主页 / server / 问题 / 819834
Accepted
QuantumMechanic
Asked: 2016-12-06 21:47:53 +0800 CST

无法使用 Let's Encrypt/Certbot 通过 TLS-SNI-01 挑战 - 如何解决?

  • 772

我正在运行 Ubuntu 14.04LTS。certbot-auto由于 certbot 不在 14.04 中,因此我已从 EFF 网站获取。

我试过运行它

certbot-auto --apache -d my.domain

并且它在 TLS-SNI-01 质询期间始终超时,并显示以下消息:

Failed authorization procedure. my.domain (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to ww.xx.yy.zz:443 for TLS-SNI-01 challenge

我已经通过运行 openssl 的命令并从外部位置s_server成功连接到“服务器”来验证入站 TLS 没有被阻止。s_server

看着/var/log/apache2/error.log我确实看到了一个关于(我假设)certbot-auto临时尝试设置的 docroot 未找到的可疑警告:

[Tue Dec 06 00:34:02.306032 2016] [mpm_prefork:notice] [pid 19521] AH00171: Graceful restart requested, doing restart
[Tue Dec 06 00:34:03.001014 2016] [mpm_prefork:notice] [pid 19521] AH00163: Apache/2.4.7 (Ubuntu) configured -- resuming normal operations
[Tue Dec 06 00:34:03.001094 2016] [core:notice] [pid 19521] AH00094: Command line: '/usr/sbin/apache2'
[Tue Dec 06 00:34:14.596461 2016] [mpm_prefork:notice] [pid 19521] AH00171: Graceful restart requested, doing restart
AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
[Tue Dec 06 00:34:14.661372 2016] [ssl:warn] [pid 19521] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Dec 06 00:34:15.000674 2016] [mpm_prefork:notice] [pid 19521] AH00163: Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f configured -- resuming normal operations
[Tue Dec 06 00:34:15.001293 2016] [core:notice] [pid 19521] AH00094: Command line: '/usr/sbin/apache2'

/var/log/letsencrypt/letsencrypt.log我看到以下内容,这看起来完全合理:

2016-12-06 05:34:13,247:INFO:certbot.auth_handler:Performing the following challenges:
2016-12-06 05:34:13,268:INFO:certbot.auth_handler:tls-sni-01 challenge for mydomain.com
2016-12-06 05:34:13,359:INFO:certbot_apache.configurator:Enabled Apache socache_shmcb module
2016-12-06 05:34:13,520:INFO:certbot_apache.configurator:Enabled Apache ssl module
2016-12-06 05:34:14,345:DEBUG:certbot_apache.tls_sni_01:Adding Include /etc/apache2/le_tls_sni_01_cert_challenge.conf to /files/etc/apache2/apache2.conf
2016-12-06 05:34:14,351:DEBUG:certbot_apache.tls_sni_01:writing a config file with text:
 <IfModule mod_ssl.c>
<VirtualHost *>
    ServerName b103a17811594b35d3ade8eb763c8c42.74b423d383109b22eaecca3ea14cd1f7.acme.invalid
    UseCanonicalName on
    SSLStrictSNIVHostCheck on

    LimitRequestBody 1048576

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /var/lib/letsencrypt/mRH5i2aIrWMqjsZn3jMXvdNnYV5Ejd0GBtcDoIJqQ4U.crt
    SSLCertificateKeyFile /var/lib/letsencrypt/mRH5i2aIrWMqjsZn3jMXvdNnYV5Ejd0GBtcDoIJqQ4U.pem

    DocumentRoot /var/lib/letsencrypt/tls_sni_01_page/
</VirtualHost>

</IfModule>

如果我/var/lib/letsencryptcertbot-auto跑步时观看,我永远不会看到tls_sni_01_page正在创建。这是我看到的顺序——一个临时目录和一些临时证书正在制作,然后在挑战失败时删除,但从来没有tls_sni_01_page

/var/lib/letsencrypt$ ls
backups
/var/lib/letsencrypt$ ls
backups
/var/lib/letsencrypt$ ls
backups
/var/lib/letsencrypt$ ls
backups  temp_checkpoint
/var/lib/letsencrypt$ ls
backups  temp_checkpoint
/var/lib/letsencrypt$ ls
backups  e1pvy9TgUvOmBxC4dlkwG5Ly2mTY0DU63qhUFpBik2Y.crt  e1pvy9TgUvOmBxC4dlkwG5Ly2mTY0DU63qhUFpBik2Y.pem  temp_checkpoint

