VPS侦探论坛
Views: 295 | Replies: 7

lnmp1.7: automatic renewal of the Let's Encrypt domain SSL certificate fails

Posted 2021-12-4 21:56:32



Hello, I added the certificate during lnmp vhost add, but after it expired it was never renewed. I read the posts on this forum and followed https://bbs.vpser.net/forum.php? ... L%E8%AF%81%E4%B9%A6, but the last step reports:
[Sat 04 Dec 2021 09:47:29 PM CST] ===Starting cron===
[Sat 04 Dec 2021 09:47:29 PM CST] Renew: 'cyber-reed.tech'
[Sat 04 Dec 2021 09:47:29 PM CST] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sat 04 Dec 2021 09:47:30 PM CST] Single domain='cyber-reed.tech'
[Sat 04 Dec 2021 09:47:30 PM CST] Getting domain auth token for each domain
[Sat 04 Dec 2021 09:47:32 PM CST] Getting webroot for domain='cyber-reed.tech'
[Sat 04 Dec 2021 09:47:32 PM CST] Verifying: cyber-reed.tech
[Sat 04 Dec 2021 09:47:33 PM CST] Pending, The CA is processing your order, please just wait. (1/30)
[Sat 04 Dec 2021 09:47:36 PM CST] cyber-reed.tech:Verify error:Fetching https://cyber-reed.tech/.well-known/acme-challenge/jYY3XVmM1kdi0Wh9tYgL4d0RWGb85hQmLv_vIBKQjEA: Connection refused
[Sat 04 Dec 2021 09:47:36 PM CST] Please check log file for more details: /usr/local/acme.sh/acme.sh.log
[Sat 04 Dec 2021 09:47:36 PM CST] Error renew cyber-reed.tech.
[Sat 04 Dec 2021 09:47:36 PM CST] ===End cron===

Then I found https://bbs.vpser.net/forum.php? ... L%E8%AF%81%E4%B9%A6 and checked /usr/local/nginx/conf# cat nginx.conf:
        location ~ /.well-known {
            allow all;
        }

        location ~ /\.
        {
            deny all;
        }

        access_log  /home/wwwlogs/access.log;
    }

It looks fine to me. How should I handle this? Forgive me, I have never looked into this area.
Original poster (riddle) | Posted 2021-12-4 22:08:23


One more question: is manual renewal done with /usr/local/acme.sh/acme.sh --upgrade? I ran it successfully, but refreshing the site still shows the certificate as expired.
licess | Posted 2021-12-5 09:34:04



It shows Connection refused: Let's Encrypt cannot reach your site.
For the details you need to look at the complete acme.sh.log.
If you want a 301 redirect together with a free SSL certificate from letsencrypt, zerossl or buypass, you must follow the instructions at https://lnmp.org/faq/lnmp-nginx-301-rewrite.html
Original poster (riddle) | Posted 2021-12-6 22:19:11



licess posted on 2021-12-5 09:34:
It shows Connection refused: Let's Encrypt cannot reach your site.
For the details you need to look at the complete acme.sh.log.
If letsencrypt ...

I did set up a redirect, in the site's own configuration: /usr/local/nginx/conf/vhost/cyber-reed.tech.conf
server
    {
        listen 80;
        #listen [::]:80;
        server_name cyber-reed.tech;
        return 301 https://cyber-reed.tech$request_uri;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/cyber-reed.tech;

        include rewrite/typecho.conf;
        #error_page   404   /404.html;

        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

        include enable-php-pathinfo.conf;

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        location ~ /.well-known {
            allow all;
        }

        location ~ /\.
        {
            deny all;
        }

        access_log  /home/wwwlogs/cyber-reed.tech.log;
    }

server
    {
        listen 443 ssl http2;
        #listen [::]:443 ssl http2;
        server_name cyber-reed.tech ;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/cyber-reed.tech;

        ssl_certificate /usr/local/nginx/conf/ssl/cyber-reed.tech/fullchain.cer;
        ssl_certificate_key /usr/local/nginx/conf/ssl/cyber-reed.tech/cyber-reed.tech.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "TLS1XXXX";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
        ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

        include rewrite/typecho.conf;
        #error_page   404   /404.html;

        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

        include enable-php-pathinfo.conf;

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        location ~ /.well-known {
            allow all;
        }

        location ~ /\.
        {
            deny all;
        }

        access_log  /home/wwwlogs/cyber-reed.tech.log;
    }

I then looked at acme.sh.log; apart from the Connection refused shown above I saw no other error. I have no idea where to go from here.

I am attaching the complete log separately.
Original poster (riddle) | Posted 2021-12-6 22:26:35

The complete log is rather long, so I cut out a portion:
[Mon 06 Dec 2021 10:04:16 PM CST] ===Starting cron===
[Mon 06 Dec 2021 10:04:16 PM CST] Using config home:/usr/local/acme.sh
[Mon 06 Dec 2021 10:04:16 PM CST] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Mon 06 Dec 2021 10:04:16 PM CST] _stopRenewOnError
[Mon 06 Dec 2021 10:04:16 PM CST] _set_level='2'
[Mon 06 Dec 2021 10:04:16 PM CST] di='/usr/local/nginx/conf/ssl/cyber-reed.tech/'
[Mon 06 Dec 2021 10:04:16 PM CST] d='cyber-reed.tech'
[Mon 06 Dec 2021 10:04:16 PM CST] Using config home:/usr/local/acme.sh
[Mon 06 Dec 2021 10:04:16 PM CST] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Mon 06 Dec 2021 10:04:16 PM CST] DOMAIN_PATH='/usr/local/nginx/conf/ssl/cyber-reed.tech'
[Mon 06 Dec 2021 10:04:16 PM CST] Renew: 'cyber-reed.tech'
[Mon 06 Dec 2021 10:04:16 PM CST] Le_API='https://acme-v02.api.letsencrypt.org/directory'
[Mon 06 Dec 2021 10:04:16 PM CST] Using config home:/usr/local/acme.sh
[Mon 06 Dec 2021 10:04:16 PM CST] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Mon 06 Dec 2021 10:04:16 PM CST] _main_domain='cyber-reed.tech'
[Mon 06 Dec 2021 10:04:16 PM CST] _alt_domains='no'
[Mon 06 Dec 2021 10:04:16 PM CST] Le_NextRenewTime='1626975050'
[Mon 06 Dec 2021 10:04:17 PM CST] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Mon 06 Dec 2021 10:04:17 PM CST] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Mon 06 Dec 2021 10:04:17 PM CST] Retrying GET
[Mon 06 Dec 2021 10:04:17 PM CST] GET
[Mon 06 Dec 2021 10:04:17 PM CST] url='https://acme-v02.api.letsencrypt.org/directory'
[Mon 06 Dec 2021 10:04:17 PM CST] timeout=
[Mon 06 Dec 2021 10:04:17 PM CST] displayError='1'
[Mon 06 Dec 2021 10:04:17 PM CST] _CURL='curl --silent --dump-header /usr/local/acme.sh/http.header  -L  -g '
[Mon 06 Dec 2021 10:04:17 PM CST] ret='0'
[Mon 06 Dec 2021 10:04:17 PM CST] _hcode='0'

[Mon 06 Dec 2021 10:04:17 PM CST] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon 06 Dec 2021 10:04:17 PM CST] _on_before_issue
[Mon 06 Dec 2021 10:04:17 PM CST] _chk_main_domain='cyber-reed.tech'
[Mon 06 Dec 2021 10:04:17 PM CST] _chk_alt_domains
[Mon 06 Dec 2021 10:04:17 PM CST] Le_LocalAddress
[Mon 06 Dec 2021 10:04:17 PM CST] d='cyber-reed.tech'
[Mon 06 Dec 2021 10:04:17 PM CST] Check for domain='cyber-reed.tech'
[Mon 06 Dec 2021 10:04:17 PM CST] _currentRoot='/home/wwwroot/cyber-reed.tech'
[Mon 06 Dec 2021 10:04:17 PM CST] d


[Mon 06 Dec 2021 10:04:20 PM CST] d='cyber-reed.tech'
[Mon 06 Dec 2021 10:04:20 PM CST] Getting webroot for domain='cyber-reed.tech'

[Mon 06 Dec 2021 10:04:20 PM CST] ok, let's start to verify
[Mon 06 Dec 2021 10:04:20 PM CST] Verifying: cyber-reed.tech
[Mon 06 Dec 2021 10:04:20 PM CST] d='cyber-reed.tech'
[Mon 06 Dec 2021 10:04:20 PM CST] keyauthorization='1i4RgbPWXUvt7oQw_FHHue5EaUMigZmiTys2BUZNvdE.o-M4cJadG0jy5rLhY8-5LxjHh1lNl6itN58glfOkiiA'
[Mon 06 Dec 2021 10:04:20 PM CST] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/55986915200/Npf6NA'
[Mon 06 Dec 2021 10:04:20 PM CST] _currentRoot='/home/wwwroot/cyber-reed.tech'
[Mon 06 Dec 2021 10:04:20 PM CST] wellknown_path='/home/wwwroot/cyber-reed.tech/.well-known/acme-challenge'
[Mon 06 Dec 2021 10:04:20 PM CST] writing token:1i4RgbPWXUvt7oQw_FHHue5EaUMigZmiTys2BUZNvdE to /home/wwwroot/cyber-reed.tech/.well-known/acme-challenge/1i4RgbPWXUvt7oQw_FHHue5EaUMigZmiTys2BUZNvdE
[Mon 06 Dec 2021 10:04:20 PM CST] Changing owner/group of .well-known to www:www


[Mon 06 Dec 2021 10:04:20 PM CST] trigger validation code: 200
[Mon 06 Dec 2021 10:04:21 PM CST] Pending, The CA is processing your order, please just wait. (1/30)
[Mon 06 Dec 2021 10:04:21 PM CST] sleep 2 secs to verify again
[Mon 06 Dec 2021 10:04:23 PM CST] checking

[Mon 06 Dec 2021 10:04:23 PM CST] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/55986915200/Npf6NA'
[Mon 06 Dec 2021 10:04:23 PM CST] _CURL='curl --silent --dump-header /usr/local/acme.sh/http.header  -L  -g '

[Mon 06 Dec 2021 10:04:23 PM CST] code='200'
[Mon 06 Dec 2021 10:04:23 PM CST] cyber-reed.tech:Verify error:Fetching https://cyber-reed.tech/.well-known/acme-challenge/1i4RgbPWXUvt7oQw_FHHue5EaUMigZmiTys2BUZNvdE: Connection refused
[Mon 06 Dec 2021 10:04:23 PM CST] pid
[Mon 06 Dec 2021 10:04:23 PM CST] No need to restore nginx, skip.
[Mon 06 Dec 2021 10:04:23 PM CST] _clearupdns
[Mon 06 Dec 2021 10:04:23 PM CST] dns_entries
[Mon 06 Dec 2021 10:04:23 PM CST] skip dns.
[Mon 06 Dec 2021 10:04:23 PM CST] _on_issue_err
[Mon 06 Dec 2021 10:04:23 PM CST] Please check log file for more details: /usr/local/acme.sh/acme.sh.log
[Mon 06 Dec 2021 10:04:23 PM CST] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/55986915200/Npf6NA'
[Mon 06 Dec 2021 10:04:23 PM CST] payload='{}'
[Mon 06 Dec 2021 10:04:23 PM CST] Retrying post
[Mon 06 Dec 2021 10:04:23 PM CST] POST
[Mon 06 Dec 2021 10:04:23 PM CST] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/55986915200/Npf6NA'
[Mon 06 Dec 2021 10:04:23 PM CST] _CURL='curl --silent --dump-header /usr/local/acme.sh/http.header  -L  -g '
[Mon 06 Dec 2021 10:04:24 PM CST] _ret='0'
[Mon 06 Dec 2021 10:04:24 PM CST] _hcode='0'
[Mon 06 Dec 2021 10:04:24 PM CST] code='400'
[Mon 06 Dec 2021 10:04:24 PM CST] Return code: 1
[Mon 06 Dec 2021 10:04:24 PM CST] Error renew cyber-reed.tech.
[Mon 06 Dec 2021 10:04:24 PM CST] _error_level='1'
[Mon 06 Dec 2021 10:04:24 PM CST] _set_level='2'
[Mon 06 Dec 2021 10:04:24 PM CST] The NOTIFY_HOOK is empty, just return.
[Mon 06 Dec 2021 10:04:24 PM CST] ===End cron===


Original poster (riddle) | Posted 2021-12-6 22:31:09

licess posted on 2021-12-5 09:34:
It shows Connection refused: Let's Encrypt cannot reach your site.
For the details you need to look at the complete acme.sh.log.
If letsencrypt ...

I read the notes on redirects in that link. It says this setting does not apply to Let's Encrypt or to other SSL certificates that require HTTP validation, and that it can be used if you use the DNS API method.

Is this the cause of the problem?
Original poster (riddle) | Posted 2021-12-6 22:36:37

licess posted on 2021-12-5 09:34:
It shows Connection refused: Let's Encrypt cannot reach your site.
For the details you need to look at the complete acme.sh.log.
If letsencrypt ...

It seems so: after I turned off the redirect it succeeded. Many thanks... finally figured it out.
licess | Posted 2021-12-7 08:54:29



riddle posted on 2021-12-6 22:31:
I read the notes on redirects in that link. It says this setting does not apply to Let's Encrypt or to other SSL certificates that require HTTP validation; if you use ...

With HTTP validation you must configure it the Let's Encrypt way described in the 301 setup tutorial, otherwise renewal is not possible.
The DNS API method works as long as your domain's DNS provider supports the API.
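As an added example (this is not the thread's configuration, not LNMP's vhost template, and not copied from the lnmp.org tutorial linked above), here is one way to lay out the port-80 server block for cyber-reed.tech so that HTTP-01 validation keeps working while every other request is still redirected to HTTPS. The 443 server block from the earlier post stays exactly as posted; the paths below are the ones from the poster's own vhost file. The acme.sh log in the thread shows why this matters: the CA's plain-HTTP fetch of /.well-known/acme-challenge/<token> was redirected to https:// and the HTTPS connection was then refused, so the token file was never read.

```nginx
# Added example, not the thread's original vhost. Port-80 server for
# cyber-reed.tech: serve the ACME HTTP-01 challenge directory over plain
# HTTP and redirect everything else to HTTPS. The 443 block is unchanged.
server
    {
        listen 80;
        server_name cyber-reed.tech;
        root  /home/wwwroot/cyber-reed.tech;

        # "^~" is a prefix match that stops regex locations from being
        # evaluated for this path, so neither a catch-all redirect nor a
        # "location ~ /\." deny rule can intercept the token that acme.sh
        # writes to /home/wwwroot/cyber-reed.tech/.well-known/acme-challenge/.
        location ^~ /.well-known/acme-challenge/ {
            default_type "text/plain";
            try_files $uri =404;
        }

        # Everything else goes to HTTPS. Keeping "return 301" inside a
        # location block is the point: a server-level "return 301", as in
        # the posted vhost, runs before location matching, so the challenge
        # request is redirected as well.
        location / {
            return 301 https://cyber-reed.tech$request_uri;
        }

        access_log  /home/wwwlogs/cyber-reed.tech.log;
    }
```

Only the challenge location and the redirect live in the port-80 block; the PHP include and the static-file `expires` locations from the posted vhost are deliberately left out, because a regex location such as `~ .*\.(js|css)?$` takes precedence over `location /` and would make those requests answerable over plain HTTP instead of being redirected. After `nginx -t` and a reload, a request such as `curl -sI http://cyber-reed.tech/.well-known/acme-challenge/probe` for a token that does not exist should come back as a 404 rather than a 301; only once that is the case is a renewal worth retrying.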