riddle posted on 2021-12-4 21:56:32

lnmp1.7 Let's Encrypt domain SSL certificate auto-renewal fails

Hello. I added the certificate with lnmp vhost add, but after it expired it was never renewed. I read the posts on the forum and followed https://bbs.vpser.net/forum.php?mod=viewthread&tid=25435&highlight=SSL%E8%AF%81%E4%B9%A6, but at the last step it reported:
===Starting cron===
Renew: 'cyber-reed.tech'
Using CA: https://acme-v02.api.letsencrypt.org/directory
Single domain='cyber-reed.tech'
Getting domain auth token for each domain
Getting webroot for domain='cyber-reed.tech'
Verifying: cyber-reed.tech
Pending, The CA is processing your order, please just wait. (1/30)
cyber-reed.tech:Verify error:Fetching https://cyber-reed.tech/.well-known/acme-challenge/jYY3XVmM1kdi0Wh9tYgL4d0RWGb85hQmLv_vIBKQjEA: Connection refused
Please check log file for more details: /usr/local/acme.sh/acme.sh.log
Error renew cyber-reed.tech.
===End cron===

Then I found https://bbs.vpser.net/forum.php?mod=viewthread&tid=25319&highlight=SSL%E8%AF%81%E4%B9%A6 and checked /usr/local/nginx/conf# cat nginx.conf
      location ~ /.well-known {
            allow all;
      }

      location ~ /\.
      {
            deny all;
      }

      access_log /home/wwwlogs/access.log;
    }

It looks fine to me. How should I handle this? Forgive me, I have never studied this area.

riddle posted on 2021-12-4 22:08:23

One more question: is manual renewal done with /usr/local/acme.sh/acme.sh --upgrade? I ran it successfully, but after refreshing the site it still shows the certificate as expired.

licess posted on 2021-12-5 09:34:04

It shows Connection refused, meaning Let's Encrypt cannot reach your website.
For details you need to look at the full acme.sh.log.
If you want a 301 redirect with a free SSL certificate from Let's Encrypt, ZeroSSL or BuyPass, you must follow the instructions at https://lnmp.org/faq/lnmp-nginx-301-rewrite.html

riddle posted on 2021-12-6 22:19:11

licess posted on 2021-12-5 09:34
It shows Connection refused, meaning Let's Encrypt cannot reach your website
For details you need to look at the full acme.sh.log
If Let's Encrypt ...

I did set up a redirect, in the site-specific config: /usr/local/nginx/conf/vhost/cyber-reed.tech.conf
server
    {
      listen 80;
      #listen [::]:80;
      server_name cyber-reed.tech;
        return 301 https://cyber-reed.tech$request_uri;
      index index.html index.htm index.php default.html default.htm default.php;
      root /home/wwwroot/cyber-reed.tech;

      include rewrite/typecho.conf;
      #error_page   404   /404.html;

      # Deny access to PHP files in specific directory
      #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

      include enable-php-pathinfo.conf;

      location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
      {
            expires      30d;
      }

      location ~ .*\.(js|css)?$
      {
            expires      12h;
      }

      location ~ /.well-known {
            allow all;
      }

      location ~ /\.
      {
            deny all;
      }

      access_log /home/wwwlogs/cyber-reed.tech.log;
    }

server
    {
      listen 443 ssl http2;
      #listen [::]:443 ssl http2;
      server_name cyber-reed.tech ;
      index index.html index.htm index.php default.html default.htm default.php;
      root /home/wwwroot/cyber-reed.tech;

      ssl_certificate /usr/local/nginx/conf/ssl/cyber-reed.tech/fullchain.cer;
      ssl_certificate_key /usr/local/nginx/conf/ssl/cyber-reed.tech/cyber-reed.tech.key;
      ssl_session_timeout 5m;
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
      ssl_prefer_server_ciphers on;
      ssl_ciphers "TLS1XXXX";
      ssl_session_cache builtin:1000 shared:SSL:10m;
      # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
      ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

      include rewrite/typecho.conf;
      #error_page   404   /404.html;

      # Deny access to PHP files in specific directory
      #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

      include enable-php-pathinfo.conf;

      location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
      {
            expires      30d;
      }

      location ~ .*\.(js|css)?$
      {
            expires      12h;
      }

      location ~ /.well-known {
            allow all;
      }

      location ~ /\.
      {
            deny all;
      }

      access_log /home/wwwlogs/cyber-reed.tech.log;
    }

Then I looked at acme.sh.log; apart from the Connection refused shown above I did not see any other errors. I have no idea where to go from here.

I am attaching the full log separately.

riddle posted on 2021-12-6 22:26:35

The full log is rather long, so I cut out a part of it:
===Starting cron===
Using config home:/usr/local/acme.sh
ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
_stopRenewOnError
_set_level='2'
di='/usr/local/nginx/conf/ssl/cyber-reed.tech/'
d='cyber-reed.tech'
Using config home:/usr/local/acme.sh
ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
DOMAIN_PATH='/usr/local/nginx/conf/ssl/cyber-reed.tech'
Renew: 'cyber-reed.tech'
Le_API='https://acme-v02.api.letsencrypt.org/directory'
Using config home:/usr/local/acme.sh
ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
_main_domain='cyber-reed.tech'
_alt_domains='no'
Le_NextRenewTime='1626975050'
Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
_init api for server: https://acme-v02.api.letsencrypt.org/directory
Retrying GET
GET
url='https://acme-v02.api.letsencrypt.org/directory'
timeout=
displayError='1'
_CURL='curl --silent --dump-header /usr/local/acme.sh/http.header-L-g '
ret='0'
_hcode='0'

Using CA: https://acme-v02.api.letsencrypt.org/directory
_on_before_issue
_chk_main_domain='cyber-reed.tech'
_chk_alt_domains
Le_LocalAddress
d='cyber-reed.tech'
Check for domain='cyber-reed.tech'
_currentRoot='/home/wwwroot/cyber-reed.tech'
d


d='cyber-reed.tech'
Getting webroot for domain='cyber-reed.tech'

ok, let's start to verify
Verifying: cyber-reed.tech
d='cyber-reed.tech'
keyauthorization='1i4RgbPWXUvt7oQw_FHHue5EaUMigZmiTys2BUZNvdE.o-M4cJadG0jy5rLhY8-5LxjHh1lNl6itN58glfOkiiA'
uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/55986915200/Npf6NA'
_currentRoot='/home/wwwroot/cyber-reed.tech'
wellknown_path='/home/wwwroot/cyber-reed.tech/.well-known/acme-challenge'
writing token:1i4RgbPWXUvt7oQw_FHHue5EaUMigZmiTys2BUZNvdE to /home/wwwroot/cyber-reed.tech/.well-known/acme-challenge/1i4RgbPWXUvt7oQw_FHHue5EaUMigZmiTys2BUZNvdE
Changing owner/group of .well-known to www:www


trigger validation code: 200
Pending, The CA is processing your order, please just wait. (1/30)
sleep 2 secs to verify again
checking

_post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/55986915200/Npf6NA'
_CURL='curl --silent --dump-header /usr/local/acme.sh/http.header-L-g '

code='200'
cyber-reed.tech:Verify error:Fetching https://cyber-reed.tech/.well-known/acme-challenge/1i4RgbPWXUvt7oQw_FHHue5EaUMigZmiTys2BUZNvdE: Connection refused
pid
No need to restore nginx, skip.
_clearupdns
dns_entries
skip dns.
_on_issue_err
Please check log file for more details: /usr/local/acme.sh/acme.sh.log
url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/55986915200/Npf6NA'
payload='{}'
Retrying post
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/55986915200/Npf6NA'
_CURL='curl --silent --dump-header /usr/local/acme.sh/http.header-L-g '
_ret='0'
_hcode='0'
code='400'
Return code: 1
Error renew cyber-reed.tech.
_error_level='1'
_set_level='2'
The NOTIFY_HOOK is empty, just return.
===End cron===

riddle posted on 2021-12-6 22:31:09

licess posted on 2021-12-5 09:34
It shows Connection refused, meaning Let's Encrypt cannot reach your website
For details you need to look at the full acme.sh.log
If Let's Encrypt ...

I read the notes on redirects in the link. It mentions that this setting does not apply to Let's Encrypt or other SSL certificates that require HTTP validation; if the DNS API method is used, this kind of setup can be used.

Could this be the cause of the problem? :'(

riddle posted on 2021-12-6 22:36:37

licess posted on 2021-12-5 09:34
It shows Connection refused, meaning Let's Encrypt cannot reach your website
For details you need to look at the full acme.sh.log
If Let's Encrypt ...

It seems so. I turned off the redirect and the renewal succeeded. Thank you very much... finally figured it out.

licess posted on 2021-12-7 08:54:29

riddle posted on 2021-12-6 22:31
I read the notes on redirects in the link. It mentions that this setting does not apply to Let's Encrypt or other SSL certificates that require HTTP validation; if ...

With HTTP validation you must configure it the Let's Encrypt way described in the 301 setup tutorial, otherwise the certificate cannot be renewed.
The DNS API method works as long as your domain's DNS provider supports an API.

riddle posted on 2022-6-14 23:02:46

licess posted on 2021-12-7 08:54
With HTTP validation you must configure it the Let's Encrypt way described in the 301 setup tutorial, otherwise the certificate cannot be renewed
The DNS API method works as long as your domain's DNS provider ...

Another question: I have now modified the configuration according to https://lnmp.org/faq/lnmp-nginx-301-rewrite.html and then tried to renew the certificate according to https://bbs.vpser.net/forum.php?mod=viewthread&tid=25435&highlight=SSL%E8%AF%81%E4%B9%A6, but it failed. It currently shows the following. How should I handle this:
===Starting cron===
Renew: 'cyber-reed.tech'
Renew to Le_API=https://acme.zerossl.com/v2/DV90
Using CA: https://acme.zerossl.com/v2/DV90
No EAB credentials found for ZeroSSL, let's get one
acme.sh is using ZeroSSL as default CA now.
Please update your account with an email address first.
acme.sh --register-account -m my@example.com
See: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
Please check log file for more details: /usr/local/acme.sh/acme.sh.log
Error renew cyber-reed.tech.
Renew: 'reedle.me'
Renew to Le_API=https://acme.zerossl.com/v2/DV90
Using CA: https://acme.zerossl.com/v2/DV90
No EAB credentials found for ZeroSSL, let's get one
acme.sh is using ZeroSSL as default CA now.
Please update your account with an email address first.
acme.sh --register-account -m my@example.com
See: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
Please check log file for more details: /usr/local/acme.sh/acme.sh.log
Error renew reedle.me.
===End cron===

riddle posted on 2022-6-14 23:09:20

licess posted on 2021-12-7 08:54
With HTTP validation you must configure it the Let's Encrypt way described in the 301 setup tutorial, otherwise the certificate cannot be renewed
The DNS API method works as long as your domain's DNS provider ...

Here is an excerpt from acme.sh.log:
di='/usr/local/nginx/conf/ssl/reedle.me/'
d='reedle.me'
_renewServer
Using config home:/usr/local/acme.sh
ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
DOMAIN_PATH='/usr/local/nginx/conf/ssl/reedle.me'
Renew: 'reedle.me'
Le_API='https://acme.zerossl.com/v2/DV90'
Renew to Le_API=https://acme.zerossl.com/v2/DV90
Using config home:/usr/local/acme.sh
ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
_main_domain='reedle.me'
_alt_domains='no'
Le_NextRenewTime='1643900827'
Using ACME_DIRECTORY: https://acme.zerossl.com/v2/DV90
_init api for server: https://acme.zerossl.com/v2/DV90
GET
url='https://acme.zerossl.com/v2/DV90'
timeout=
_CURL='curl --silent --dump-header /usr/local/acme.sh/http.header-L-g '
ret='0'
ACME_KEY_CHANGE='https://acme.zerossl.com/v2/DV90/keyChange'
ACME_NEW_AUTHZ
ACME_NEW_ORDER='https://acme.zerossl.com/v2/DV90/newOrder'
ACME_NEW_ACCOUNT='https://acme.zerossl.com/v2/DV90/newAccount'
ACME_REVOKE_CERT='https://acme.zerossl.com/v2/DV90/revokeCert'
ACME_AGREEMENT='https://secure.trust-provider.com/repository/docs/Legacy/20201020_Certificate_Subscriber_Agreement_v_2_4_click.pdf'
ACME_NEW_NONCE='https://acme.zerossl.com/v2/DV90/newNonce'
Using CA: https://acme.zerossl.com/v2/DV90
_on_before_issue
_chk_main_domain='reedle.me'
_chk_alt_domains
Le_LocalAddress
d='reedle.me'
Check for domain='reedle.me'
_currentRoot='/home/wwwroot/reedle.me'
d
config file is empty, can not read CA_KEY_HASH
Using config home:/usr/local/acme.sh
ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
_init api for server: https://acme.zerossl.com/v2/DV90
RSA key
config file is empty, can not read CA_EAB_KEY_ID
config file is empty, can not read CA_EAB_HMAC_KEY
config file is empty, can not read CA_EMAIL
No EAB credentials found for ZeroSSL, let's get one
acme.sh is using ZeroSSL as default CA now.
Please update your account with an email address first.
my@example.com
See: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
_on_issue_err
Please check log file for more details: /usr/local/acme.sh/acme.sh.log
Return code: 1
Error renew reedle.me.
_error_level='1'
_set_level='2'
The NOTIFY_HOOK is empty, just return.
===End cron===

riddle posted on 2022-6-14 23:14:58

licess posted on 2021-12-7 08:54
With HTTP validation you must configure it the Let's Encrypt way described in the 301 setup tutorial, otherwise the certificate cannot be renewed
The DNS API method works as long as your domain's DNS provider ...

Does this mean I need to register an account manually?
acme.sh --register-account -m my@example.com
Can I fill in any email address here?

riddle posted on 2022-6-14 23:31:37

licess posted on 2021-12-7 08:54
With HTTP validation you must configure it the Let's Encrypt way described in the 301 setup tutorial, otherwise the certificate cannot be renewed
The DNS API method works as long as your domain's DNS provider ...

Yes, after I set an email address it worked.

One more question: I set up the redirect according to the 301 guide
      location / {
            return 301 https://$host$request_uri;
      }

but when I visit the site, Chrome reports
This page isn't working. cyber-reed.tech redirected you too many times.
Try clearing your cookies.
ERR_TOO_MANY_REDIRECTS

Only after I commented this block out and changed the redirect back to return 301 https://cyber-reed.tech$request_uri; could the site be accessed normally.
Is there a good solution for this?
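As an added example (not code from this thread, from lnmp or from acme.sh), here is a small Python pre-flight check for the HTTP-01 webroot that reproduces the three symptoms seen above: the challenge path answering normally, a redirect that points back at itself (the ERR_TOO_MANY_REDIRECTS case), and a port that refuses connections (the "Connection refused" case). It writes a constructed token under <webroot>/.well-known/acme-challenge/ exactly where acme.sh writes its own, fetches it over plain HTTP while following redirects by hand, and classifies the outcome. The function names (fetch_chain, check_http01, demo), the built-in stand-in server and all sample values are hypothetical and constructed for the demo; it assumes Python 3.6+ and, for a real run, that the webroot you pass is the one acme.sh uses.

```python
"""Pre-flight check for an ACME HTTP-01 webroot (hypothetical helper, not part
of acme.sh, lnmp or nginx): drop a constructed token into
<webroot>/.well-known/acme-challenge/, fetch it like a CA would, classify."""
import http.client, os, secrets, socket, tempfile, threading, urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

REDIRECT_CODES = {301, 302, 303, 307, 308}

def fetch_chain(url, max_hops=10, timeout=5):
    """GET url following redirects by hand; returns (outcome, hops, body) where
    outcome is the final status code or 'connection-error' / 'redirect-loop' /
    'too-many-redirects'."""
    hops = []
    while len(hops) < max_hops:
        p = urllib.parse.urlsplit(url)
        secure = p.scheme == "https"
        cls = http.client.HTTPSConnection if secure else http.client.HTTPConnection
        conn = cls(p.hostname, p.port or (443 if secure else 80), timeout=timeout)
        try:
            conn.request("GET", p.path or "/", headers={"Host": p.hostname})
            resp = conn.getresponse()
            body = resp.read()
        except OSError as exc:  # ECONNREFUSED, DNS failure, timeout, TLS error
            return "connection-error", hops + [url], str(exc)
        finally:
            conn.close()
        hops.append(url)
        if resp.status not in REDIRECT_CODES:
            return str(resp.status), hops, body
        url = urllib.parse.urljoin(url, resp.getheader("Location") or "")
        if url in hops:  # a 301 that points back at itself
            return "redirect-loop", hops + [url], None
    return "too-many-redirects", hops, None

def check_http01(webroot, base_url):
    """Write a token file where acme.sh writes its own and try to fetch it."""
    token = secrets.token_urlsafe(32)
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    with open(path, "w") as fh:
        fh.write(token)
    try:
        outcome, hops, body = fetch_chain(f"{base_url}/.well-known/acme-challenge/{token}")
    finally:
        os.remove(path)
    if outcome == "200":
        if body != token.encode():
            return "wrong-content"  # something else answered, e.g. an index page
        return "ok" if len(hops) == 1 else "ok-after-redirect"
    return outcome

class _NginxStandIn(BaseHTTPRequestHandler):
    """Constructed stand-in for the vhost above: the challenge path is served
    from the webroot, everything else is redirected to HTTPS, and /loop
    reproduces a redirect that points back at itself."""
    webroot = None

    def do_GET(self):
        clean = os.path.normpath(self.path.split("?", 1)[0])  # no '..' escapes
        if clean.startswith("/.well-known/acme-challenge/"):
            fs_path = os.path.join(self.webroot, clean.lstrip("/"))
            if not os.path.isfile(fs_path):
                return self.send_error(404)
            with open(fs_path, "rb") as fh:
                data = fh.read()
            self.send_response(200)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        else:
            target = "/loop" if clean == "/loop" else "https://example.invalid" + clean
            self.send_response(301)
            self.send_header("Location", target)
            self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass

def start_stand_in(webroot):
    """Serve webroot on an ephemeral localhost port; returns (server, base_url)."""
    handler = type("Handler", (_NginxStandIn,), {"webroot": webroot})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

def demo():
    """Run the three checks against the stand-in and return their outcomes."""
    with tempfile.TemporaryDirectory() as root:
        srv, base = start_stand_in(root)
        closed = socket.socket()
        closed.bind(("127.0.0.1", 0))
        port = closed.getsockname()[1]
        closed.close()  # nothing listens here now: same symptom as the thread
        results = {
            "challenge": check_http01(root, base),          # ok
            "loop": fetch_chain(base + "/loop")[0],         # redirect-loop
            "refused": fetch_chain(f"http://127.0.0.1:{port}/")[0],  # connection-error
        }
        srv.shutdown()
        srv.server_close()
        return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>9}: {outcome}")
```

Against a real server you would call check_http01("/home/wwwroot/cyber-reed.tech", "http://cyber-reed.tech") from the box itself before running acme.sh --cron; anything other than "ok" or "ok-after-redirect" means the CA will fail the same way, and the recorded hops show which server block or location sent the redirect. The stand-in's do_GET mirrors the shape the 301 tutorial asks for: the acme-challenge location is matched first and served from the webroot, and only the remaining traffic is redirected.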

licess posted on 2022-6-15 09:47:20

riddle posted on 2022-6-14 23:31
Yes, after I set an email address it worked.

One more question: I set up the redirect according to the 301 guide


Post the complete configuration file so I can take a look.