尝试运行命令时出现奇怪的letsencrypt错误
$ certbot certonly --standalone --email [email protected] --agree-tos -n -d trumporate.com,www.trumporate.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for trumporate.com
tls-sni-01 challenge for www.trumporate.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. trumporate.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout, www.trumporate.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: trumporate.com
Type: connection
Detail: Timeout
Domain: www.trumporate.com
Type: connection
Detail: Timeout
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
现在我已经使用生成了文件
dhparam$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
这是我当前的nginx conf文件
$ cat /etc/nginx/sites-available/trumporate
server {
listen 80;
server_name trumporate.com www.trumporate.com;
location / {
include proxy_params;
proxy_redirect off;
proxy_pass http://127.0.0.1:5000;
}
}
不知道我要去哪里错了。我正在运行certbot的此vm上的
trumporate.com应该可以解析吗?停止
nginx并再次运行,出现相同的错误我已经通过route53注册了域。
它有2个A型记录,指向连接到ec2盒的弹性IP。
一个用于www版本,另一个不带www版本,并且具有4条NS记录和一条SOA记录,我认为在创建托管区域时默认存在
最佳答案
我正在运行certbot的此vm上的trumporate.com应该可以解析吗?
听起来好像您没有在要获取证书的ec2框上运行命令。这将是一个问题,因为standalone启动了一个Web服务器,然后尝试使用您提供的域从外部访问它。可以这么说,这“证明”您拥有该域。您需要从ec2框中运行命令,并且需要打开通过安全组运行到世界的端口。您可以使用--tls-sni-01-port指定tls-sni端口(失败的端口),但默认情况下为443,因此您可能只需要打开端口443。
您还提到您正在使用route53,因此可以只使用route53验证程序。这样的好处是可以在任何地方工作,您只需要在运行它的计算机上设置访问密钥/秘密即可。
certbot certonly --dns-route53 --domains trumporate.com,www.trumporate.com