由于 let’s encrypt 签发的证书有效期只有 90 天,并且有的服务没有绑定目录,是通过 proxy_pass 转发的其他服务,就导致在更新证书的时候经常会出问题。
之前为了更新证书都是修改配置文件,证书更新完成之后再把配置文件换回去,但是,一直这个做法总是比较麻烦。查看 acme 的日志就会发现,其实是文件访问失败了。:
[Wed 17 Jan 2024 12:21:11 AM CST] responseHeaders='HTTP/2 200
server: nginx
date: Tue, 16 Jan 2024 16:21:11 GMT
content-type: application/json
content-length: 1309
boulder-requester: 1023612387
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: LPSUY_lxhOXaxMC2EZ9QV4b0zXRV24srjF5J4XvlRDA5S8Yb1zE
x-frame-options: DENY
strict-transport-security: max-age=604800
'
[Wed 17 Jan 2024 12:21:12 AM CST] code='200'
[Wed 17 Jan 2024 12:21:12 AM CST] original='{
"identifier": {
"type": "dns",
"value": "c.oba.by"
},
"status": "invalid",
"expires": "2024-01-23T16:21:04Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA",
"token": "TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw",
"validationRecord": [
{
"url": "http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw",
"hostname": "c.oba.by",
"port": "80",
"addressesResolved": [
"43.16.12.199"
],
"addressUsed": "43.16.12.199"
},
{
"url": "https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw",
"hostname": "c.oba.by",
"port": "443",
"addressesResolved": [
"43.16.12.199"
],
"addressUsed": "43.16.12.199"
}
],
"validated": "2024-01-16T16:21:06Z"
}
]
}'
[Wed 17 Jan 2024 12:21:12 AM CST] response='{"identifier":{"type":"dns","value":"c.oba.by"},"status":"invalid","expires":"2024-01-23T16:21:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA","token":"TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","validationRecord":[{"url":"http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"80","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"},{"url":"https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"443","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"}],"validated":"2024-01-16T16:21:06Z"}]}'
[Wed 17 Jan 2024 12:21:12 AM CST] original='{"identifier":{"type":"dns","value":"c.oba.by"},"status":"invalid","expires":"2024-01-23T16:21:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA","token":"TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","validationRecord":[{"url":"http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"80","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"},{"url":"https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"443","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"}],"validated":"2024-01-16T16:21:06Z"}]}'
[Wed 17 Jan 2024 12:21:12 AM CST] response='{"identifier":{"type":"dns","value":"c.oba.by"},"status":"invalid","expires":"2024-01-23T16:21:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA","token":"TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","validationRecord":[{"url":"http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"80","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"},{"url":"https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"443","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"}],"validated":"2024-01-16T16:21:06Z"}]}'
[Wed 17 Jan 2024 12:21:12 AM CST] status='invalid
invalid'
[Wed 17 Jan 2024 12:21:12 AM CST] error='"error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403'
[Wed 17 Jan 2024 12:21:12 AM CST] errordetail='43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404'
[Wed 17 Jan 2024 12:21:12 AM CST] Invalid status, c.oba.by:Verify error detail:43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404
[Wed 17 Jan 2024 12:21:12 AM CST] pid
[Wed 17 Jan 2024 12:21:12 AM CST] No need to restore nginx, skip.
[Wed 17 Jan 2024 12:21:12 AM CST] _clearupdns
[Wed 17 Jan 2024 12:21:12 AM CST] dns_entries
[Wed 17 Jan 2024 12:21:12 AM CST] skip dns.
