/post/reloadService.sh
1 renew failure(s), 0 parse failure(s)

How do I provide the webroot for the new subdomain? The root directory of my project is the same, i.e. I only run one project and both subdomains point to the same place.

So this is how I did it:

sudo certbot certonly --cert-name dev.myapi.com \
-a webroot \
-w path/to/my/public/folder \
-d dev.myapi.com,dashboard.myapi.com

More details here.

If you created the certificate with certbot, you can run it as described above:

certbot certonly --cert-name dev.myapi.com -d dev.myapi.com,dashboard.myapi.com

This automatically creates a config file (on Ubuntu 18.04 LTS) at "/etc/letsencrypt/renewal/dev.myapi.com.conf" containing the details given on the command line and through any interactive prompts. In your case, as described above, you should have been prompted for the authentication method (apache, webroot, standalone, etc.), and if you chose webroot you should have been prompted for the path. But if you weren't, then your config will be missing the webroot-path.

Therefore you should call certbot explicitly with --webroot and --webroot-path [full path to DocumentRoot] (in this example "/var/www/html/mySite"):

certbot certonly --cert-name dev.myapi.com --webroot --webroot-path "/var/www/html/mySite" -d dev.myapi.com,dashboard.myapi.com

If you don't, the webroot-path field is not written into the config file, and any renewal attempt will fail with the error you are seeing.

You can also add the path (in this example "/var/www/html/mySite") to the config file by hand, as shown below; see the "webroot_path =" line under the [renewalparams] section:

root:/etc/letsencrypt/renewal# cat dev.myapi.com.conf
# renew_before_expiry = 30 days
version = 1.9.0
archive_dir = /etc/letsencrypt/archive/dev.myapi.com
cert = /etc/letsencrypt/live/dev.myapi.com/cert.pem
privkey = /etc/letsencrypt/live/dev.myapi.com/privkey.pem
chain = /etc/letsencrypt/live/dev.myapi.com/chain.pem
fullchain = /etc/letsencrypt/live/dev.myapi.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = ####
authenticator = webroot
webroot_path = /var/www/html/mySite,
server = https://acme-v02.api.letsencrypt.org/directory

Then test:

certbot renew --cert-name dev.myapi.com --dry-run
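As an added check that is not part of the answers above: a small script that reads a renewal conf and reports which domains would trigger the "Input the webroot for <domain>:" prompt during renew. It only covers the webroot authenticator, reads the comma-separated webroot_path fallback and the per-domain [[webroot_map]] section certbot writes, and takes the domain list as an argument (the conf itself does not list them); the conf contents below are constructed samples, not from the thread.

```python
"""Find domains in a certbot renewal conf that have no webroot configured."""
import re

# Matches "[renewalparams]" and nested "[[webroot_map]]" section headers.
SECTION_RE = re.compile(r"^\[+\s*([^\]\s]+)\s*\]+$")


def parse_renewal_conf(text):
    """Minimal parser for certbot's ConfigObj-style renewal file.
    Returns {section_name: {key: value}}; top-level keys live under ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)      # "[[webroot_map]]" -> "webroot_map"
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def domains_missing_webroot(conf_text, domains):
    """Return the domains certbot would have to prompt for on renew."""
    conf = parse_renewal_conf(conf_text)
    params = conf.get("renewalparams", {})
    if params.get("authenticator") != "webroot":
        return []                         # other authenticators need no webroot
    per_domain = conf.get("webroot_map", {})
    # webroot_path is stored as a comma-separated list, e.g. "/var/www/html/mySite,"
    fallback = [p.strip() for p in params.get("webroot_path", "").split(",") if p.strip()]
    return [d for d in domains if d not in per_domain and not fallback]


DOMAINS = ["dev.myapi.com", "dashboard.myapi.com"]
# Constructed sample: what the conf looks like when no path was ever given.
BROKEN_CONF = """version = 1.9.0
[renewalparams]
account = 0123abcd
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
"""
# Constructed sample: the same conf after adding webroot_path by hand.
FIXED_CONF = BROKEN_CONF + "webroot_path = /var/www/html/mySite,\n"

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, "->", domains_missing_webroot(conf, DOMAINS))
```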

Source: https://serverfault.com/questions/1035830