Ubuntu

為什麼 certbot 突然退回到 http-01 挑戰而不是 tls-sni-01 (https)?

  • February 11, 2018

我有一個經過良好測試的 bash 腳本,直到幾週前它都執行良好。

似乎 certbot 挑戰現在預設為 http 而不是 https。我想不出原因。

echo 'rsa-key-size = 2048
renew-hook = /usr/sbin/ipsec reload && /usr/sbin/ipsec secrets
' > /etc/letsencrypt/cli.ini

certbot certonly --non-interactive --agree-tos --email $EMAIL --standalone -d $VPNHOST

防火牆設置:

Firewall stopped and disabled on system startup
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state NEW recent: UPDATE seconds: 60 hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
          all  --  anywhere             anywhere             state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  ip-10-10-10-0.eu-west-2.compute.internal/24  anywhere             policy match dir in pol ipsec proto esp
ACCEPT     all  --  anywhere             ip-10-10-10-0.eu-west-2.compute.internal/24  policy match dir out pol ipsec proto esp
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

證書機器人:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for vpn-1.duelify.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. vpn-1.duelify.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://vpn-1.duelify.com/.well-known/acme-challenge/BsPR5NK4JVb8rgIyS2VR4VTOv4Bc1F5TNppjoo95O70: Timeout

IMPORTANT NOTES:
- The following errors were reported by the server:

  Domain: vpn-1.duelify.com
  Type:   connection
  Detail: Fetching
  http://vpn-1.duelify.com/.well-known/acme-challenge/BsPR5NK4JVb8rgIyS2VR4VTOv4Bc1F5TNppjoo95O70:
  Timeout

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address. Additionally, please check that
  your computer has a publicly routable IP address and that no
  firewalls are preventing the server from communicating with the
  client. If you're using the webroot plugin, you should also verify
  that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
  configuration directory at /etc/letsencrypt. You should make a
  secure backup of this folder now. This configuration directory will
  also contain certificates and private keys obtained by Certbot so
  making regular backups of this folder is ideal.

這可能是由於最近使用 tls-sni-01 驗證方法宣布的漏洞,Let’s Encrypt 禁用了這個,直到它被修復更新檔。

在此之前,他們建議使用 http 進行驗證。

讓我們加密 tls-sni-01 錯誤詳細資訊

引用自:https://serverfault.com/questions/896762