我正在运行Ubuntu 14.04LTS。 由于certbot不在14.04,我从EFF网站上抓取了certbot-auto 。
我已经试过运行它
certbot-auto --apache -d my.domain
并且在TLS-SNI-01挑战期间持续超时,消息如下:
Failed authorization procedure. my.domain (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to ww.xx.yy.zz:443 for TLS-SNI-01 challenge
我已经validation了入站TLS没有被运行openssl的s_server命令阻塞,并成功地从外部位置连接到s_server “server”。
查看/var/log/apache2/error.log我看到一个可疑的警告(我认为) certbot-auto暂时试图设置不被发现的docroot:
[Tue Dec 06 00:34:02.306032 2016] [mpm_prefork:notice] [pid 19521] AH00171: Graceful restart requested, doing restart [Tue Dec 06 00:34:03.001014 2016] [mpm_prefork:notice] [pid 19521] AH00163: Apache/2.4.7 (Ubuntu) configured -- resuming normal operations [Tue Dec 06 00:34:03.001094 2016] [core:notice] [pid 19521] AH00094: Command line: '/usr/sbin/apache2' [Tue Dec 06 00:34:14.596461 2016] [mpm_prefork:notice] [pid 19521] AH00171: Graceful restart requested, doing restart AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist [Tue Dec 06 00:34:14.661372 2016] [ssl:warn] [pid 19521] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Tue Dec 06 00:34:15.000674 2016] [mpm_prefork:notice] [pid 19521] AH00163: Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f configured -- resuming normal operations [Tue Dec 06 00:34:15.001293 2016] [core:notice] [pid 19521] AH00094: Command line: '/usr/sbin/apache2'
在/var/log/letsencrypt/letsencrypt.log我看到以下,看起来完全合理:
2016-12-06 05:34:13,247:INFO:certbot.auth_handler:Performing the following challenges: 2016-12-06 05:34:13,268:INFO:certbot.auth_handler:tls-sni-01 challenge for mydomain.com 2016-12-06 05:34:13,359:INFO:certbot_apache.configurator:Enabled Apache socache_shmcb module 2016-12-06 05:34:13,520:INFO:certbot_apache.configurator:Enabled Apache ssl module 2016-12-06 05:34:14,345:DEBUG:certbot_apache.tls_sni_01:Adding Include /etc/apache2/le_tls_sni_01_cert_challenge.conf to /files/etc/apache2/apache2.conf 2016-12-06 05:34:14,351:DEBUG:certbot_apache.tls_sni_01:writing a config file with text: <IfModule mod_ssl.c> <VirtualHost *> ServerName b103a17811594b35d3ade8eb763c8c42.74b423d383109b22eaecca3ea14cd1f7.acme.invalid UseCanonicalName on SSLStrictSNIVHostCheck on LimitRequestBody 1048576 Include /etc/letsencrypt/options-ssl-apache.conf SSLCertificateFile /var/lib/letsencrypt/mRH5i2aIrWMqjsZn3jMXvdNnYV5Ejd0GBtcDoIJqQ4U.crt SSLCertificateKeyFile /var/lib/letsencrypt/mRH5i2aIrWMqjsZn3jMXvdNnYV5Ejd0GBtcDoIJqQ4U.pem DocumentRoot /var/lib/letsencrypt/tls_sni_01_page/ </VirtualHost> </IfModule>
如果我观看/var/lib/letsencrypt而certbot-auto运行我从来没有看到创build一个tls_sni_01_page 。 下面是我看到的序列 – 一个临时目录和一些临时证书正在制作,然后在挑战失败时被删除,但从来没有tls_sni_01_page
/var/lib/letsencrypt$ ls backups /var/lib/letsencrypt$ ls backups /var/lib/letsencrypt$ ls backups /var/lib/letsencrypt$ ls backups temp_checkpoint /var/lib/letsencrypt$ ls backups temp_checkpoint /var/lib/letsencrypt$ ls backups e1pvy9TgUvOmBxC4dlkwG5Ly2mTY0DU63qhUFpBik2Y.crt e1pvy9TgUvOmBxC4dlkwG5Ly2mTY0DU63qhUFpBik2Y.pem temp_checkpoint
我还更改了/etc/letsencrypt/options-ssl-apache.conf以将日志级别设置为DEBUG并让该临时虚拟主机login到自己的错误和访问日志。 我看到输出,但在错误日志中没有问题,但在访问日志中完全没有看到任何问题。
我已经尝试运行tcpdump -n port 443 ,我看到远程机器的某种连接尝试:
09:14:44.388328 IP 66.133.109.36.48890 > wxyz443: Flags [S], seq 1627589669, win 29200, options [mss 1460,sackOK,TS val 2834688174 ecr 0,nop,wscale 7], length 0 09:14:44.388435 IP wxyz443 > 66.133.109.36.48890: Flags [S.], seq 773250860, ack 1627589670, win 28960, options [mss 1460,sackOK,TS val 424229197 ecr 2834688174,nop,wscale 7], length 0 09:14:44.451190 IP 66.133.109.36.48890 > wxyz443: Flags [.], ack 1, win 229, options [nop,nop,TS val 2834688237 ecr 424229197], length 0 09:14:44.451546 IP 66.133.109.36.48890 > wxyz443: Flags [P.], seq 1:220, ack 1, win 229, options [nop,nop,TS val 2834688237 ecr 424229197], length 219 09:14:44.451619 IP wxyz443 > 66.133.109.36.48890: Flags [.], ack 220, win 235, options [nop,nop,TS val 424229216 ecr 2834688237], length 0 09:14:44.454461 IP wxyz443 > 66.133.109.36.48890: Flags [P.], seq 1:393, ack 220, win 235, options [nop,nop,TS val 424229217 ecr 2834688237], length 392 09:14:44.454626 IP wxyz443 > 66.133.109.36.48890: Flags [F.], seq 393, ack 220, win 235, options [nop,nop,TS val 424229217 ecr 2834688237], length 0 09:14:44.517433 IP 66.133.109.36.48890 > wxyz443: Flags [.], ack 393, win 237, options [nop,nop,TS val 2834688303 ecr 424229217], length 0 09:14:44.517481 IP 66.133.109.36.48890 > wxyz443: Flags [P.], seq 220:227, ack 394, win 237, options [nop,nop,TS val 2834688303 ecr 424229217], length 7 09:14:44.517514 IP 66.133.109.36.48890 > wxyz443: Flags [F.], seq 227, ack 394, win 237, options [nop,nop,TS val 2834688303 ecr 424229217], length 0 09:14:44.517544 IP wxyz443 > 66.133.109.36.48890: Flags [.], ack 228, win 235, options [nop,nop,TS val 424229235 ecr 2834688303], length 0
任何想法是怎么回事? 任何人都可以得到这与Ubuntu 14.04LTS和Apache的工作?
我打了几个小时,在我的日志中完成了相同的输出。 我只是偶然发现了我的答案。 我从另一个webconfig粘贴了一些代码,它已经有一个<virtual host _._._._:443>部分了。 我改变了它,但留下了它。在删除443节后, sudo certbot-auto --apache -d example.com运行没有错误,我有一个工作网站。
我只是从我的经验得出结论:确保你只有80端口的虚拟主机。在我读的文档中没有提到这个问题,但似乎certbot不能改变443虚拟主机部分,它只能添加一个。
你可以尝试单独的挑战validation。 这绕过Apache,并应该有可能解决您的问题与certbot不在WWW根创build正确的文件。
certbot-auto --standalone-supported-challenges tls-sni-01 -d my.domain /etc/apache2/ssl )