Ubuntu

讓我們加密 nginx 伺服器 tls-sni-01 挑戰

  • January 29, 2018

我有一個域,比方說domain.com

此域已在 Go Daddy 註冊並使用 Go Daddy 儀表板,我將域指向某個 IP,比方說1.2.3.4

此 IP1.2.3.4屬於 AWS EC2 實例。

機器執行Ubuntu並提供我想要使用的內容nginx

lsb_release -a

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.2 LTS
Release:    16.04
Codename:   xenial

nginx -v

nginx version: nginx/1.10.3 (Ubuntu)

Let's Encrypt使用certbot. 我通過發出命令來做到這一點sudo certbot --nginx

證書生成了,三個月來一切都很順利。我的網站已通過https有效證書正確提供。

我的證書最近過期了,所以我嘗試更新。我首先發出了這個命令。

sudo certbot renew

錯誤是這樣的:

Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested 243e624c366db6a6f6aca6ac57f6f3cc.16fe65202571c102848dfa2b97afa875.acme.invalid from 1.2.3.4:443. Received 2 certificate(s), first certificate had names "domain.com"

WARNING:certbot.renewal:Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: Failed authorization procedure. domain.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 243e624c366db6a6f6aca6ac57f6f3cc.16fe65202571c102848dfa2b97afa875.acme.invalid from 1.2.3.4:443. Received 2 certificate(s), first certificate had names "domain.com". Skipping.

當我發出這個命令時,nginx伺服器仍在執行。我停止了伺服器並再次嘗試,還嘗試了該命令的其他變體。我再次嘗試跑步sudo certbot renewsudo certbot --nginx再次,我嘗試sudo certbot renew --agree-tos和其他人。

我不知道施加的速率限制Let's Encrypt。我最後一次嘗試我得到了錯誤:

Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.

再次訪問後Let's Encrypt,我應該如何解決這個問題?


如何為機器上執行Let's Encrypt的伺服器續訂證書?nginx``Ubuntu

為什麼我會得到Incorrect validation certificate for tls-sni-01 challenge

我應該certbot完全刪除所有證書並重新安裝嗎?

你對這個問題有什麼建議?

謝謝!


編輯 2:伺服器配置

server {
   listen 80;
   server_name domain.com;
   return 301 https://$server_name$request_uri;
}

server {
   listen 443 ssl;
   server_name domain.com;

   location / {
       root /home/deploy/frontend/build;
       try_files $uri /index.html;
   }

ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; # managed by Certbot
}

編輯3:

這是完整的錯誤certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: domain.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for domain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. domain.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 8e2860a15c352af70bba07e265c4e05d.01f665a017c20bd5d2c25f1ec2110b6b.acme.invalid from 1.2.3.4:443. Received 2 certificate(s), first certificate had names "domain.com"

IMPORTANT NOTES:
- The following errors were reported by the server:

  Domain: domain.com
  Type:   unauthorized
  Detail: Incorrect validation certificate for tls-sni-01 challenge.
  Requested
  8e2860a15c352af70bba07e265c4e05d.01f665a017c20bd5d2c25f1ec2110b6b.acme.invalid
  from 1.2.3.4:443. Received 2 certificate(s), first certificate
  had names "domain.com"

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.

我找到的解決方案是使用這個命令:

sudo certbot --authenticator webroot --installer nginx

這樣做,本質上是重新頒發證書。但是,就我而言,這還不夠。對此方法所做的檢查涉及點擊此網址:

Failed authorization procedure. example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.com/.well-known/acme-challenge/6OmVoBFxfKtjdAO1bgM9ylZw0d7U7MVC8KqyS6A2LfU: "<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,shr"

注意:我domain.com在我的問題中用作範例,但在答案中我被迫使用example.com

我的nginx伺服器設置方式http://example.com/無法訪問,因為我有return 301 https://$server_name$request_uri;

我必須做的是允許http訪問我的 webroot,/home/deploy/frontend/build獲取證書並恢復設置。

我希望這有幫助。

由於安全報告,截至 2018 年 1 月 9 日,讓我們加密永久禁用 TLS-SNI-01 挑戰 303。

你可以使用命令:

sudo certbot --authenticator standalone --installer nginx -d example.com --pre-hook “service nginx stop” --post-hook “service nginx start”

https://community.letsencrypt.org/t/solution-client-with-the-currently-selected-authenticator-does-not-support-any-combination-of-challenges-that-will-satisfy-the-ca/49983

引用自:https://serverfault.com/questions/894485