我正在使用 certbot 申请 Let's Encrypt
证书,
我的服务器是centos 7.2
和 nginx 1.11.9
.
这在下面是什么意思?
[root@test ~]# certbot certonly --webroot -w /var/www/www.example.com -d example.com -d www.example.com
Failed authorization procedure. example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.com/.well-known/acme-ch
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>", www.example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.example.com/.well-known/acme-challenge/k
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"
IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
e-mails sent to example@example.com.
- The following errors were reported by the server:
Domain: example.com
Type: unauthorized
Detail: Invalid response from
http://example.com/.well-known/acme-challenge/wGNv57IGJjHQ9wyzzALktpNaPzfnTtN3m7u3QuO4p40:
"<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"
Domain: www.example.com
Type: unauthorized
Detail: Invalid response from
http://www.example.com/.well-known/acme-challenge/kFJ0CSuKOdgcT2xmciB4GGNCcnUPoIbpQmA9jOII_Bk:
"<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
我可以访问
example.com
和 www.example.com
,并且在文档中有一个注释:https://certbot.eff.org/#centosrhel7-nginxNote: To use the webroot plugin, your server must be configured to serve files from hidden directories. If /.well-known is treated specially by your webserver configuration, you might need to modify the configuration to ensure that files inside /.well-known/acme-challenge are served by the webserver.
是这个原因吗?
如何修改配置?
最佳答案
这是一个很常见的问题,但幸运的是应该很容易解决。 Let's Encrypt 必须能够读取 .well-known 目录,以验证您的服务器是否实际托管了您想要证书的域。
首先,确保您的网站根目录中有一个 .well-known 目录。设置您的权限,使其可以从外部读取; 775应该是完美的。
然后,将此代码段添加到 Nginx 中的虚拟主机文件中:
location ~ /.well-known {
allow all;
}
这将允许对我们刚刚创建的 .well-known 目录的任何请求。现在,再次尝试请求证书,看看它是否有效。
关于nginx - 使用 certbot 申请 Let's Encrypt 证书 : Failed authorization procedure,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/42269107/