[Wed 17 Jan 2024 12:21:12 AM CST] _on_issue_err
[Wed 17 Jan 2024 12:21:12 AM CST] Please check log file for more details: /usr/local/acme.sh/acme.sh.log
访问:https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw这个文件的时候 404 了。对应的 nginx 配置文件为:
server
{
listen 80;
#listen [::]:80;
server_name c.oba.by ;
index index.html index.htm index.php default.html default.htm default.php;
root /home/wwwroot/c.oba.by;
#include rewrite/none.conf;
#error_page 404 /404.html;
# Deny access to PHP files in specific directory
#location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
location / {
return 301 https://$host$request_uri;
}
access_log /home/wwwlogs/c.oba.by.log;
}
http 直接 301到了 https,那么反问 challenge 文件就会访问到对应的 https 端口下,而这个端口下同样没有这个文件。
那么要解决就需要让 nginx 能够正常的提供/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw访问权限。
之前尝试添加过 location 解决,但是依然失败,再次尝试:
server
{
listen 80;
#listen [::]:80;
server_name c.oba.by ;
index index.html index.htm index.php default.html default.htm default.php;
root /home/wwwroot/c.oba.by;
#include rewrite/none.conf;
#error_page 404 /404.html;
# Deny access to PHP files in specific directory
#location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
location /.well-known {
alias /home/wwwroot/c.oba.by/.well-known;
}
location / {
return 301 https://$host$request_uri;
}
access_log /home/wwwlogs/c.oba.by.log;
}
不过这次把 location 提到最开始的位置了:
location /.well-known {
alias /home/wwwroot/c.oba.by/.well-known;
}
再次尝试更新证书就 ok 了,为了保险 https 配置下也可以加入这个路径,对应路径/home/wwwroot/c.oba.by/.well-known如果不存在的话需要重新创建。
[Wed 17 Jan 2024 08:59:51 AM CST] Your cert is in[1;32m/usr/local/nginx/conf/ssl/c.oba.by_ecc/c.oba.by.cer [Wed 17 Jan 2024 08:59:51 AM CST] Your cert key is in[1;32m/usr/local/nginx/conf/ssl/c.oba.by_ecc/c.oba.by.key [Wed 17 Jan 2024 08:59:51 AM CST] The intermediate CA cert is in[1;32m/usr/local/nginx/conf/ssl/c.oba.by_ecc/ca.cer [Wed 17 Jan 2024 08:59:51 AM CST] And the full chain certs is there[1;32m/usr/local/nginx/conf/ssl/c.oba.by_ecc/fullchain.cer
35 comments
自动更新就安逸了,免得经常去更新
嗯嗯,是的。
这个封面图我能看老半天
喜欢可以多看会儿
曾经尝试过npm,部署了好多遍都没成功,后来的方案是,国内服务器用宝塔面板,国外服务器用1panel,免费、自动续期,纵享丝滑~
嗯嗯 一般的话面板方便,我这里服务比较多。还不如直接命令来得快,另外这些面板之前装过熟悉这些面板的功夫我都改完了
如果 cdn 控制台也需要一份证书的话咋办?
这个不大好办啦 有的cdn支持自动签发免费证书,目前用的失控是这样的。但是无畏云貌似不支持 用的一年的免费证书
我用的是Bitnami栈HTTPS配置工具bncert,可自动续订。
这个没用过 找时间研究下
不知道为啥能获取但解析不了你的feed了,难道是因为这个?
应该不是吧 这个是另外一个服务的证书。
修好了 文章导致的
又可以开心的解析了。
嗯嗯
是不是又动RSS了,XML Fatal Error 63: CData section not finished
no
可能是最新的文章导致的
修好了 文章特殊字符导致的
为了解决这个证书问题,大家的解决办法都不太一样呢,不过只要解决了问题就好。
嗯嗯 是哒
目前一直用的腾讯云的ssl 这个是免费一年的..不用繁琐的更换了 哈哈
嗯嗯 cdn用的是腾讯的。这种能自动部署的用的工具
我说你前两天的文章,怎么今天才在订阅中显示的呢。
话说这个自动更新,老是安装不了。最后放弃了
rss发了篇文章发挂了
自动更新的工具还是挺多的,可以换一个试试
域名快点转入成功,我就要申请SSL证书了,然后又要百度做难了
像那些90天就要过期的是真的麻烦 有自动更新还好 那些cdn要自己上传证书简直要全程骂骂咧咧
是的,时间短了之后就是手工上传就恶心了。
我都懒得折腾ssl,自从各平台都开始变成90天证书之后,目前国内大厂似乎只剩腾讯云还是提供免费的一年期证书了。但是我还是选择了30块一年的通配符证书
30一年价格还是可以的
阿里云的证书策略现在改成了「每年20张的免费额度,但要在3个月内用完。」就挺恶心的,无奈我也换成了面板自动续期的证书了。
阿里这个吃相贼恶心,从免费邮箱推送改额度之后就不敢用他们的免费服务了。垃圾
不用面板,纯手搓,羡慕这个动手能力,我如果会这些,我要一天折腾一遍服务器。
评论区友链识别 http和https 是不同结果啊,不显示友链了。
这个是全匹配的,嘎嘎。等找时间优化下匹配逻辑。