無法使用 Let’s Encrypt/Certbot 通過 TLS-SNI-01 挑戰 - 如何解決?
我正在執行 Ubuntu 14.04LTS。
certbot-auto
由於 certbot 不在 14.04 中,因此我已從 EFF 網站獲取。我試過執行它
certbot-auto --apache -d my.domain
並且它在 TLS-SNI-01 質詢期間始終超時,並顯示以下消息:
Failed authorization procedure. my.domain (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to ww.xx.yy.zz:443 for TLS-SNI-01 challenge
我已經通過執行 openssl 的命令並從外部位置
s_server
成功連接到“伺服器”來驗證入站 TLS 沒有被阻止。s_server
看著
/var/log/apache2/error.log
我確實看到了一個關於(我假設)certbot-auto
臨時嘗試設置的 docroot 未找到的可疑警告:[Tue Dec 06 00:34:02.306032 2016] [mpm_prefork:notice] [pid 19521] AH00171: Graceful restart requested, doing restart [Tue Dec 06 00:34:03.001014 2016] [mpm_prefork:notice] [pid 19521] AH00163: Apache/2.4.7 (Ubuntu) configured -- resuming normal operations [Tue Dec 06 00:34:03.001094 2016] [core:notice] [pid 19521] AH00094: Command line: '/usr/sbin/apache2' [Tue Dec 06 00:34:14.596461 2016] [mpm_prefork:notice] [pid 19521] AH00171: Graceful restart requested, doing restart AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist [Tue Dec 06 00:34:14.661372 2016] [ssl:warn] [pid 19521] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Tue Dec 06 00:34:15.000674 2016] [mpm_prefork:notice] [pid 19521] AH00163: Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f configured -- resuming normal operations [Tue Dec 06 00:34:15.001293 2016] [core:notice] [pid 19521] AH00094: Command line: '/usr/sbin/apache2'
在
/var/log/letsencrypt/letsencrypt.log
我看到以下內容,這看起來完全合理:2016-12-06 05:34:13,247:INFO:certbot.auth_handler:Performing the following challenges: 2016-12-06 05:34:13,268:INFO:certbot.auth_handler:tls-sni-01 challenge for mydomain.com 2016-12-06 05:34:13,359:INFO:certbot_apache.configurator:Enabled Apache socache_shmcb module 2016-12-06 05:34:13,520:INFO:certbot_apache.configurator:Enabled Apache ssl module 2016-12-06 05:34:14,345:DEBUG:certbot_apache.tls_sni_01:Adding Include /etc/apache2/le_tls_sni_01_cert_challenge.conf to /files/etc/apache2/apache2.conf 2016-12-06 05:34:14,351:DEBUG:certbot_apache.tls_sni_01:writing a config file with text: <IfModule mod_ssl.c> <VirtualHost *> ServerName b103a17811594b35d3ade8eb763c8c42.74b423d383109b22eaecca3ea14cd1f7.acme.invalid UseCanonicalName on SSLStrictSNIVHostCheck on LimitRequestBody 1048576 Include /etc/letsencrypt/options-ssl-apache.conf SSLCertificateFile /var/lib/letsencrypt/mRH5i2aIrWMqjsZn3jMXvdNnYV5Ejd0GBtcDoIJqQ4U.crt SSLCertificateKeyFile /var/lib/letsencrypt/mRH5i2aIrWMqjsZn3jMXvdNnYV5Ejd0GBtcDoIJqQ4U.pem DocumentRoot /var/lib/letsencrypt/tls_sni_01_page/ </VirtualHost> </IfModule>
如果我
/var/lib/letsencrypt
在certbot-auto
跑步時觀看,我永遠不會看到tls_sni_01_page
正在創建。這是我看到的順序——一個臨時目錄和一些臨時證書正在製作,然後在挑戰失敗時刪除,但從來沒有tls_sni_01_page
