问题
I am using a useful tool to automate the creation and renewal of SSL certs from letsencrypt. I have "parametised" the steps shown on the linked site, so that I can use the instructions to obtain and maintain SSL certs for multiple websites.
I am running nginx on Ubuntu 16.0.4 LTS. I am running multiple virtual servers with nginx.
I managed to successfully obtain certificates for the first domain (foo.com, www.foo.com, mail.foo.com), so I know that my "parametisation" of the steps/script etc works.
I am now trying to obtain a certificate for the other websites. I am trying to obtain certs for foobar.com, www.foobar.com, mail.foobar.com and staff.foobar.com.
When I run my getcert.sh script (modified for foobar.com), it returns with the following message:
memyself@yourbox:/opt/sslcert/foobar# su -s /bin/bash -c '/opt/sslcert/foobar/bin/getcert.sh' sslcert
acme/challenge failed: {
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:acme:error:unauthorized",
"detail": "Invalid response from http://mail.foobar.com/.well-known/acme-challenge/RsX0GNAPx-ODGvMTHCjQ9uSru7AazwkmmG6gmo-yAkk: \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody bgcolor=\"white\"\u003e\r\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003e\"",
"status": 403
},
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/83fRVxQHUjMUHzqK2Cc0gTflM_3wuwuItW5-Y6Xlfo0/360341585",
"token": "RsX0GNAPx-ODGvMTHCjQ9uSru7AazwkmmG6gmo-yAkk",
"keyAuthorization": "RsX0GNAPx-ODGvMTHCjQ9uSru7AazwkmmG6gmo-yAkk.9CRniSJOopxytAkBrkdIFkhM5tJzGI6kbXfB0998SNk",
"validationRecord": [
{
"url": "http://mail.foobar.com/.well-known/acme-challenge/RsX0GNAPx-ODGvMTHCjQ9uSru7AazwkmmG6gmo-yAkk",
"hostname": "mail.foobar.com",
"port": "80",
"addressesResolved": [
"66.228.37.10"
],
"addressUsed": "66.228.37.10"
}
]
}
A few points worth mentioning:
- The nginx configuration for foo.com and foobar.com are identical (except where the server name is specified)
- The folder structure and permissioning is exactly the same for the websites foo and foobar.
- The websites have the same physical static IP address, but different server names; i.e. the different domain names resolve to the same IP address.
Here are the contents of the error log AFTER I have tried to obtain certificates for foobar:
memyself@yourbox:~# cat /var/log/nginx/error.log
2016/11/19 10:07:41 [error] 30345#30345: *78 open() "/opt/sslcert/foo/acme-challenge/1aLrSYLJGhDBtihuoXAsdh1K0jpdmcWBYWYPGxFNJXo" failed (2: No such file or directory), client: 66.133.109.36, server: foo.com, request: "GET /.well-known/acme-challenge/1aLrSYLJGhDBtihuoXAsdh1K0jpdmcWBYWYPGxFNJXo HTTP/1.1", host: "mail.foobar.com"
As can be seen from above, the cert is being attempted to be read from /opt/sslcert/foo/acme-challenge/ this should be /opt/sslcert/foobar/acme-challenge/ instead.
Can anyone explain what is causing this problem ? - and how can it be resolved?
回答1:
Have you had a look at how lets-nginx is doing this? It sounds like you're trying to do essentially what it is doing in its entrypoint.sh script but inside a container.
It might even be easier to use a docker container for this entirely but if you can't this might help guide you through the setup of a script.
回答2:
a time saver suggestion, add this location block in your server blocks and try
location ~ /.well-known {
allow all;
root /path/to/webroot/;
}
if you have no problem using another command (which am using):
/opt/letsencrypt/letsencrypt-auto certonly -a webroot --webroot-path="/path/to/webroot/" -d "domain_name1" -d "domain_name2" --non-interactive --email="you@email.com" --agree-tos
NOTES :
Assuming you installed letsencrypt installation path as /opt/letsencrypt/
Tested on Ubuntu 14.04 & 16.04, hope there is no problem using it in any linux systems
if you are using new certbot rename letsencrypt-auto to certbot-auto
来源:https://stackoverflow.com/questions/40768354/letsencrypt-nginx-and-virtual-servers-on-ubuntu