無法使用 LetsEncrypt - CertBot - 設置 HTTP 到 HTTPS 重定向時
我正在嘗試配置 CertBot,它僅在我通過 http 服務我的網站時才有效。通常我有一個 https 重定向,我不想每次需要使用 certbot 時都更改站點配置。我試圖只
/.well-known/通過 http 服務,但它仍然沒有解決這個問題的任何想法?我正在嘗試複製這個想法但沒有工作-> NGINX 將所有內容重定向,除了讓加密到 https
例如:這有效:
server { listen 80; listen [::]:80; server_name example.com www.example.com; location / { proxy_pass http://localhost:8575/; include /etc/nginx/conf.d/proxy.conf; } }這不:(請注意,目前配置的 SSL 證書不正確,但需要 NGinX 啟動)
server { listen 80; listen [::]:80; server_name www.example.com example.com; location /.well-known/acme-challenge/ { proxy_pass http://localhost:8575/; include /etc/nginx/conf.d/proxy.conf; } location / { return 301 https://$server_name$request_uri; } } server { listen 443 ssl; listen [::]:443; server_name www.example.com example.com; # ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; ssl_certificate /etc/ssl/crt/crt.crt; ssl_certificate_key /etc/ssl/crt/key.key; location / { proxy_pass http://localhost:8575/; include /etc/nginx/conf.d/proxy.conf; } }錯誤日誌:
certbot | Saving debug log to /var/log/letsencrypt/letsencrypt.log certbot | Plugins selected: Authenticator webroot, Installer None certbot | Registering without email! certbot | Obtaining a new certificate certbot | Performing the following challenges: certbot | http-01 challenge for www.example.com certbot | http-01 challenge for example.com certbot | Using the webroot path /var/www/html for all unmatched domains. certbot | Waiting for verification... certbot | Challenge failed for domain www.example.com certbot | Challenge failed for domain example.com certbot | http-01 challenge for www.example.com certbot | http-01 challenge for example.com certbot | Cleaning up challenges certbot | IMPORTANT NOTES: certbot | - The following errors were reported by the server: certbot | certbot | Domain: www.example.com certbot | Type: unauthorized certbot | Detail: Invalid response from certbot | http://www.example.com/.well-known/acme-challenge/WyVEA5g6BWVDPpYUhEJ0bG5iH6daF1rZpFd0vuTXOa0 certbot | [50.117.156.123]: " <!DOCTYPE html><html lang=\"en-US\">\r\n certbot | \t<head>\n\n\t\t <meta charset=\"UTF-8\">\r\n <meta certbot | name=\"viewport\" con" certbot | certbot | Domain: example.com certbot | Type: unauthorized certbot | Detail: Invalid response from certbot | https://www.example.com/x61_h9wxFY2Ye8-16GllyMq_dfsXbsEB1lYOjeq4LjU certbot | [50.117.156.123]: " <!DOCTYPE html><html lang=\"en-US\">\r\n certbot | \t<head>\n\n\t\t <meta charset=\"UTF-8\">\r\n <meta certbot | name=\"viewport\" con" certbot | certbot | To fix these errors, please make sure that your domain name was certbot | entered correctly and the DNS A/AAAA record(s) for that domain certbot | contain(s) the right IP address. certbot | - Your account credentials have been saved in your Certbot certbot | configuration directory at /etc/letsencrypt. You should make a certbot | secure backup of this folder now. This configuration directory will certbot | also contain certificates and private keys obtained by Certbot so certbot | making regular backups of this folder is ideal. certbot | Some challenges have failed. certbot exited with code 1
更新:我的主要問題是沒有使用
$request_uriw/proxy_pass指令(這也不允許~BTW)。但是,在 HTTPS 塊中使用它並沒有錯。查看https://serverfault.com/a/1018199/312793和https://serverfault.com/a/1017720/312793我意識到我實際上不需要傳遞我的 webapp 的“真實”根目錄,只需在 nginx 可以服務於 certbot 讀取/寫入文件的地方。同樣,您可以讓一個目錄為多個站點提供服務,因此我決定將最熟練的方法添加到
locationnginxdefault伺服器塊內100%。事實上,web 應用程序甚至不需要執行,只需要執行 nginx。這是我的新
default伺服器塊。注意:我acme在我的 nginx“真實”webroot 中創建了一個文件夾,並為該目錄提供服務location /.well-known/acme-challenge/server { listen 80 default_server; listen [::]:80 default_server; root /var/www/html/; index index.html; } server { listen 443 default_server; listen [::]:443 default_server; ssl_certificate /etc/ssl/fake/fake.crt; ssl_certificate_key /etc/ssl/fake/fake.key; location /.well-known/acme-challenge/ { root /var/www/html/acme; allow all; } root /var/www/html/; index index.html; }就像在進行設置時一樣,您需要為 SSL 證書準備一些東西,否則 nginx 將無法正確啟動。對此設置/解析度非常滿意!
需要添加以下內容:
$request_urilocation /.well-known/acme-challenge/ { proxy_pass http://localhost:8575/$request_uri; include /etc/nginx/conf.d/proxy.conf; }
使用HTTP-01 質詢,可以先重定向到 HTTPS 並通過 TLS 提供質詢。但是,挑戰總是從使用埠 80 的普通 HTTP 連接開始,您只能重定向到埠 443 上的 HTTPS。
我們對 HTTP-01 挑戰的實現遵循重定向,深度最多 10 個重定向。它只接受重定向到“http:”或“https:”,並且只接受到埠 80 或 443。它不接受重定向到 IP 地址。當重定向到 HTTPS URL 時,它不會驗證證書(因為此質詢旨在引導有效證書,它可能會在此過程中遇到自簽名或過期的證書)。
HTTP-01 質詢只能在埠 80 上完成。允許客戶端指定任意埠會降低質詢的安全性,因此 ACME 標準不允許這樣做。
因此,這種 Nginx 配置也應該可以工作:
server { listen 80; server_name www.example.com example.com; location / { return 301 https://$server_name$request_uri; } } server { listen 443 ssl; server_name www.example.com example.com; location /.well-known/acme-challenge/ { # HTTP-01 challenge } location / { # Your web application } }在您的情況下,這意味著以下內容可能位於 HTTP 或 HTTPS
server塊中。location /.well-known/acme-challenge/ { proxy_pass http://localhost:8575/.well-known/acme-challenge/; include /etc/nginx/conf.d/proxy.conf; }您能夠替換為
/.well-known/acme-challenge/,$request_uri因為:在proxy_pass中使用變數時:
location /name/ { proxy_pass http://127.0.0.1$request_uri; }在這種情況下,如果在指令中指定了 URI,它將按原樣傳遞給伺服器,替換原始請求 URI。
此外,如果
/具有相同的根,則根本不需要單獨location的。