certbot-auto / letsencrypt setting up one key for multiple domains pointing to the same server


Problem description


I'm really more of a front-end dev so server config stuff is very new territory for me, sorry if this is an easy question!

I'm running into some trouble trying to get my certbot-auto to generate an SSH key for multiple domains, pointing to one box.

I have 3-4 domains (domain1.net, domain2.io, domain3.me, domain4.codes), which are all pointing to the same Digital Ocean droplet.

Previously (a couple of months back), I had attempted this with letsencrypt directly (no certbot at that time). Somehow, I got SSL working for all my domains, but they recently expired and I'm now seemingly only able to renew domain1.net and not the rest.

I tried the following command:

./certbot-auto certonly -a webroot --agree-tos -w /var/www/domain1.net/public_html/ \
  --expand -d domain1.net,www.domain1.net,domain2.io,www.domain2.io,domain3.me,www.domain3.me,domain4.codes,www.domain4.codes

...which SEEMED to work, I got the following:

│ Saving debug log to /var/log/letsencrypt/letsencrypt.log             │
│ Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org      │
│ Cert not yet due for renewal                                         │
│ Renewing an existing certificate                                     │
│ Performing the following challenges:                                 │
│ http-01 challenge for domain1.net                                    │
│ http-01 challenge for www.domain1.net                                │
│ http-01 challenge for domain2.io                                     │
│ http-01 challenge for www.domain2.io                                 │
│ http-01 challenge for domain3.me                                     │
│ http-01 challenge for www.domain3.me                                 │
│ http-01 challenge for domain4.codes                                  │
│ http-01 challenge for www.domain4.codes                              │
│ Using the webroot path /var/www/domain1.net/public_html for          │
│ all unmatched domains.                                               │
│ Waiting for verification...                                          │
│ Cleaning up challenges                                               │
│ Generating key (2048 bits):                                          │
│ /etc/letsencrypt/keys/0012_key-certbot.pem                           │
│ Creating CSR: /etc/letsencrypt/csr/0012_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/domain1.net/fullchain.pem. Your cert
   will expire on 2017-02-20. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

...OK, great! However, only domain1.net and www.domain1.net seem to be working... the other domains claim to not be using HTTPS!

I'm also seeing multiple files in the /etc/letsencrypt/live/ directory. I had attempted to get this working previously (using letsencrypt directly, not via certbot) and had it working until today, when they expired and refused to renew. This is what I see inside that directory:

tom@Personal:/opt$ sudo ls -la /etc/letsencrypt/live/
total 20
drwx------ 5 root root 4096 Nov 22 18:22 .
drwxr-xr-x 8 root root 4096 Nov 22 18:22 ..
drwxr-xr-x 2 root root 4096 Nov 22 18:41 domain1.net
drwxr-xr-x 2 root root 4096 Oct 16 00:00 domain1.net-0001
drwxr-xr-x 2 root root 4096 Nov 22 18:22 www.domain1.net

Hmm... not sure why there are multiple entries in there. Shouldn't there just be one?

Anyway -- I'm not well versed enough with HTTPS / keys / NginX to figure this out and am ripping my hair out. I just want to get my SSL keys:

  1. working for all the above domains
  2. auto-renewing via certbot-auto renew

and not exactly sure where I am messing up here... any help is MUCH appreciated!

EDIT: this is what my server config block looks like in nginx:

server {
  # listen 80 default_server;
  # listen [::]:80 default_server ipv6only=on;

  # START LETS ENCRYPT ADDITIONS:
  listen 443 ssl;
  server_name domain1.net www.domain1.net domain2.io www.domain2.io domain3.me www.domain3.me domain4.codes www.domain4.codes;
  ssl_certificate /etc/letsencrypt/live/www.domain1.net/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/www.domain1.net/privkey.pem; # managed by Certbot
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
  # /END LETS ENCRYPT ADDITION

  root /var/www/domain1.net/public_html;
  index index.php index.html index.htm;

  # FOR LETSENCRYPT AUTO-RENEWAL, we must give it access to /.well-known
  location ~ /.well-known {
    allow all;
  }
  # /END LETSENCRYPT AUTO_RENEWAL

  location / {
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    try_files $uri $uri/ =404;
    # Uncomment to enable naxsi on this location
    # include /etc/nginx/naxsi.rules
  }
}

Solution

Just wanted to follow up - I got this working!

Turns out my command was correct but I was misusing the -d flag -- it needs to be applied for each domain separately. So the corrected command:

./certbot-auto certonly -a webroot --agree-tos -w /var/www/domain1.net/public_html/ \
  --expand -d domain1.net,www.domain1.net -d domain2.io,www.domain2.io -d domain3.me,www.domain3.me -d domain4.codes,www.domain4.codes
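As an added example (not part of the original question or answer, and not Certbot's own tooling): whichever certbot command is used, the thing worth verifying afterwards is that the certificate file nginx actually serves covers every host in `server_name`. In the question the block points `ssl_certificate` at the `www.domain1.net` lineage while `server_name` lists eight hosts, so any host absent from that certificate's subjectAltName fails the TLS name check in the browser. The POSIX shell script below extracts the SAN list from a PEM certificate, extracts the host list from an nginx server block, and reports every host the certificate does not cover. It assumes `openssl` 1.1.1 or newer on PATH; the function names, the self-signed certificate and the nginx fragment it generates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Checks that the certificate an nginx server block serves covers every
# name listed in its server_name. Assumes openssl (1.1.1+) is on PATH.
# Function names, the demo domains and the generated files are constructed.
set -u

# Print the DNS entries of a certificate's subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# Print the host names from the first server_name directive in a config file.
nginx_server_names() {
    sed -n 's/^[[:space:]]*server_name[[:space:]][[:space:]]*\(.*\);.*$/\1/p' "$1" \
        | head -n 1 \
        | tr ' ' '\n' \
        | grep -v '^$'
}

# Usage: missing_sans CERT NAME...
# Prints each NAME absent from the certificate's SANs; returns 1 if any are.
# Exact match only: a wildcard SAN (*.example) is not expanded here.
missing_sans() {
    cert="$1"; shift
    sans="$(cert_sans "$cert")"
    status=0
    for name in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
            status=1
        fi
    done
    return "$status"
}

# Constructed demo material: a self-signed cert covering only domain1.net and
# www.domain1.net (the lineage the question's nginx block points at) and a
# server block whose server_name lists more hosts than that.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" \
        -subj '/CN=domain1.net' \
        -addext 'subjectAltName=DNS:domain1.net,DNS:www.domain1.net' \
        >/dev/null 2>&1
}

make_demo_conf() {
    cat > "$1" <<'EOF'
server {
  listen 443 ssl;
  server_name domain1.net www.domain1.net domain2.io www.domain2.io;
  ssl_certificate     /etc/letsencrypt/live/www.domain1.net/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/www.domain1.net/privkey.pem;
}
EOF
}

demo() {
    tmp="$(mktemp -d)"
    make_demo_cert "$tmp"
    make_demo_conf "$tmp/site.conf"
    echo "Certificate SANs:"
    cert_sans "$tmp/fullchain.pem"
    echo "server_name entries not covered by that certificate:"
    # shellcheck disable=SC2046  # word-split the host list on purpose
    if missing_sans "$tmp/fullchain.pem" $(nginx_server_names "$tmp/site.conf"); then
        echo "(none)"
    fi
    rm -rf "$tmp"
}

demo
```

On a real host, replace the demo paths with the `ssl_certificate` path from the live server block and run `missing_sans` against the output of `nginx_server_names`; an empty result means every host nginx answers for is in the certificate, and a non-empty one lists exactly the names a reissue (or a different `ssl_certificate` lineage) has to add. The check is also a useful post-renewal hook, since `certbot-auto renew` keeps whatever name set the lineage already has.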
