我知道这个问题已经被问过几次了,但是我需要一些特定的帮助,因为我一直在从其他几个线程中获取建议,但到目前为止没有任何工作。
我正在尝试使用certbot-auto renew在Ubuntu 14.04中更新我的SSL证书,并且正在运行Apache2服务器和nginx。我得到certbot-auto renew的以下输出:
root@PostgreSQLServer:/# sudo certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/my-domain.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for my-domain.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/my-domain.com.conf produced an unexpected error: Failed authorization procedure. my-domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://my-domain.com/.well-known/acme-challenge/ailNmgZADpb4QBipKM57sOi9w3PwNkwBwVFiRYs7i40: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/my-domain.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: my-domain.com
Type: unauthorized
Detail: Invalid response from
http://my-domain.com/.well-known/acme-challenge/ailNmgZADpb4QBipKM57sOi9w3PwNkwBwVFiRYs7i40:
"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
我确保
.well-known文件夹存在于/var/www/my-domain.com/public_html中,并且当我在浏览器中导航到http://my-domain.com/.well-known/时,我能够看到该目录的内容。我还在acme-challenge中添加了一个.well-known文件夹,并包含了一个test.txt文件进行测试。我能够在浏览器中访问目录和文本文件。我发现在运行
acme-challenge命令时未创建certbot-auto文件夹,因此这似乎是权限问题。我以root身份运行certbot-auto,但还授予了www-data和.well-known文件夹上的acme-challenge用户写权限(root和www-data用户正在运行apache2和nginx进程)。即使授予该写权限,我仍然会收到上面详述的404错误。
我还具有通过
crontab运行的自动证书更新过程,并且输出已记录到本地文件中。在该日志文件中,我看到续约请求似乎正常工作,直到certbot-auto从0.9.3升级到0.10.1。这是升级时日志文件中的一个示例: -------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/offensively-bad.com.conf
-------------------------------------------------------------------------------
The following certs are not due for renewal yet:
/etc/letsencrypt/live/offensively-bad.com/fullchain.pem (skipped)
No renewals were attempted.
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/offensively-bad.com.conf
-------------------------------------------------------------------------------
The following certs are not due for renewal yet:
/etc/letsencrypt/live/offensively-bad.com/fullchain.pem (skipped)
No renewals were attempted.
Upgrading certbot-auto 0.9.3 to 0.10.1...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/offensively-bad.com.conf
-------------------------------------------------------------------------------
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/offensively-bad.com/fullchain.pem (failure)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: offensively-bad.com
Type: unauthorized
Detail: Invalid response from
http://offensively-bad.com/.well-known/acme-challenge/tkSc8l-r1XVPIF5TosTbEXiYMa8sQnoXEjAEgAwRoqI:
"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
您可以看到,升级后,该过程开始失败,并显示404消息。
我已经尝试了所有可以在网上找到的建议,但完全陷入了困境,因此,我们将不胜感激。提前致谢!
最佳答案
我的问题是我的树莓派raspbian Stretch上的certbot版本太旧:
certbot --version
给了
certbot 0.10.2
apt-get install python-certbot-apache -t stretch-backports
做到了:
certbot 0.21.1
然后就
certbot --apache -d domain.com
希望这可以帮助!
关于apache - certbot-auto:客户端缺少足够的授权,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/42194249/