Linux
"Error getting validation data" when installing Certbot on Debian 8.7 Jessie Linux
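I have just set up my server, but I cannot get my configuration to work with Certbot. It is always the same. I have tried a few different configurations, but none of them worked. This is my latest attempt. It always says: "Error getting validation data". Does anyone know why this does not work?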
The full installation:
sudo apt-get update && sudo apt-get upgrade
Ign http://ftp.debian.org jessie InRelease
[...]
Processing triggers for initramfs-tools (0.120+deb8u3) ...
Processing triggers for ca-certificates (20141019+deb8u3) ...
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

sudo apt-get install nano
Reading package lists... Done
[...]
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
[...]
update-alternatives: using /bin/nano to provide /usr/bin/pico (pico) in auto mode

sudo apt install curl
Reading package lists... Done
[...]
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
[...]

sudo mkdir -p /var/www/mydomain.ru/public_html
sudo chown -R root:root /var/www/mydomain.ru/public_html
sudo chmod -R 755 /var/www
nano /var/www/mydomain.ru/public_html/index.html
cd /etc/apache2/sites-available/
/etc/apache2/sites-available# ls
000-default.conf default-ssl.conf
/etc/apache2/sites-available# cd

sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/mydomain.ru.conf
sudo nano /etc/apache2/sites-available/mydomain.ru.conf
sudo nano /etc/apache2/sites-available/mydomain.ru.conf

sudo a2ensite mydomain.ru.conf
Enabling site mydomain.ru.
To activate the new configuration, you need to run:
  service apache2 reload

sudo a2dissite 000-default.conf
Site 000-default disabled.
To activate the new configuration, you need to run:
  service apache2 reload

sudo a2dissite default-ssl.conf
Site default-ssl already disabled

sudo /etc/init.d/apache2 restart
[ ok ] Restarting apache2 (via systemctl): apache2.service.
sudo nano /etc/apache2/sites-available/mydomain.ru.conf
sudo /etc/init.d/apache2 restart
[ ok ] Restarting apache2 (via systemctl): apache2.service.
sudo nano /etc/apache2/sites-available/mydomain.ru.conf

sudo nano /etc/apt/sources.list
apt-get update
Ign http://ftp.debian.org jessie InRelease
[...]
Reading package lists... Done

sudo apt-get install python-certbot-apache -t jessie-backports
Reading package lists... Done
[...]
0 upgraded, 34 newly installed, 0 to remove and 32 not upgraded.
[...]
Do you want to continue? [Y/n] y
Get:1 http://ftp.debian.org/debian/ jessie-backports/main augeas-lenses all 1.8.0-1~bpo8+1 [422 kB]
[...]
Processing triggers for libc-bin (2.19-18+deb8u10) ...

sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: mydomain.ru
2: www.mydomain.ru
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel):
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):office@myotherdomain.eu
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for mydomain.ru
tls-sni-01 challenge for www.mydomain.ru
Enabled Apache socache_shmcb module
Enabled Apache ssl module
/usr/lib/python2.7/dist-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
  result_code = _lib.RAND_bytes(result_buffer, num_bytes)
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.mydomain.ru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data, mydomain.ru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data

IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through e-mails sent to office@myotherdomain.eu.
 - The following errors were reported by the server:

   Domain: www.mydomain.ru
   Type: connection
   Detail: Error getting validation data

   Domain: mydomain.ru
   Type: connection
   Detail: Error getting validation data

   To fix these errors, please make sure that your domain name was [...] making regular backups of this folder is ideal.
The changes in my /etc/apache2/sites-available/mydomain.ru.conf:
<IfModule mod_ssl.c>
    <VirtualHost mydomain.ru:443>
        ServerAdmin info@mydomain.ru
        ServerName mydomain.ru:443
        ServerAlias www.mydomain.ru
        DocumentRoot /var/www/mydomain.ru/public_html

        # Available loglevels: trace8, ..., trace1, debug, info, notice$
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
I needed to configure iptables with the following line:
sudo iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
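Added example, not part of the original answer: iptables evaluates the INPUT chain top-down and the first matching rule decides, which is why the position of the port 443 rule matters (`-I INPUT 1` puts it first, `-A` puts it last). The function below reads `iptables -S INPUT` output and reports the verdict for a new inbound TCP connection to a port. The name `input_verdict`, the three rule sets and the simplified matching model are assumptions made for this illustration.

```shell
# Verdict of the INPUT chain for a NEW inbound TCP connection to a port.
# Reads `iptables -S INPUT` output on stdin; first matching rule wins.
# Simplified model (assumption): rules limited by -s, -i, or a conntrack
# state without NEW are treated as not matching an outside validator.
input_verdict() {
    awk -v port="$1" '
    function port_in(spec, p,    n, parts, r, k) {
        n = split(spec, parts, ",")
        for (k = 1; k <= n; k++) {
            if (split(parts[k], r, ":") == 2) {
                if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) return 1
            } else if (parts[k] + 0 == p + 0) return 1
        }
        return 0
    }
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
        proto = dport = target = ""; skip = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport" || $i == "--dports") dport = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "-s" || $i == "-i") skip = 1
            else if ($i ~ /^--(ct)?state$/ && $(i + 1) !~ /(^|,)NEW(,|$)/) skip = 1
        }
        if (skip || (proto != "" && proto != "tcp" && proto != "all")) next
        if (dport != "" && !port_in(dport, port)) next
        if (target ~ /^(ACCEPT|DROP|REJECT)$/) { print target; decided = 1; exit }
    }
    END { if (!decided) print (policy == "" ? "ACCEPT" : policy) }'
}
# Constructed rule sets (not from the post): default-deny host, the same host
# after `iptables -I INPUT 1 ...`, and a host where ACCEPT was appended (-A).
RULES_BEFORE='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
RULES_INSERTED='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
RULES_APPENDED='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'
for rules in "$RULES_BEFORE" "$RULES_INSERTED" "$RULES_APPENDED"; do
    printf '%s\n' "$rules" | input_verdict 443
done
```

On a live host the input would come from `sudo iptables -S INPUT | input_verdict 443`; a rule added with `-I` is not persistent across reboots unless the rule set is saved.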
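Is your Apache server reachable from the outside (from the wider internet) on the virtual host's domain? When you request a certificate, certbot modifies your Apache configuration to serve a validation token at a special URL on your site (usually /.well-known/acme-challenge/<sometoken>). This is how they confirm that you publicly own the domain you are requesting a certificate for. If that web server is not public, or there is no public DNS entry matching your virtual host that points to it, Let's Encrypt will not be able to request its authorization token.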