apache - 尝试使用 certbox 获取 SSL 证书，但命令 sudo certbot --apache 在 ec2 实例上失败

Question

Here are the instructions I was following ，这是我尝试运行 sudo certbot --apache

时收到的错误

我通过 ssh 连接到我的 EC2 实例，并成功运行了说明第 2 部分和第 3 部分中的所有命令，但现在第 4 部分中的此命令失败了。这是输出:

bitnami@ip-172-31-82-209:~/apps/InterSportsGraphs$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): bigleaguegraphs.com www.bigleaguegraphs.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bigleaguegraphs.com
http-01 challenge for www.bigleaguegraphs.com
Enabled Apache rewrite module
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using ['apache2ctl', 'graceful']
Cleaning up challenges
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using ['apache2ctl', 'graceful']
Encountered exception during recovery: 
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2185, in _reload
    util.run_script(self.option("restart_cmd"))
  File "/usr/lib/python3/dist-packages/certbot/util.py", line 86, in run_script
    raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2287, in perform
    self.restart()
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2175, in restart
    self._reload()
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2203, in _reload
    raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2185, in _reload
    util.run_script(self.option("restart_cmd"))
  File "/usr/lib/python3/dist-packages/certbot/util.py", line 86, in run_script
    raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/error_handler.py", line 108, in _call_registered
    self.funcs[-1]()
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 323, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2312, in cleanup
    self.restart()
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2175, in restart
    self._reload()
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2203, in _reload
    raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

我认为整个错误中出现的错误消息的主要内容如下:

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80

任何关于如何调试它以获得我的网站的 SSL 证书的指导都会很棒，谢谢!我不是网络人士，但需要完成此操作以保护我的网站。如果我可以分享任何有助于解决此问题的附加信息，或者我应该如何解决这个问题，请告诉我。谢谢!

编辑:我用了 https://www.ssllabs.com/ssltest/测试我的域 bigleaguegraphs.com 但也不太理解这里的输出。

Edit2:这里有两个其他帖子的链接:

• https://unix.stackexchange.com/questions/381646/aws-ec2-instance-says-apache2-isnt-running-but-the-server-is-still-up-and-httpd
• https://community.bitnami.com/t/i-unable-to-restart-apache/47636

...看起来它们可能与我的帖子有关？

Answer 1

根据您发布的日志输出和评论，我们知道您的网站由 Node.js 而不是 Apache 提供服务。 这意味着您有三个选择:

1. 让 Apache 工作只是为了获取 Let's Encrypt 证书。我不推荐这种方法，因为它会很麻烦。 Apache 会在使用的端口方面与 Node.js 发生冲突，当您解决该问题时，您仍然需要将检索到的证书集成到 Node.js 中。

2. 您可以通过 certbot 和任何其他服务器(例如 node.js)直接检索证书，而不是使用 Apache 和 --apache 标志检索证书。通常，这将涉及使用带有 certonly --webroot 选项的 certbot，并且您需要修改您的 Node.js 服务器(仅一点点)以实际使用检索到的证书并监听其他端口SSL/TLS 连接。这种方法的一个很好的起点可能是这篇针对node.js和express.js的文章(express.js是迄今为止最流行的node.js HTTP服务器包，所以它很可能是您的网站也使用它或至少使用一个非常相似的包):https://www.sitepoint.com/how-to-use-ssltls-with-node-js/
   如果您有一个网站或一小部分网站想要获得证书，我会建议您采用这种方法。

3. 不要让 Let's Encrypt 通过 HTTP 验证您的网站，这始终涉及通过现有服务器(例如 Apache 以及带有 --apache 标志)或任何其他服务器提供质询响应服务器(使用 certonly --webroot 选项)您还可以通过 DNS 提供这些响应。这也适用于 certonly 选项(您还需要修改 node.js 才能像以前的方法一样实际使用证书)，但它有点复杂，因为其他所需选项可能会有所不同取决于您的 DNS 提供商。您可以在 https://certbot.eff.org/docs/using.html#dns-plugins 找到流行 DNS 提供商的文档概述。 。
   如果您有更多的网站并且想要通配符证书，这是我绝对推荐的方法(专业提示:每个 DNS 提供商都有准备使用的 docker 镜像: https://hub.docker.com/r/certbot/certbot/ )。