Letsencrypt, nginx and virtual servers on Ubuntu
Question
I am using a useful tool to automate the creation and renewal of SSL certs from letsencrypt. I have "parametised" the steps shown on the linked site, so that I can use the instructions to obtain and maintain SSL certs for multiple websites.
I am running nginx on Ubuntu 16.0.4 LTS. I am running multiple virtual servers with nginx.
I managed to successfully obtain certificates for the first domain (foo.com, www.foo.com, mail.foo.com), so I know that my "parametisation" of the steps/script etc. works.
I am now trying to obtain certificates for the other websites. I am trying to obtain certs for foobar.com, www.foobar.com, mail.foobar.com and staff.foobar.com.
When I run my getcert.sh script (modified for foobar.com), it returns with the following message:
memyself@yourbox:/opt/sslcert/foobar# su -s /bin/bash -c '/opt/sslcert/foobar/bin/getcert.sh' sslcert
acme/challenge failed: {
    "type": "http-01",
    "status": "invalid",
    "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "Invalid response from http://mail.foobar.com/.well-known/acme-challenge/RsX0GNAPx-ODGvMTHCjQ9uSru7AazwkmmG6gmo-yAkk: \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody bgcolor=\"white\"\u003e\r\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003e\"",
        "status": 403
    },
    "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/83fRVxQHUjMUHzqK2Cc0gTflM_3wuwuItW5-Y6Xlfo0/360341585",
    "token": "RsX0GNAPx-ODGvMTHCjQ9uSru7AazwkmmG6gmo-yAkk",
    "keyAuthorization": "RsX0GNAPx-ODGvMTHCjQ9uSru7AazwkmmG6gmo-yAkk.9CRniSJOopxytAkBrkdIFkhM5tJzGI6kbXfB0998SNk",
    "validationRecord": [
        {
            "url": "http://mail.foobar.com/.well-known/acme-challenge/RsX0GNAPx-ODGvMTHCjQ9uSru7AazwkmmG6gmo-yAkk",
            "hostname": "mail.foobar.com",
            "port": "80",
            "addressesResolved": [
                "66.228.37.10"
            ],
            "addressUsed": "66.228.37.10"
        }
    ]
}
A few points worth mentioning:
- The nginx configuration for foo.com and foobar.com is identical (apart from the server name).
- The folder structure and permissions for the foo and foobar sites are exactly the same.
- The sites share the same physical static IP address but have different server names; i.e. different domain names resolve to the same IP address.
Here are the contents of the error log AFTER I have tried to obtain certificates for foobar:
memyself@yourbox:~# cat /var/log/nginx/error.log
2016/11/19 10:07:41 [error] 30345#30345: *78 open() "/opt/sslcert/foo/acme-challenge/1aLrSYLJGhDBtihuoXAsdh1K0jpdmcWBYWYPGxFNJXo" failed (2: No such file or directory), client: 66.133.109.36, server: foo.com, request: "GET /.well-known/acme-challenge/1aLrSYLJGhDBtihuoXAsdh1K0jpdmcWBYWYPGxFNJXo HTTP/1.1", host: "mail.foobar.com"
As can be seen from the above, an attempt is being made to read the cert from /opt/sslcert/foo/acme-challenge/ when it should be /opt/sslcert/foobar/acme-challenge/ instead.
Can anyone explain what is causing this problem, and how can it be resolved?
Answer
A time-saver suggestion: add this location block to your server blocks and try again.
location ~ /.well-known {
    allow all;
    root /path/to/webroot/;
}
If you have no problem using another command (which I am using):
/opt/letsencrypt/letsencrypt-auto certonly -a webroot --webroot-path="/path/to/webroot/" -d "domain_name1" -d "domain_name2" --non-interactive --email="you@email.com" --agree-tos
Note:
- Assuming you installed letsencrypt with the installation path /opt/letsencrypt/
- Tested on Ubuntu 14.04 & 16.04; hope there is no problem using it on any Linux system
- If you are using the new certbot, rename letsencrypt-auto to certbot-auto
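The nginx error log in the question shows the request carrying host mail.foobar.com being handled by the foo.com server block, which is what nginx does when no server_name matches and the request falls through to the first (default) server. The layout below is an added example, not the asker's or the answerer's configuration; it assumes per-site roots under /var/www and that every hostname in each certificate is listed in that site's server_name.

```nginx
# Catch-all: a Host header that matches no server_name lands here, so a
# hostname missing from a site's server_name fails as an obvious 404
# instead of being served from another site's challenge directory.
server {
    listen 80 default_server;
    server_name _;
    return 404;
}

server {
    listen 80;
    # Every hostname the certificate will cover must be listed here.
    server_name foo.com www.foo.com mail.foo.com;
    root /var/www/foo;   # assumed site root

    # ACME http-01 challenge files for this site only: alias replaces the
    # matched prefix, so /.well-known/acme-challenge/TOKEN is read from
    # /opt/sslcert/foo/acme-challenge/TOKEN (the directory seen in the log).
    location ^~ /.well-known/acme-challenge/ {
        alias /opt/sslcert/foo/acme-challenge/;
        allow all;
        default_type text/plain;
    }
}

server {
    listen 80;
    server_name foobar.com www.foobar.com mail.foobar.com staff.foobar.com;
    root /var/www/foobar;   # assumed site root

    location ^~ /.well-known/acme-challenge/ {
        alias /opt/sslcert/foobar/acme-challenge/;
        allow all;
        default_type text/plain;
    }
}
```

Before re-running getcert.sh, check the config with `nginx -t`, reload, then drop a test file into /opt/sslcert/foobar/acme-challenge/ and fetch it with `curl -H 'Host: mail.foobar.com' http://66.228.37.10/.well-known/acme-challenge/<file>` for each hostname; if any of them returns 404 from the catch-all block, that hostname is still missing from the server_name list.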