当我尝试执行命令为以下内容添加 Lets Encrypt SSL 证书时,出现错误。你能帮我纠正这个问题吗?
在服务器上运行命令以激活 LetsEncript SSL 证书
sudo certbot run -a webroot -i apache -w /var/www/html -d service.domain1.com --debug-challenges
Invalid response from
http://service.domain1.com/.well-known/acme-challenge/xWsuGIi0JmuEuDzS5qPkVX3oHuzY2kNl0YGoU6HltRg
[35.186.238.101]: "<!doctype html><html lang=\"en\"><head><meta
http-equiv=\"content-type\"
content=\"text/html;charset=utf-8\"><meta name=\"viewport\" con"
ubuntu@ip-10-0-0-55:~$ sudo certbot run -a webroot -i apache -w /var/www/html -d service.domain1.com --debug-challenges
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for service.domain1.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Cleaning up challenges
Failed authorization procedure. service.domain1.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://service.domain1.com/.well-known/acme-challenge/xWsuGIi0JmuEuDzS5qPkVX3oHuzY2kNl0YGoU6HltRg [35.186.238.101]: "<!doctype html><html lang=\"en\"><head><meta http-equiv=\"content-type\" content=\"text/html;charset=utf-8\"><meta name=\"viewport\" con"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: service.domain1.com
Type: unauthorized
Detail: Invalid response from
http://service.domain1.com/.well-known/acme-challenge/xWsuGIi0JmuEuDzS5qPkVX3oHuzY2kNl0YGoU6HltRg
[35.186.238.101]: "<!doctype html><html lang=\"en\"><head><meta
http-equiv=\"content-type\"
content=\"text/html;charset=utf-8\"><meta name=\"viewport\" con"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
最佳答案
“要修复这些错误,请确保您的域名是
正确输入和该域的 DNS A/AAAA 记录
包含正确的 IP 地址。”
我会说您没有为您的域添加正确的 DNS 设置。它会为您提供一些要添加的 A 记录以及将它们指向的 IP。
您可以做的是获取副本 acme-dns-certbot
wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py
下载后,将脚本更改为可执行文件
chmod +x acme-dns-auth.py
将脚本的第一行更改为使用 python3
nano acme-dns-auth.py #!/usr/bin/env python3
最后,将脚本移动到 Certbot Let's Encrypt 目录,以便 Certbot 可以加载它
sudo mv acme-dns-auth.py /etc/letsencrypt/
现在运行 Certbot 并强制它使用 DNS 验证颁发证书。这将运行 acme-dns-certbot 脚本并触发初始设置过程
sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.your-domain -d your-domain
您使用 --manual 参数禁用 Certbot 的所有自动集成功能。在这种情况下,您只是颁发原始证书,而不是自动将其安装在服务上。
您可以通过 --manual-auth-hook 参数将 Certbot 配置为使用 acme-dns-certbot Hook 。您运行 --preferred-challenges 参数,以便 Certbot 优先使用 DNS 验证。
您还必须告诉 Certbot 在尝试验证证书之前暂停,您可以使用 --debug-challenges 参数执行此操作。这是为了允许您设置 acme-dns-certbot 所需的 DNS CNAME 记录,这将在此步骤的后面介绍。如果没有 --debug-challenges 参数,Certbot 不会暂停,因此您将没有时间进行所需的 DNS 更改。
请记住使用 -d 参数替换您希望使用的每个域名。如果要颁发通配符证书,请确保使用反斜杠 () 转义星号 (*)。
完成此操作后,您应该会看到类似的消息
... Output from acme-dns-auth.py: Please add the following CNAME record to your main DNS zone: _acme-challenge.your-domain CNAME a15ce5b2-f170-4c91-97bf-09a5764a88f6.auth.acme-dns.io.
等待验证...
...
将 DNS 设置添加到您的域中,然后继续,您应该可以看到以下内容:
... Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/your-domain/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/your-domain/privkey.pem ...
关于apache - 极限挑战失败。来自 http ://service. domain1.com/.well-known/acme-challenge/xWsuGIi0JmuEuDzS5qPkVX3oHuzY2kNl0YGoU6HltRg 的无效响应,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/63919132/