我还更改/etc/letsencrypt/options-ssl-apache.conf了将日志记录级别设置为DEBUG并将该临时虚拟主机日志记录到它自己的错误和访问日志中。我在错误日志中看到输出但没有问题,但在访问日志中根本看不到任何内容。

我试过运行tcpdump -n port 443,我确实看到来自远程机器的某种连接尝试:

09:14:44.388328 IP 66.133.109.36.48890 > w.x.y.z.443: Flags [S], seq 1627589669, win 29200, options [mss 1460,sackOK,TS val 2834688174 ecr 0,nop,wscale 7], length 0
09:14:44.388435 IP w.x.y.z.443 > 66.133.109.36.48890: Flags [S.], seq 773250860, ack 1627589670, win 28960, options [mss 1460,sackOK,TS val 424229197 ecr 2834688174,nop,wscale 7], length 0
09:14:44.451190 IP 66.133.109.36.48890 > w.x.y.z.443: Flags [.], ack 1, win 229, options [nop,nop,TS val 2834688237 ecr 424229197], length 0
09:14:44.451546 IP 66.133.109.36.48890 > w.x.y.z.443: Flags [P.], seq 1:220, ack 1, win 229, options [nop,nop,TS val 2834688237 ecr 424229197], length 219
09:14:44.451619 IP w.x.y.z.443 > 66.133.109.36.48890: Flags [.], ack 220, win 235, options [nop,nop,TS val 424229216 ecr 2834688237], length 0
09:14:44.454461 IP w.x.y.z.443 > 66.133.109.36.48890: Flags [P.], seq 1:393, ack 220, win 235, options [nop,nop,TS val 424229217 ecr 2834688237], length 392
09:14:44.454626 IP w.x.y.z.443 > 66.133.109.36.48890: Flags [F.], seq 393, ack 220, win 235, options [nop,nop,TS val 424229217 ecr 2834688237], length 0
09:14:44.517433 IP 66.133.109.36.48890 > w.x.y.z.443: Flags [.], ack 393, win 237, options [nop,nop,TS val 2834688303 ecr 424229217], length 0
09:14:44.517481 IP 66.133.109.36.48890 > w.x.y.z.443: Flags [P.], seq 220:227, ack 394, win 237, options [nop,nop,TS val 2834688303 ecr 424229217], length 7
09:14:44.517514 IP 66.133.109.36.48890 > w.x.y.z.443: Flags [F.], seq 227, ack 394, win 237, options [nop,nop,TS val 2834688303 ecr 424229217], length 0
09:14:44.517544 IP w.x.y.z.443 > 66.133.109.36.48890: Flags [.], ack 228, win 235, options [nop,nop,TS val 424229235 ecr 2834688303], length 0

知道到底发生了什么吗?任何人都可以使用 Ubuntu 14.04LTS 和 apache 来完成这项工作吗?

ubuntu ssl https

2 个回答

  1. Best Answer

    我为此奋斗了几个小时,在我的日志中完成了相同的输出。我只是偶然发现了我的答案。我从另一个 webconfig 中粘贴了一些代码,其中已经有一个<virtual host _._._._:443>部分。我对其进行了更改,但仍将其保留。删除该 443 部分后,sudo certbot-auto --apache -d example.com运行没有错误,并且我有一个工作站点。

    我仅根据我的经验得出结论:确保您只有端口 80 的虚拟主机。我阅读的文档中没有提到这个问题,但似乎 certbot 无法更改 443 虚拟主机部分,它只能添加一个。

    编辑——2017 年 12 月我现在可以在 sites-available.conf 上运行 certbot <virtual host *:443>。我所有的自定义修改都保持不变,我唯一的抱怨是证书路径行没有缩进。<sigh>哦,好吧!</sigh>

    • 2

  2. 您可以尝试独立挑战验证。这绕过了 apache,并且可能会解决您certbot未在 WWW 根目录中创建正确文件的问题。

    1. 停止阿帕奇
    2. certbot-auto --standalone-supported-challenges tls-sni-01 -d my.domain
    3. 将您获得的证书安装在正确的位置(可能/etc/apache2/ssl
    4. 启动apache并测试
    • 1

相关问题