Because certificates issued by Let's Encrypt are only valid for 90 days, and some of my services are not bound to a directory but are forwarded to other services via proxy_pass, certificate renewal frequently ran into problems.
Previously, to renew a certificate I would edit the configuration file and swap it back once the renewal finished, but doing it that way every time is a hassle. Looking at the acme log shows that what actually happened is that the challenge file could not be accessed:
```text
[Wed 17 Jan 2024 12:21:11 AM CST] responseHeaders='HTTP/2 200 server: nginx date: Tue, 16 Jan 2024 16:21:11 GMT content-type: application/json content-length: 1309 boulder-requester: 1023612387 cache-control: public, max-age=0, no-cache link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index" replay-nonce: LPSUY_lxhOXaxMC2EZ9QV4b0zXRV24srjF5J4XvlRDA5S8Yb1zE x-frame-options: DENY strict-transport-security: max-age=604800 '
[Wed 17 Jan 2024 12:21:12 AM CST] code='200'
[Wed 17 Jan 2024 12:21:12 AM CST] original='{ "identifier": { "type": "dns", "value": "c.oba.by" }, "status": "invalid", "expires": "2024-01-23T16:21:04Z", "challenges": [ { "type": "http-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:unauthorized", "detail": "43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404", "status": 403 }, "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA", "token": "TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw", "validationRecord": [ { "url": "http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw", "hostname": "c.oba.by", "port": "80", "addressesResolved": [ "43.16.12.199" ], "addressUsed": "43.16.12.199" }, { "url": "https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw", "hostname": "c.oba.by", "port": "443", "addressesResolved": [ "43.16.12.199" ], "addressUsed": "43.16.12.199" } ], "validated": "2024-01-16T16:21:06Z" } ] }'
[Wed 17 Jan 2024 12:21:12 AM CST] response='{"identifier":{"type":"dns","value":"c.oba.by"},"status":"invalid","expires":"2024-01-23T16:21:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA","token":"TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","validationRecord":[{"url":"http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"80","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"},{"url":"https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"443","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"}],"validated":"2024-01-16T16:21:06Z"}]}'
[Wed 17 Jan 2024 12:21:12 AM CST] original='{"identifier":{"type":"dns","value":"c.oba.by"},"status":"invalid","expires":"2024-01-23T16:21:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA","token":"TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","validationRecord":[{"url":"http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"80","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"},{"url":"https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"443","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"}],"validated":"2024-01-16T16:21:06Z"}]}'
[Wed 17 Jan 2024 12:21:12 AM CST] response='{"identifier":{"type":"dns","value":"c.oba.by"},"status":"invalid","expires":"2024-01-23T16:21:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA","token":"TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","validationRecord":[{"url":"http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"80","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"},{"url":"https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"443","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"}],"validated":"2024-01-16T16:21:06Z"}]}'
[Wed 17 Jan 2024 12:21:12 AM CST] status='invalid invalid'
[Wed 17 Jan 2024 12:21:12 AM CST] error='"error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403'
[Wed 17 Jan 2024 12:21:12 AM CST] errordetail='43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404'
[Wed 17 Jan 2024 12:21:12 AM CST] Invalid status, c.oba.by:Verify error detail:43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404
[Wed 17 Jan 2024 12:21:12 AM CST] pid
[Wed 17 Jan 2024 12:21:12 AM CST] No need to restore nginx, skip.
[Wed 17 Jan 2024 12:21:12 AM CST] _clearupdns
[Wed 17 Jan 2024 12:21:12 AM CST] dns_entries
[Wed 17 Jan 2024 12:21:12 AM CST] skip dns.
[Wed 17 Jan 2024 12:21:12 AM CST] _on_issue_err
[Wed 17 Jan 2024 12:21:12 AM CST] Please check log file for more details: /usr/local/acme.sh/acme.sh.log
```
Fetching https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw returned a 404. The corresponding nginx configuration is:
```nginx
server {
    listen 80;
    #listen [::]:80;
    server_name c.oba.by ;
    index index.html index.htm index.php default.html default.htm default.php;
    root /home/wwwroot/c.oba.by;
    #include rewrite/none.conf;
    #error_page 404 /404.html;
    # Deny access to PHP files in specific directory
    #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
    location / {
        return 301 https://$host$request_uri;
    }
    access_log /home/wwwlogs/c.oba.by.log;
}
```
HTTP is redirected straight to HTTPS with a 301, so a request for the challenge file ends up on the HTTPS port, and that port does not have the file either.
To solve this, nginx has to serve /.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw normally instead of redirecting it.
I had tried adding a location block for this before, but it still failed; trying again:
```nginx
server {
    listen 80;
    #listen [::]:80;
    server_name c.oba.by ;
    index index.html index.htm index.php default.html default.htm default.php;
    root /home/wwwroot/c.oba.by;
    #include rewrite/none.conf;
    #error_page 404 /404.html;
    # Deny access to PHP files in specific directory
    #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
    location /.well-known {
        alias /home/wwwroot/c.oba.by/.well-known;
    }
    location / {
        return 301 https://$host$request_uri;
    }
    access_log /home/wwwlogs/c.oba.by.log;
}
```
This time, however, I moved the location block to the very front:
```nginx
location /.well-known {
    alias /home/wwwroot/c.oba.by/.well-known;
}
```
Renewing the certificate again then worked. To be safe, the same path can also be added to the HTTPS server block; if the directory /home/wwwroot/c.oba.by/.well-known does not exist, it has to be created first.
```text
[Wed 17 Jan 2024 08:59:51 AM CST] Your cert is in /usr/local/nginx/conf/ssl/c.oba.by_ecc/c.oba.by.cer
[Wed 17 Jan 2024 08:59:51 AM CST] Your cert key is in /usr/local/nginx/conf/ssl/c.oba.by_ecc/c.oba.by.key
[Wed 17 Jan 2024 08:59:51 AM CST] The intermediate CA cert is in /usr/local/nginx/conf/ssl/c.oba.by_ecc/ca.cer
[Wed 17 Jan 2024 08:59:51 AM CST] And the full chain certs is there /usr/local/nginx/conf/ssl/c.oba.by_ecc/fullchain.cer
```
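A pre-flight check for the redirect problem described above, written as an added example (not code from the post or from acme.sh): it drops a throwaway token under the webroot's acme-challenge directory and fetches it over plain HTTP without following redirects, so a catch-all `return 301` that still swallows the challenge path shows up as a "redirected" verdict before a real renewal burns a failed validation. WEBROOT and DOMAIN default to the post's paths and are assumptions to override per host.

```shell
#!/bin/sh
# Added example, not part of the post or of acme.sh. Defaults below are the
# post's paths; override WEBROOT/DOMAIN for another host.
WEBROOT="${WEBROOT:-/home/wwwroot/c.oba.by}"
DOMAIN="${DOMAIN:-c.oba.by}"

# Map an HTTP status (plus Location header, if any) to a verdict. A 3xx means
# the catch-all redirect still applies to the challenge path; a 404 means the
# location matched but the file is not under the alias/root directory.
challenge_verdict() {
  status="$1"; location="$2"
  case "$status" in
    200) echo "ok" ;;
    301|302|307|308) echo "redirected:${location:-unknown}" ;;
    404) echo "not-found" ;;
    *) echo "unexpected:$status" ;;
  esac
}

# Write a throwaway token, fetch it the way Let's Encrypt does for http-01
# (plain HTTP on port 80, no redirect following), then clean it up.
probe_challenge_path() {
  dir="$WEBROOT/.well-known/acme-challenge"
  token="preflight-$(date +%s)-$$"
  mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token"
  hdrs=$(mktemp)
  # -s: quiet; -D: dump response headers; no -L, so a 301 is reported, not followed
  body=$(curl -s -D "$hdrs" -o - "http://$DOMAIN/.well-known/acme-challenge/$token")
  status=$(awk 'NR==1 {print $2}' "$hdrs")
  location=$(awk 'tolower($1)=="location:" {print $2}' "$hdrs" | tr -d '\r')
  rm -f "$hdrs" "$dir/$token"
  verdict=$(challenge_verdict "$status" "$location")
  # A 200 only counts if the body is the token itself, not an HTML error page.
  if [ "$verdict" = "ok" ] && [ "$body" != "$token" ]; then verdict="wrong-body"; fi
  echo "$verdict"
}

# Only probe the live server when explicitly asked: ./preflight.sh --run
if [ "${1:-}" = "--run" ]; then
  result=$(probe_challenge_path)
  echo "http-01 pre-flight for $DOMAIN: $result"
  [ "$result" = "ok" ]
fi
```

Run it on the nginx host itself before `acme.sh --renew`; a non-zero exit means the renewal would fail the same way the log above did.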
37 comments
Automatic renewal makes life easy; no more renewing all the time.
Yep, that's right.
I could stare at this cover image for ages.
Feel free to look a while longer if you like it.
I once tried npm and never got it deployed no matter how many times I tried. My solution in the end: 宝塔面板 on domestic servers, 1panel on overseas servers. Free, auto-renewing, silky smooth.
Yeah, panels are generally convenient, but I run quite a few services here, so running commands directly is faster. Besides, in the time it would take to install and get familiar with one of those panels, I'd already have finished changing everything.
What if the CDN console also needs a copy of the certificate?
That's not easy to handle. Some CDNs support issuing free certificates automatically; 失控, which I currently use, does. But 无畏云 apparently doesn't support it and uses a one-year free certificate.
I use bncert, the HTTPS configuration tool of the Bitnami stack; it can renew automatically.
Haven't used that one; I'll find time to look into it.
Not sure why, but I can fetch your feed yet can no longer parse it. Could this be the cause?
Probably not; this is the certificate of a different service.
Fixed. It was caused by a post.
Parsing happily again.
Yep.
Did you touch the RSS again? XML Fatal Error 63: CData section not finished
no
It might be caused by the latest post.
Fixed. It was caused by special characters in a post.
Everyone has a slightly different way of solving this certificate problem, but as long as it gets solved, that's what matters.
Yep, that's right.
I've been using Tencent Cloud's SSL, the free one-year one... no tedious replacing needed, haha
Yep, the CDN I use is Tencent's too. For the ones that can auto-deploy, I use tools.
I was wondering why your post from two days ago only showed up in my subscription today.
Speaking of auto-renewal, I could never get it installed. Gave up in the end.
RSS broke after I published a post.
There are plenty of auto-renewal tools; try a different one.
I hope the domain transfer completes soon; then I have to apply for an SSL certificate and go back to struggling with Baidu searches.
The ones that expire every 90 days are a real pain. It's fine if there's auto-renewal, but with the CDNs where you have to upload the certificate yourself, you curse the whole way through.
Yes, once the validity got shorter, uploading by hand became a nuisance.
I can't be bothered with SSL anymore. Since every platform switched to 90-day certificates, Tencent Cloud seems to be the only big domestic provider still offering free one-year certificates. But I went with a 30-yuan-a-year wildcard certificate anyway.
30 a year is a fair price.
Alibaba Cloud's certificate policy has now changed to "a free quota of 20 per year, but they must be used within 3 months." Pretty nasty, so I reluctantly switched to panel-auto-renewed certificates too.
Alibaba's greed is disgusting. Ever since they changed the quota for free mailbox push, I haven't dared use any of their free services. Garbage.
No panel, everything by hand; I envy that hands-on ability. If I knew how to do this, I'd tinker with the server once a day.
The friend-link detection in the comment section gives different results for http and https; the friend link doesn't show.
It's an exact match, heh. I'll find time to optimize the matching logic.
Here on an archaeology dig, meow. I remembered you'd posted something like this.
Hello, fellow archaeologist.