"Error getting validation data" when installing Certbot on Debian 8.7 Jessie Linux

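I'm just setting up my server, and I can't get my configuration to work with Certbot. It is always the same. I tried a few different configurations, but none of them worked. This is my latest attempt. It always says: "Error getting validation data". Does anyone have an idea why this doesn't work?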

Full installation:

    sudo apt-get update && sudo apt-get upgrade
    Ign http://ftp.debian.org jessie InRelease
    [...]
    Processing triggers for initramfs-tools (0.120+deb8u3) ...
    Processing triggers for ca-certificates (20141019+deb8u3) ...
    Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d....done.
    sudo apt-get install nano
    Reading package lists... Done
    [...]
    0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
    [...]
    update-alternatives: using /bin/nano to provide /usr/bin/pico (pico) in auto mode
    sudo apt install curl
    Reading package lists... Done
    [...]
    0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
    [...]
    sudo mkdir -p /var/www/mydomain.ru/public_html
    sudo chown -R root:root /var/www/mydomain.ru/public_html
    sudo chmod -R 755 /var/www
    nano /var/www/mydomain.ru/public_html/index.html
    cd /etc/apache2/sites-available/
    /etc/apache2/sites-available# ls
    000-default.conf default-ssl.conf
    /etc/apache2/sites-available# cd
    sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/mydomain.ru.conf
    sudo nano /etc/apache2/sites-available/mydomain.ru.conf
    sudo nano /etc/apache2/sites-available/mydomain.ru.conf
    sudo a2ensite mydomain.ru.conf
    Enabling site mydomain.ru.
    To activate the new configuration, you need to run:
    service apache2 reload
    sudo a2dissite 000-default.conf
    Site 000-default disabled.
    To activate the new configuration, you need to run:
    service apache2 reload
    sudo a2dissite default-ssl.conf
    Site default-ssl already disabled
    sudo /etc/init.d/apache2 restart
    [ ok ] Restarting apache2 (via systemctl): apache2.service.
    sudo nano /etc/apache2/sites-available/mydomain.ru.conf
    sudo /etc/init.d/apache2 restart
    [ ok ] Restarting apache2 (via systemctl): apache2.service.
    sudo nano /etc/apache2/sites-available/mydomain.ru.conf
    sudo nano /etc/apt/sources.list
    apt-get update
    Ign http://ftp.debian.org jessie InRelease
    [...]
    Reading package lists... Done
    sudo apt-get install python-certbot-apache -t jessie-backports
    Reading package lists... Done
    [...]
    0 upgraded, 34 newly installed, 0 to remove and 32 not upgraded.
    [...]
    Do you want to continue? [Y/n] y
    Get:1 http://ftp.debian.org/debian/ jessie-backports/main augeas-lenses all 1.8.0-1~bpo8+1 [422 kB]
    [...]
    Processing triggers for libc-bin (2.19-18+deb8u10) ...
    sudo certbot --apache
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Which names would you like to activate HTTPS for?
    -------------------------------------------------------------------------------
    1: mydomain.ru
    2: www.mydomain.ru
    -------------------------------------------------------------------------------
    Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel):
    Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):[email protected]
    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    -------------------------------------------------------------------------------
    Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree in order to register with the ACME server at https://acme-v01.api.letsencrypt.org/directory
    -------------------------------------------------------------------------------
    (A)gree/(C)ancel: a
    Obtaining a new certificate
    Performing the following challenges:
    tls-sni-01 challenge for mydomain.ru
    tls-sni-01 challenge for www.mydomain.ru
    Enabled Apache socache_shmcb module
    Enabled Apache ssl module
    /usr/lib/python2.7/dist-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
    result_code = _lib.RAND_bytes(result_buffer, num_bytes)
    Waiting for verification...
    Cleaning up challenges
    Failed authorization procedure. www.mydomain.ru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data, mydomain.ru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data

    IMPORTANT NOTES:
    - If you lose your account credentials, you can recover through e-mails sent to [email protected].
    - The following errors were reported by the server:

      Domain: www.mydomain.ru
      Type: connection
      Detail: Error getting validation data

      Domain: mydomain.ru
      Type: connection
      Detail: Error getting validation data

      To fix these errors, please make sure that your domain name was
      [...]
      making regular backups of this folder is ideal.

Changes in my /etc/apache2/sites-available/mydomain.ru.conf:

    <IfModule mod_ssl.c>
        <VirtualHost mydomain.ru:443>
            ServerAdmin [email protected]
            ServerName mydomain.ru:443
            ServerAlias www.mydomain.ru
            DocumentRoot /var/www/mydomain.ru/public_html

            # Available loglevels: trace8, ..., trace1, debug, info, notice$
            # error, crit, alert, emerg.
            # It is also possible to configure the loglevel for particular
            # modules, eg
            #LogLevel info ssl:warn

            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined

            # For most configuration files from conf-available/, which are
            # enabled or disabled at a global level, it is possible to

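Is your Apache server available (to the greater internet) on the domain of the virtual host? When you request a certificate, certbot modifies your Apache configuration to serve a validation token at a special URL on your site (usually `/.well-known/acme-challenge/<sometoken>`), and then Let's Encrypt requests that path using the domain name you are requesting the certificate for. This is how they confirm that you own the domain you are publicly requesting a certificate for.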

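If that web server is not public, or there is no public DNS entry matching the virtual host that points to it, then Let's Encrypt will not be able to request its authorization token.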

I needed to configure iptables with the following line:

 sudo iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
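
Added example, not part of the original posts: the last answer inserts its rule with `-I INPUT 1` rather than appending it, and the sketch below walks a constructed `iptables -S INPUT` listing in order to show why rule position decides whether the validation connection to port 443 is admitted. The sample chain, the `eth0` interface name and the function names are assumptions made for illustration.

```python
import shlex

# Constructed `iptables -S INPUT` output (not from the posts above): default-drop
# chain that admits loopback, established traffic and SSH, then rejects the rest.
BEFORE = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
RULE_443 = "-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT\n"
# Chain after `iptables -I INPUT 1 ...` (rule lands first) versus after `-A` (last).
INSERTED = BEFORE.replace("-P INPUT DROP\n", "-P INPUT DROP\n" + RULE_443)
APPENDED = BEFORE + RULE_443

def matches(tok, port, iface="eth0"):
    """True if the rule covers a NEW TCP packet to `port` arriving on `iface` (assumed name)."""
    opts = dict(zip(tok[2:], tok[3:]))            # each option -> the token after it
    if "!" in tok or "-s" in opts:                # negation / source limits: not modelled,
        return False                              # treated as not covering arbitrary clients
    if opts.get("-p", "tcp") not in ("tcp", "all"):
        return False
    if "-i" in opts and opts["-i"] != iface:
        return False
    state = opts.get("--ctstate") or opts.get("--state")
    if state and "NEW" not in state.split(","):
        return False
    spec = opts.get("--dport") or opts.get("--dports")
    if spec:                                      # "443", "80:443" or "80,443"
        return any(int(lo) <= port <= int(hi or lo)
                   for lo, _, hi in (p.partition(":") for p in spec.split(",")))
    return True

def first_verdict(rules_text, port, chain="INPUT"):
    """Walk the chain in order; return the first terminating target, else the policy."""
    policy = "ACCEPT"
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", chain]:
            policy = tok[2]
        elif tok[:2] == ["-A", chain] and "-j" in tok:
            target = tok[tok.index("-j") + 1]
            if target in ("ACCEPT", "DROP", "REJECT") and matches(tok, port):
                return target
    return policy

if __name__ == "__main__":
    for name, chain in (("before", BEFORE), ("inserted", INSERTED), ("appended", APPENDED)):
        print(name, first_verdict(chain, 443))
```

On a real host, the text passed to `first_verdict` would be the output of `sudo iptables -S INPUT`; jumps to user-defined chains and negated matches are not followed by this sketch.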