Ubuntu
為什麼 certbot 突然退回到 http-01 挑戰而不是 tls-sni-01 (https)?
我有一個經過良好測試的 bash 腳本,直到幾週前它都執行良好。
似乎 certbot 挑戰現在預設為 http 而不是 https。我想不出原因。
echo 'rsa-key-size = 2048 renew-hook = /usr/sbin/ipsec reload && /usr/sbin/ipsec secrets ' > /etc/letsencrypt/cli.ini certbot certonly --non-interactive --agree-tos --email $EMAIL --standalone -d $VPNHOST
防火牆設置:
Firewall stopped and disabled on system startup Chain INPUT (policy ACCEPT) target prot opt source destination DROP all -- anywhere anywhere state NEW recent: UPDATE seconds: 60 hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255 all -- anywhere anywhere state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT all -- anywhere anywhere DROP all -- anywhere anywhere state INVALID ACCEPT udp -- anywhere anywhere udp dpt:isakmp ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t DROP all -- anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination ACCEPT all -- ip-10-10-10-0.eu-west-2.compute.internal/24 anywhere policy match dir in pol ipsec proto esp ACCEPT all -- anywhere ip-10-10-10-0.eu-west-2.compute.internal/24 policy match dir out pol ipsec proto esp DROP all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination
證書機器人:
Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator standalone, Installer None Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org Obtaining a new certificate Performing the following challenges: http-01 challenge for vpn-1.duelify.com Waiting for verification... Cleaning up challenges Failed authorization procedure. vpn-1.duelify.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://vpn-1.duelify.com/.well-known/acme-challenge/BsPR5NK4JVb8rgIyS2VR4VTOv4Bc1F5TNppjoo95O70: Timeout IMPORTANT NOTES: - The following errors were reported by the server: Domain: vpn-1.duelify.com Type: connection Detail: Fetching http://vpn-1.duelify.com/.well-known/acme-challenge/BsPR5NK4JVb8rgIyS2VR4VTOv4Bc1F5TNppjoo95O70: Timeout To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided. - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
這可能是由於最近使用 tls-sni-01 驗證方法宣布的漏洞,Let’s Encrypt 禁用了這個,直到它被修復更新檔。
在此之前,他們建議使用 http 進行驗證。