
Tom's questions

Arani
Asked: 2024-03-13 01:21:00 +0800 CST

Invalid response from .well-known/acme-challenge/<token>: 404 + nginx

  • 6

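I have looked at these questions (^, ^, ^, ^), but unfortunately none of them solve my problem.

I am trying to obtain an SSL certificate for one of my subdomains using certbot. However, the challenge fails when testing .well-known/acme-challenges/. The web server (nginx) returns a 404. The exact error is: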

Waiting for verification...                                                                      
Challenge failed for domain api.example.com                                                        
http-01 challenge for api.example.com             
                        
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:                          
  Domain: api.example.com                         
  Type:   unauthorized  
  Detail: 139.x.x.x: Invalid response from http://api.example.com/.well-known/acme-challenge/7AujpY6MnpBkHAmVihpVSQXcEMYuMZFHjywSsAICtvQ: 404                                                 

Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.    
                                                                                                 
Cleaning up challenges  
Some challenges have failed.

I even ran the following command manually from a separate system to obtain the certificate:

certbot -v certonly --manual --dry-run -d api.example.com

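However, I got the same error again. I created the file in the corresponding folder (/var/www/certbot/) according to the instructions and copied its contents. I even gave the file and the certbot folder 777 permissions and restarted the web server, but it still doesn't work.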

Create a file containing just this data:                                                         

7AujpY6MnpBkHAmVihpVSQXcEMYuMZFHjywSsAICtvQ.HQdAzFVYjmgUdQRvdJTBMm2eC2ZLOw-G-4TZr6JB0ak                                                          
And make it available on your web server at this URL:                                            
                        
http://api.example.com/.well-known/acme-challenge/7AujpY6MnpBkHAmVihpVSQXcEMYuMZFHjywSsAICtvQ      
                                                                                                 

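It seems that /.well-known/acme-challenge/ is not accessible at all. Even when I create a plain HTML file in /.well-known/acme-challenge/, it still cannot be accessed.

I did this for the domain itself (http://example.com/.well-known/acme-challenge/), whose certificate has already been received, but I still cannot access /.well-known/acme-challenge/.

My nginx.conf is as follows: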

worker_processes auto;

events{
  worker_connections 1024;
}

http {
  include mime.types;
  client_max_body_size 15M;
  include fastcgi.conf;

  gzip on;
  gzip_disable "msie6";
  gzip_comp_level 5;
  gzip_static on;
  gzip_vary on;
  gzip_proxied any;
  gzip_buffers 16 8k;
  gzip_min_length 1000;
  gzip_http_version 1.1;
  gzip_types
          text/css
          text/xml
          text/plain
          text/javascript
          application/javascript
          application/json
          application/x-javascript
          application/xml
          application/xml+rss
          application/xhtml+xml
          application/x-font-ttf
          application/x-font-opentype
          font/opentype
          application/vnd.ms-fontobject
          image/svg+xml
          image/x-icon
          application/rss+xml
          application/atom_xml;

  proxy_cache_path /etc/nginx/cache levels=1:2 keys_zone=website:100m max_size=1024m inactive=60m use_temp_path=off;
  proxy_cache_key "$scheme$request_method$host$request_uri";
  proxy_cache_valid 200 60m;
  limit_req_zone $binary_remote_addr zone=mylimit:10m rate=30r/m;

  server {
    listen [::]:80;
    listen 80;
    server_name example.com www.example.com;

    location /.well-known/acme-challenge/ {
      allow all;
      root /var/www/certbot/;
    }

    location /{
      return 301 https://example.com$request_uri;
    }
  }

  server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    add_header Strict-Transport-Security "max-age=63072000" always;

    location /{
      access_log /var/log/nginx/website_access_log;
      error_log /var/log/nginx/website_error_log;
      limit_req zone=mylimit burst=5 nodelay;

      proxy_pass 'http://website/';
      proxy_redirect off;

      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Host $http_host;
      proxy_set_header X-NginX-Proxy true;

      add_header X-Cache-Status $upstream_cache_status;
      expires 30d;
      add_header Cache-Control "public, no-transform";

      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Port $server_port;

      proxy_cache website;
      proxy_cache_valid 200 10m;
      proxy_cache_methods GET HEAD POST;

      proxy_cache_min_uses 3;

      proxy_cache_revalidate on;
      proxy_cache_background_update on;
      proxy_cache_lock on;
      proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;

      add_header X-Frame-Options SAMEORIGIN;
      add_header X-Content-Type-Options "nosniff" always;
      add_header X-XSS-Protection "1; mode=block";
      add_header Referrer-Policy "strict-origin";
      add_header Content-Security-Policy "default-src 'self'; script-src 'self'; media-src 'self'; img-src 'self' data: https://cloud.domain.co/images/; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'self'; object-src 'none'; connect-src 'self' https://api.example.com";
     # add_header Access-Control-Allow-Origin "*" always;
      add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";

      #include http-headers.conf;
    }

    location /.well-known/acme-challenge/ {
      allow all;
      root /var/www/certbot/;
    }
  }

  server {
    listen [::]:80;
    listen 80;
    server_name api.example.com;

    location /.well-known/acme-challenge/ {
      allow all;
      root /var/www/certbot/;
    }

    location / {
      return 301 https://api.example.com$request_uri;
    }
  }

  server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name api.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
      access_log /var/log/nginx/api_access_log;
      error_log /var/log/nginx/api_error_log;

      proxy_pass 'http://api:8090/';
      proxy_redirect off;
      
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Host $http_host;
      proxy_set_header X-NginX-Proxy true;

      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Port $server_port;
      
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
      add_header Content-Security-Policy "default-src 'self'; script-src 'self'; media-src 'self'; img-src 'self' data: https://cloud.domain.co/images/; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'self'; object-src 'none'; connect-src 'self' https://api.example.com";

    location /.well-known/acme-challenge/ {
      allow all;
      root /var/www/certbot/;
    }
    # include http-headers.conf; 
    # add_header Access-Control-Allow-Origin "*" always;
    }
  }
}

What is the problem?
Any help is appreciated.

nginx
  • 1 answer
  • 32 Views
Tom
Asked: 2019-02-19 21:18:54 +0800 CST

Session "NT Kernel Logger" failed to start

  • 1

I recently encountered an error on Windows Server 2012.

Session "NT Kernel Logger" failed to start with the following error: 0xc0000022

More details:
Log name: Microsoft-Windows-Kernel-EventTracing/Admin
Event ID: 2
Level: Error
Opcode: Start

  • What causes this error?
  • Is this an important error, or can I ignore it?
windows-server-2012
  • 1 answer
  • 7038 Views
Tom
Asked: 2016-05-13 22:53:54 +0800 CST

H and V do not work at Windows Server 2012 logon

  • 1

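I want to log in to Windows Server 2012. It worked yesterday, but today I cannot type my current password because the H and V keys do not work, and my password includes h.

I connected another keyboard, but the problem was not solved. I connected my current keyboard to another system and it works fine. In addition, the On-screen keyboard's H and V keys do not work.

I think it is a driver problem.

I tried to restart the server, but I cannot restart it because the setting named Shutdown: Allow system to be shut down without having to log on has not been enabled.

So, what do I do?

Any help is greatly appreciated.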

group-policy drivers keyboard windows-server-2012
  • 1 answer
  • 102 Views
