我正在尝试配置 CertBot,它仅在我通过 http 服务我的网站时才有效。通常我有一个 https 重定向,我不想每次需要使用 certbot 时都更改站点配置。我试图只/.well-known/通过 http 服务,但它仍然没有解决这个问题的任何想法?
我正在尝试复制这个想法但没有工作-> NGINX 将所有内容重定向,除了让加密到 https
例如:这有效:
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
location / {
proxy_pass http://localhost:8575/;
include /etc/nginx/conf.d/proxy.conf;
}
}
这不:(请注意,当前配置的 SSL 证书不正确,但需要 NGinX 启动)
server {
listen 80;
listen [::]:80;
server_name www.example.com example.com;
location /.well-known/acme-challenge/ {
proxy_pass http://localhost:8575/;
include /etc/nginx/conf.d/proxy.conf;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443;
server_name www.example.com example.com;
# ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_certificate /etc/ssl/crt/crt.crt;
ssl_certificate_key /etc/ssl/crt/key.key;
location / {
proxy_pass http://localhost:8575/;
include /etc/nginx/conf.d/proxy.conf;
}
}
错误日志:
certbot | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot | Plugins selected: Authenticator webroot, Installer None
certbot | Registering without email!
certbot | Obtaining a new certificate
certbot | Performing the following challenges:
certbot | http-01 challenge for www.example.com
certbot | http-01 challenge for example.com
certbot | Using the webroot path /var/www/html for all unmatched domains.
certbot | Waiting for verification...
certbot | Challenge failed for domain www.example.com
certbot | Challenge failed for domain example.com
certbot | http-01 challenge for www.example.com
certbot | http-01 challenge for example.com
certbot | Cleaning up challenges
certbot | IMPORTANT NOTES:
certbot | - The following errors were reported by the server:
certbot |
certbot | Domain: www.example.com
certbot | Type: unauthorized
certbot | Detail: Invalid response from
certbot | http://www.example.com/.well-known/acme-challenge/WyVEA5g6BWVDPpYUhEJ0bG5iH6daF1rZpFd0vuTXOa0
certbot | [50.117.156.123]: " <!DOCTYPE html><html lang=\"en-US\">\r\n
certbot | \t<head>\n\n\t\t <meta charset=\"UTF-8\">\r\n <meta
certbot | name=\"viewport\" con"
certbot |
certbot | Domain: example.com
certbot | Type: unauthorized
certbot | Detail: Invalid response from
certbot | https://www.example.com/x61_h9wxFY2Ye8-16GllyMq_dfsXbsEB1lYOjeq4LjU
certbot | [50.117.156.123]: " <!DOCTYPE html><html lang=\"en-US\">\r\n
certbot | \t<head>\n\n\t\t <meta charset=\"UTF-8\">\r\n <meta
certbot | name=\"viewport\" con"
certbot |
certbot | To fix these errors, please make sure that your domain name was
certbot | entered correctly and the DNS A/AAAA record(s) for that domain
certbot | contain(s) the right IP address.
certbot | - Your account credentials have been saved in your Certbot
certbot | configuration directory at /etc/letsencrypt. You should make a
certbot | secure backup of this folder now. This configuration directory will
certbot | also contain certificates and private keys obtained by Certbot so
certbot | making regular backups of this folder is ideal.
certbot | Some challenges have failed.
certbot exited with code 1
使用HTTP-01 质询,可以先重定向到 HTTPS 并通过 TLS 提供质询。但是,挑战总是从使用端口 80 的普通 HTTP 连接开始,您只能重定向到端口 443 上的 HTTPS。
因此,这种 Nginx 配置也应该可以工作:
在您的情况下,这意味着以下内容可能位于 HTTP 或 HTTPS
server块中。您能够替换为
/.well-known/acme-challenge/,$request_uri因为:此外,如果
/具有相同的根,则根本不需要单独location的。更新:我的主要问题是没有使用
$request_uriw/proxy_pass指令(这也不允许~BTW)。但是,在 HTTPS 块中使用它并没有错。查看https://serverfault.com/a/1018199/312793和https://serverfault.com/a/1017720/312793我意识到我实际上不需要传递我的 webapp 的“真实”根目录,只需在 nginx 可以服务于 certbot 读取/写入文件的地方。同样,您可以让一个目录为多个站点提供服务,因此我决定将最熟练的方法添加到
locationnginxdefault服务器块内100%。事实上,web 应用程序甚至不需要运行,只需要运行 nginx。这是我的新
default服务器块。注意:我acme在我的 nginx“真实”webroot 中创建了一个文件夹,并为该目录提供服务location /.well-known/acme-challenge/就像在进行设置时一样,您需要为 SSL 证书准备一些东西,否则 nginx 将无法正确启动。对此设置/分辨率非常满意!
需要添加以下内容:
$request_uri