/var/lib/letsencrypt$ ls backups /var/lib/letsencrypt$ ls backups /var/lib/letsencrypt$ ls backups /var/lib/letsencrypt$ ls backups temp_checkpoint /var/lib/letsencrypt$ ls backups temp_checkpoint /var/lib/letsencrypt$ ls backups e1pvy9TgUvOmBxC4dlkwG5Ly2mTY0DU63qhUFpBik2Y.crt e1pvy9TgUvOmBxC4dlkwG5Ly2mTY0DU63qhUFpBik2Y.pem temp_checkpoint
我還更改
/etc/letsencrypt/options-ssl-apache.conf
了將日誌記錄級別設置為DEBUG
並將該臨時虛擬主機日誌記錄到它自己的錯誤和訪問日誌中。我在錯誤日誌中看到輸出但沒有問題,但在訪問日誌中根本看不到任何內容。我試過執行
tcpdump -n port 443
,我確實看到來自遠端機器的某種連接嘗試:09:14:44.388328 IP 66.133.109.36.48890 > w.x.y.z.443: Flags [S], seq 1627589669, win 29200, options [mss 1460,sackOK,TS val 2834688174 ecr 0,nop,wscale 7], length 0 09:14:44.388435 IP w.x.y.z.443 > 66.133.109.36.48890: Flags [S.], seq 773250860, ack 1627589670, win 28960, options [mss 1460,sackOK,TS val 424229197 ecr 2834688174,nop,wscale 7], length 0 09:14:44.451190 IP 66.133.109.36.48890 > w.x.y.z.443: Flags [.], ack 1, win 229, options [nop,nop,TS val 2834688237 ecr 424229197], length 0 09:14:44.451546 IP 66.133.109.36.48890 > w.x.y.z.443: Flags [P.], seq 1:220, ack 1, win 229, options [nop,nop,TS val 2834688237 ecr 424229197], length 219 09:14:44.451619 IP w.x.y.z.443 > 66.133.109.36.48890: Flags [.], ack 220, win 235, options [nop,nop,TS val 424229216 ecr 2834688237], length 0 09:14:44.454461 IP w.x.y.z.443 > 66.133.109.36.48890: Flags [P.], seq 1:393, ack 220, win 235, options [nop,nop,TS val 424229217 ecr 2834688237], length 392 09:14:44.454626 IP w.x.y.z.443 > 66.133.109.36.48890: Flags [F.], seq 393, ack 220, win 235, options [nop,nop,TS val 424229217 ecr 2834688237], length 0 09:14:44.517433 IP 66.133.109.36.48890 > w.x.y.z.443: Flags [.], ack 393, win 237, options [nop,nop,TS val 2834688303 ecr 424229217], length 0 09:14:44.517481 IP 66.133.109.36.48890 > w.x.y.z.443: Flags [P.], seq 220:227, ack 394, win 237, options [nop,nop,TS val 2834688303 ecr 424229217], length 7 09:14:44.517514 IP 66.133.109.36.48890 > w.x.y.z.443: Flags [F.], seq 227, ack 394, win 237, options [nop,nop,TS val 2834688303 ecr 424229217], length 0 09:14:44.517544 IP w.x.y.z.443 > 66.133.109.36.48890: Flags [.], ack 228, win 235, options [nop,nop,TS val 424229235 ecr 2834688303], length 0
知道到底發生了什麼嗎?任何人都可以使用 Ubuntu 14.04LTS 和 apache 來完成這項工作嗎?
我為此奮鬥了幾個小時,在我的日誌中完成了相同的輸出。我只是偶然發現了我的答案。我從另一個 webconfig 中粘貼了一些程式碼,其中已經有一個
<virtual host _._._._:443>
部分。我對其進行了更改,但仍將其保留。刪除該 443 部分後,sudo certbot-auto --apache -d example.com
執行沒有錯誤,並且我有一個工作站點。我僅根據我的經驗得出結論:確保您只有埠 80 的虛擬主機。我閱讀的文件中沒有提到這個問題,但似乎 certbot 無法更改 443 虛擬主機部分,它只能添加一個。
編輯——2017 年 12 月我現在可以在 sites-available.conf 上執行 certbot
<virtual host *:443>
。我所有的自定義修改都保持不變,我唯一的抱怨是證書路徑行沒有縮進。<sigh>哦,好吧!</sigh>