讓我們加密 nginx 伺服器 tls-sni-01 挑戰
我有一個域,比方說
domain.com
此域已在 Go Daddy 註冊並使用 Go Daddy 儀表板,我將域指向某個 IP,比方說
1.2.3.4
此 IP
1.2.3.4
屬於 AWS EC2 實例。機器執行
Ubuntu
並提供我想要使用的內容nginx
。lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 16.04.2 LTS Release: 16.04 Codename: xenial nginx -v nginx version: nginx/1.10.3 (Ubuntu)
我
Let's Encrypt
使用certbot
. 我通過發出命令來做到這一點sudo certbot --nginx
證書生成了,三個月來一切都很順利。我的網站已通過
https
有效證書正確提供。我的證書最近過期了,所以我嘗試更新。我首先發出了這個命令。
sudo certbot renew
錯誤是這樣的:
Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested 243e624c366db6a6f6aca6ac57f6f3cc.16fe65202571c102848dfa2b97afa875.acme.invalid from 1.2.3.4:443. Received 2 certificate(s), first certificate had names "domain.com" WARNING:certbot.renewal:Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: Failed authorization procedure. domain.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 243e624c366db6a6f6aca6ac57f6f3cc.16fe65202571c102848dfa2b97afa875.acme.invalid from 1.2.3.4:443. Received 2 certificate(s), first certificate had names "domain.com". Skipping.
當我發出這個命令時,
nginx
伺服器仍在執行。我停止了伺服器並再次嘗試,還嘗試了該命令的其他變體。我再次嘗試跑步sudo certbot renew
,sudo certbot --nginx
再次,我嘗試sudo certbot renew --agree-tos
和其他人。我不知道施加的速率限制
Let's Encrypt
。我最後一次嘗試我得到了錯誤:Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
再次訪問後
Let's Encrypt
,我應該如何解決這個問題?如何為機器上執行
Let's Encrypt
的伺服器續訂證書?nginx``Ubuntu
為什麼我會得到
Incorrect validation certificate for tls-sni-01 challenge
?我應該
certbot
完全刪除所有證書並重新安裝嗎?你對這個問題有什麼建議?
謝謝!
編輯 2:伺服器配置
server { listen 80; server_name domain.com; return 301 https://$server_name$request_uri; } server { listen 443 ssl; server_name domain.com; location / { root /home/deploy/frontend/build; try_files $uri /index.html; } ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; # managed by Certbot }
編輯3:
這是完整的錯誤
certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator nginx, Installer nginx Which names would you like to activate HTTPS for? ------------------------------------------------------------------------------- 1: domain.com ------------------------------------------------------------------------------- Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1 Cert is due for renewal, auto-renewing... Renewing an existing certificate Performing the following challenges: tls-sni-01 challenge for domain.com Waiting for verification... Cleaning up challenges Failed authorization procedure. domain.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 8e2860a15c352af70bba07e265c4e05d.01f665a017c20bd5d2c25f1ec2110b6b.acme.invalid from 1.2.3.4:443. Received 2 certificate(s), first certificate had names "domain.com" IMPORTANT NOTES: - The following errors were reported by the server: Domain: domain.com Type: unauthorized Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested 8e2860a15c352af70bba07e265c4e05d.01f665a017c20bd5d2c25f1ec2110b6b.acme.invalid from 1.2.3.4:443. Received 2 certificate(s), first certificate had names "domain.com" To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
我找到的解決方案是使用這個命令:
sudo certbot --authenticator webroot --installer nginx
這樣做,本質上是重新頒發證書。但是,就我而言,這還不夠。對此方法所做的檢查涉及點擊此網址:
Failed authorization procedure. example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.com/.well-known/acme-challenge/6OmVoBFxfKtjdAO1bgM9ylZw0d7U7MVC8KqyS6A2LfU: "<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,shr"
注意:我
domain.com
在我的問題中用作範例,但在答案中我被迫使用example.com
我的
nginx
伺服器設置方式http://example.com/
無法訪問,因為我有return 301 https://$server_name$request_uri;
我必須做的是允許
http
訪問我的 webroot,/home/deploy/frontend/build
獲取證書並恢復設置。我希望這有幫助。
由於安全報告,截至 2018 年 1 月 9 日,讓我們加密永久禁用 TLS-SNI-01 挑戰 303。
你可以使用命令:
sudo certbot --authenticator standalone --installer nginx -d example.com --pre-hook “service nginx stop” --post-hook “service nginx start”