Ubuntu上的Letsencrypt，nginx和虚拟服务器 [英] Letsencrypt, nginx and virtual servers on Ubuntu

问题描述

我正在使用有用的工具自动从 letencrypt .我已经参数化"了链接网站上显示的步骤，以便可以使用说明来获取和维护多个网站的SSL证书.

I am using a useful tool to automate the creation and renewal of SSL certs from letsencrypt. I have "parametised" the steps shown on the linked site, so that I can use the instructions to obtain and maintain SSL certs for multiple websites.

我正在Ubuntu 16.0.4 LTS上运行nginx.我正在使用Nginx运行多个虚拟服务器.

I am running nginx on Ubuntu 16.0.4 LTS. I am running multiple virtual servers with nginx.

我设法成功获得了第一个域(foo.com，www.foo.com，mail.foo.com)的证书，所以我知道我对步骤/脚本等进行的参数化"是可行的.

I managed to successfully obtain certificates for the first domain (foo.com, www.foo.com, mail.foo.com), so I know that my "parametisation" of the steps/script etc works.

我现在正在尝试获取其他网站的证书.我正在尝试获取foobar.com，www.foobar.com，mail.foobar.com和staff.foobar.com的证书.

I am now trying to obtain a certificate for the other websites. I am trying to obtain certs for foobar.com, www.foobar.com, mail.foobar.com and staff.foobar.com.

当我运行getcert.sh脚本(为foobar.com修改)时，它将返回以下消息:

When I run my getcert.sh script (modified for foobar.com), it returns with the following message:

memyself@yourbox:/opt/sslcert/foobar# su -s /bin/bash -c '/opt/sslcert/foobar/bin/getcert.sh' sslcert
acme/challenge failed: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unauthorized",
    "detail": "Invalid response from http://mail.foobar.com/.well-known/acme-challenge/RsX0GNAPx-ODGvMTHCjQ9uSru7AazwkmmG6gmo-yAkk: \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody bgcolor=\"white\"\u003e\r\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003e\"",
    "status": 403
  },
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/83fRVxQHUjMUHzqK2Cc0gTflM_3wuwuItW5-Y6Xlfo0/360341585",
  "token": "RsX0GNAPx-ODGvMTHCjQ9uSru7AazwkmmG6gmo-yAkk",
  "keyAuthorization": "RsX0GNAPx-ODGvMTHCjQ9uSru7AazwkmmG6gmo-yAkk.9CRniSJOopxytAkBrkdIFkhM5tJzGI6kbXfB0998SNk",
  "validationRecord": [
    {
      "url": "http://mail.foobar.com/.well-known/acme-challenge/RsX0GNAPx-ODGvMTHCjQ9uSru7AazwkmmG6gmo-yAkk",
      "hostname": "mail.foobar.com",
      "port": "80",
      "addressesResolved": [
        "66.228.37.10"
      ],
      "addressUsed": "66.228.37.10"
    }
  ]
}

几点值得一提:

1. foo.com和foobar.com的nginx配置相同(除非指定了服务器名称)
2. 网站foo和foobar的文件夹结构和权限完全相同.
3. 网站具有相同的物理静态IP地址，但服务器名称不同；即不同的域名解析为相同的IP地址.

这是我尝试获取 foobar 的证书后错误日​​志的内容:

Here are the contents of the error log AFTER I have tried to obtain certificates for foobar:

memyself@yourbox:~# cat /var/log/nginx/error.log
2016/11/19 10:07:41 [error] 30345#30345: *78 open() "/opt/sslcert/foo/acme-challenge/1aLrSYLJGhDBtihuoXAsdh1K0jpdmcWBYWYPGxFNJXo" failed (2: No such file or directory), client: 66.133.109.36, server: foo.com, request: "GET /.well-known/acme-challenge/1aLrSYLJGhDBtihuoXAsdh1K0jpdmcWBYWYPGxFNJXo HTTP/1.1", host: "mail.foobar.com"

从上面可以看出，正在尝试从/opt/sslcert/foo/acme-challenge/读取证书，而应该是/opt/sslcert/foobar/acme-challenge/.

As can be seen from above, the cert is being attempted to be read from /opt/sslcert/foo/acme-challenge/ this should be /opt/sslcert/foobar/acme-challenge/ instead.

任何人都可以解释导致此问题的原因吗? -以及如何解决?

Can anyone explain what is causing this problem ? - and how can it be resolved?

推荐答案

节省时间的建议，将此位置块添加到服务器块中，然后尝试

a time saver suggestion, add this location block in your server blocks and try

location ~ /.well-known {
      allow all;
      root /path/to/webroot/;         
}

如果使用其他命令没有问题(正在使用):

if you have no problem using another command (which am using):

/opt/letsencrypt/letsencrypt-auto certonly -a webroot --webroot-path="/path/to/webroot/" -d "domain_name1" -d "domain_name2" --non-interactive  --email="you@email.com" --agree-tos

注意:

• 假设您安装了letsencrypt，安装路径为/opt/letsencrypt/

• Assuming you installed letsencrypt installation path as /opt/letsencrypt/

在Ubuntu 14.04&上测试16.04，希望在任何linux系统中使用它都没问题

Tested on Ubuntu 14.04 & 16.04, hope there is no problem using it in any linux systems

如果您使用的是新的 certbot 重命名letscrypt-auto到certbot-auto

if you are using new certbot rename letsencrypt-auto to certbot-auto

这篇关于Ubuntu上的Letsencrypt，nginx和虚拟服务器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！