Nginx

無法使用 LetsEncrypt - CertBot - 設置 HTTP 到 HTTPS 重定向時

  • May 22, 2020

我正在嘗試配置 CertBot,它僅在我通過 http 服務我的網站時才有效。通常我有一個 https 重定向,我不想每次需要使用 certbot 時都更改站點配置。我試圖只/.well-known/通過 http 服務,但它仍然沒有解決這個問題的任何想法?

我正在嘗試複製這個想法但沒有工作-> NGINX 將所有內容重定向,除了讓加密到 https

例如:這有效:

server {
   listen 80;
   listen [::]:80;
   server_name example.com www.example.com;


location / {

       proxy_pass              http://localhost:8575/;
       include                 /etc/nginx/conf.d/proxy.conf;
   }
}

這不:(請注意,目前配置的 SSL 證書不正確,但需要 NGinX 啟動)

server {

  listen 80;
  listen [::]:80;
  server_name www.example.com example.com;

   location /.well-known/acme-challenge/ {
       proxy_pass              http://localhost:8575/;
       include                 /etc/nginx/conf.d/proxy.conf;
   }

location / {
      return 301 https://$server_name$request_uri;
   }

}

server {
       listen 443 ssl;
       listen        [::]:443;
       server_name www.example.com example.com;

#        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
#        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
       ssl_certificate /etc/ssl/crt/crt.crt;
       ssl_certificate_key /etc/ssl/crt/key.key;

location / {

       proxy_pass              http://localhost:8575/;
       include                 /etc/nginx/conf.d/proxy.conf;
   }
}

錯誤日誌:

certbot    | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot    | Plugins selected: Authenticator webroot, Installer None
certbot    | Registering without email!
certbot    | Obtaining a new certificate
certbot    | Performing the following challenges:
certbot    | http-01 challenge for www.example.com
certbot    | http-01 challenge for example.com
certbot    | Using the webroot path /var/www/html for all unmatched domains.
certbot    | Waiting for verification...
certbot    | Challenge failed for domain www.example.com
certbot    | Challenge failed for domain example.com
certbot    | http-01 challenge for www.example.com
certbot    | http-01 challenge for example.com
certbot    | Cleaning up challenges
certbot    | IMPORTANT NOTES:
certbot    |  - The following errors were reported by the server:
certbot    |
certbot    |    Domain: www.example.com
certbot    |    Type:   unauthorized
certbot    |    Detail: Invalid response from
certbot    |    http://www.example.com/.well-known/acme-challenge/WyVEA5g6BWVDPpYUhEJ0bG5iH6daF1rZpFd0vuTXOa0
certbot    |    [50.117.156.123]: "        <!DOCTYPE html><html lang=\"en-US\">\r\n
certbot    |    \t<head>\n\n\t\t        <meta charset=\"UTF-8\">\r\n        <meta
certbot    |    name=\"viewport\" con"
certbot    |
certbot    |    Domain: example.com
certbot    |    Type:   unauthorized
certbot    |    Detail: Invalid response from
certbot    |    https://www.example.com/x61_h9wxFY2Ye8-16GllyMq_dfsXbsEB1lYOjeq4LjU
certbot    |    [50.117.156.123]: "        <!DOCTYPE html><html lang=\"en-US\">\r\n
certbot    |    \t<head>\n\n\t\t        <meta charset=\"UTF-8\">\r\n        <meta
certbot    |    name=\"viewport\" con"
certbot    |
certbot    |    To fix these errors, please make sure that your domain name was
certbot    |    entered correctly and the DNS A/AAAA record(s) for that domain
certbot    |    contain(s) the right IP address.
certbot    |  - Your account credentials have been saved in your Certbot
certbot    |    configuration directory at /etc/letsencrypt. You should make a
certbot    |    secure backup of this folder now. This configuration directory will
certbot    |    also contain certificates and private keys obtained by Certbot so
certbot    |    making regular backups of this folder is ideal.
certbot    | Some challenges have failed.
certbot exited with code 1

更新:我的主要問題是沒有使用$request_uriw/proxy_pass指令(這也不允許~BTW)。但是,在 HTTPS 塊中使用它並沒有錯。查看https://serverfault.com/a/1018199/312793

https://serverfault.com/a/1017720/312793我意識到我實際上不需要傳遞我的 webapp 的“真實”根目錄,只需在 nginx 可以服務於 certbot 讀取/寫入文件的地方。同樣,您可以讓一個目錄為多個站點提供服務,因此我決定將最熟練的方法添加到locationnginxdefault伺服器塊內100%。事實上,web 應用程序甚至不需要執行,只需要執行 nginx。

這是我的新default伺服器塊。注意:我acme在我的 nginx“真實”webroot 中創建了一個文件夾,並為該目錄提供服務location /.well-known/acme-challenge/

server {
       listen 80 default_server;
       listen [::]:80 default_server;
       root /var/www/html/;
       index index.html;
}
server {
       listen 443 default_server;
       listen [::]:443 default_server;
       ssl_certificate /etc/ssl/fake/fake.crt;
       ssl_certificate_key /etc/ssl/fake/fake.key;

       location /.well-known/acme-challenge/ {
       root /var/www/html/acme;
        allow all;
       }

       root /var/www/html/;
       index index.html;
}

就像在進行設置時一樣,您需要為 SSL 證書準備一些東西,否則 nginx 將無法正確啟動。對此設置/解析度非常滿意!


需要添加以下內容:$request_uri

location /.well-known/acme-challenge/ {
   proxy_pass              http://localhost:8575/$request_uri;
   include                 /etc/nginx/conf.d/proxy.conf;
}

使用HTTP-01 質詢,可以先重定向到 HTTPS 並通過 TLS 提供質詢。但是,挑戰總是從使用埠 80 的普通 HTTP 連接開始,您只能重定向到埠 443 上的 HTTPS。

我們對 HTTP-01 挑戰的實現遵循重定向,深度最多 10 個重定向。它只接受重定向到“http:”或“https:”,並且只接受到埠 80 或 443。它不接受重定向到 IP 地址。當重定向到 HTTPS URL 時,它不會驗證證書(因為此質詢旨在引導有效證書,它可能會在此過程中遇到自簽名或過期的證書)。

HTTP-01 質詢只能在埠 80 上完成。允許客戶端指定任意埠會降低質詢的安全性,因此 ACME 標準不允許這樣做。

因此,這種 Nginx 配置也應該可以工作:

server {
   listen 80;
   server_name www.example.com example.com;

   location / {
       return 301 https://$server_name$request_uri;
   }
}

server {
   listen 443 ssl;
   server_name www.example.com example.com;

   location /.well-known/acme-challenge/ {
       # HTTP-01 challenge
   }

   location / {
       # Your web application
   }
}

在您的情況下,這意味著以下內容可能位於 HTTP 或 HTTPSserver塊中。

location /.well-known/acme-challenge/ {
   proxy_pass   http://localhost:8575/.well-known/acme-challenge/;
   include      /etc/nginx/conf.d/proxy.conf;
}

您能夠替換為/.well-known/acme-challenge/$request_uri因為:

proxy_pass中使用變數時:

location /name/ {
    proxy_pass http://127.0.0.1$request_uri;
}

在這種情況下,如果在指令中指定了 URI,它將按原樣傳遞給伺服器,替換原始請求 URI。

此外,如果/具有相同的根,則根本不需要單獨location的。

引用自:https://serverfault.com/questions/1017545