
Subject: Where can I find a tutorial on configuring Let's Encrypt?

Author: Tomcat    Time: 2017-10-12 15:49     Subject: Where can I find a tutorial on configuring Let's Encrypt?

During the vhost add step I already enabled Let's Encrypt, and now I want this site to be reachable over https. What do I need to configure next? This is the Apache service. According to tutorials online, with nginx the browser can access https directly once Let's Encrypt is selected in vhost add, but with my Apache setup it doesn't work.
I have also already added the 443 inbound rule.

After running ssl add, it reports the following error:
The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for xxx.xxx.xxx (I hid the domain name)



[ This post was last edited by Tomcat on 2017-10-12 16:18 ]
Author: Tomcat    Time: 2017-10-12 15:50

How do I generate the certificate for this domain?
Author: licess    Time: 2017-10-12 19:19

If you selected letsencrypt, it is generated automatically.
I suggest posting the output from when you added it, so we can check whether the SSL certificate was actually added and generated.
Exactly what is wrong depends on the error message you get when accessing the site.
Run netstat -ntl to check whether port 443 is listening.
Confirm that both the system firewall and the provider's firewall have a rule allowing 443.
Author: Tomcat    Time: 2017-10-12 21:10     Subject: Reply to post #3

Jun-ge! Hello, and thanks for the reply!
Here is the current situation. We have a load balancer machine in front, which distributes traffic to the application servers behind it.
The domain's A record points to the load balancer's IP.
I am now adding SSL on the application server, and the output is as follows (domain hidden):
Using the webroot path /home/wwwroot/camera/apps/default/public for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.xxx.xx (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for www.xxx.xx

IMPORTANT NOTES:
- The following errors were reported by the server:

   Domain: www.xxx.xx
   Type:   connection
   Detail: DNS problem: SERVFAIL looking up A for www.xxx.xx

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
Let's Encrypt SSL Certificate create failed!

[ This post was last edited by Tomcat on 2017-10-12 22:10 ]
Author: Tomcat    Time: 2017-10-12 22:06

Quote:
Originally posted by Tomcat on 2017-10-12 21:10
Jun-ge! Hello, and thanks for the reply!
Here is the current situation. We have a load balancer machine in front, which distributes traffic to the application servers behind it.
The domain's A record points to the load balancer's IP.
I am now adding SSL on the application server, and the output is as follows (domain hi ...
Earlier I thought it couldn't be generated because the A record points to the load balancer IP.
Now I'm not using the load balancer at all; I pointed the domain directly to the application server and ran ssl add on that machine, and it reports exactly the same error:
Failed authorization procedure. www.xx.xx (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for www.xx.xx

IMPORTANT NOTES:
- The following errors were reported by the server:

   Domain: www.xx.xx
   Type:   connection
   Detail: DNS problem: SERVFAIL looking up A for www.xx.xx

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
Let's Encrypt SSL Certificate create failed!

--------------------
Now it has started reporting the following error:
There were too many requests of a given type :: Error creating new authz :: Too many invalid authorizations recently.
Please see the logfiles in /var/log/letsencrypt for more details.
Let's Encrypt SSL Certificate create failed!

I saw in this link that it might be an IPv6 issue; I followed the steps to disable it first, but I still get this error. I wonder whether I've made too many attempts and been rate limited: http://www.vpser.net/build/letsencrypt-free-ssl.html

[ This post was last edited by Tomcat on 2017-10-12 22:53 ]
Author: Tomcat    Time: 2017-10-12 23:36

Quote:
Originally posted by licess on 2017-10-12 19:19
If you selected letsencrypt, it is generated automatically.
I suggest posting the output from when you added it, so we can check whether the SSL certificate was actually added and generated.
Exactly what is wrong depends on the error message you get when accessing the site.
Run netstat -ntl to check whether port 443 is listening.
Confirm that both the system firewall and the provider's firewall have a rule allowing 443 ...
Confirmed the firewall is not enabled.
All server-side rules were also removed, and all ports were opened.
The error reported is still (domain hidden):
Code:
Failed authorization procedure. www.xx.xx (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for www.xx.xx

IMPORTANT NOTES:
- The following errors were reported by the server:

   Domain: www.xx.xx
   Type:   connection
   Detail: DNS problem: SERVFAIL looking up A for www.xx.xx

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
Let's Encrypt SSL Certificate create failed!

Author: licess    Time: 2017-10-13 10:19

Since the SSL certificate was never generated properly earlier, the related config files certainly weren't generated either, and so there is certainly nothing on port 443.


Too many invalid authorizations recently. means you have exceeded the number of allowed attempts.

The domain must resolve to the host on which you are adding SSL for the verification file to be validated correctly. The basic log shown by default isn't enough to be sure; check /var/log/letsencrypt/letsencrypt.log to confirm whether the resolved IP is correct.
Also, which provider's DNS servers is your domain using? Some DNS servers are not supported either.
Author: Tomcat    Time: 2017-10-13 11:07
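To act on the advice above about reading letsencrypt.log, here is an added example (not LNMP or certbot code) that pulls the authorization JSON out of a log excerpt and reports which addresses the CA resolved for the http-01 challenge and whether they match the host running ssl add; the log excerpt, domain and IP address are constructed placeholders.

```python
"""Read the authz JSON certbot writes to letsencrypt.log and explain an http-01
failure. Added example for this thread, not LNMP or certbot code; the log
excerpt, domain and IP are constructed placeholders."""
import json

# Constructed excerpt in the shape of certbot's "Received response" log entry.
SAMPLE_LOG = '''2017-10-13 03:00:06,286:DEBUG:acme.client:Received response:
{"identifier": {"type": "dns", "value": "www.example.invalid"},
 "status": "invalid",
 "challenges": [
  {"type": "dns-01", "status": "pending"},
  {"type": "http-01", "status": "invalid",
   "error": {"type": "urn:acme:error:unknownHost", "status": 400,
             "detail": "No valid IP addresses found for www.example.invalid"},
   "validationRecord": [{"hostname": "www.example.invalid", "port": "80",
                         "addressesResolved": [], "addressUsed": ""}]}]}
2017-10-13 03:00:06,287:INFO:certbot.auth_handler:Cleaning up challenges
'''

def extract_authz(log_text):
    """Return every authorization object embedded in the log text."""
    decoder, found, pos = json.JSONDecoder(), [], 0
    while True:
        start = log_text.find('{', pos)
        if start < 0:
            return found
        try:
            obj, used = decoder.raw_decode(log_text[start:])
        except json.JSONDecodeError:  # a '{' that does not start valid JSON
            pos = start + 1
            continue
        if isinstance(obj, dict) and all(k in obj for k in ('identifier', 'challenges')):
            found.append(obj)
        pos = start + used  # skip the whole object, nested braces included

def diagnose(authz, this_host_ip):
    """Compare the addresses the CA resolved for the domain with this host's IP."""
    http01 = next((c for c in authz['challenges'] if c['type'] == 'http-01'), {})
    resolved = [a for rec in http01.get('validationRecord', [])
                for a in rec.get('addressesResolved', [])]
    if http01.get('status') != 'invalid':
        hint = ''
    elif not resolved:
        hint = 'CA resolved no A/AAAA record; fix DNS before retrying (each retry counts toward the rate limit)'
    elif this_host_ip not in resolved:
        hint = 'domain resolves to %s, not this host; point the A record here or add SSL there' % ', '.join(resolved)
    else:
        hint = 'DNS is correct; check port 80, firewalls and the webroot path instead'
    return {'domain': authz['identifier']['value'], 'status': http01.get('status', 'missing'),
            'error_type': http01.get('error', {}).get('type', ''), 'resolved': resolved, 'hint': hint}
```

Run it against the real file with `diagnose(a, '<this host IP>') for a in extract_authz(open('/var/log/letsencrypt/letsencrypt.log').read())`; an empty `resolved` list means the CA never found an A/AAAA record, which is what the posted log shows.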

Quote:
Originally posted by licess on 2017-10-13 10:19
Since the SSL certificate was never generated properly earlier, the related config files certainly weren't generated either, and so there is certainly nothing on port 443.


Too many invalid authorizations recently. means you have exceeded the number of allowed attempts.

The domain must resolve to the host on which you are adding SSL for the verification file to be validated correctly. The basic log shown by default ...
The DNS is Oray (花生壳) DNS. If I need to switch DNS, is there one you would recommend? I'll try changing it. The log is below. Thanks, Jun-ge, for answering while you're busy, thank you!
Code:
2017-10-13 02:59:59,326:DEBUG:acme.client:Storing nonce: J0p07C3BRiRV8JZFesh-GTu37lQG3tiz3gyypZf7_o4
2017-10-13 03:00:02,330:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/PPauEXZ6fp6TSmIMXjepkPCgZwTGaBtgDTfz-MSaFHM.
2017-10-13 03:00:02,680:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /acme/authz/PPauEXZ6fp6TSmIMXjepkPCgZwTGaBtgDTfz-MSaFHM HTTP/1.1" 200 1109
2017-10-13 03:00:02,681:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1109
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: Ae0Tj-8El9qugamIS6cBp8j3_EFw5cmsq5GwtgjQDvg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 13 Oct 2017 03:00:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 13 Oct 2017 03:00:02 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "www.camrent.cc"
  },
  "status": "pending",
  "expires": "2017-10-20T02:59:58Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/PPauEXZ6fp6TSmIMXjepkPCgZwTGaBtgDTfz-MSaFHM/2193144211",
      "token": "w6GJLQlEpBoFSWEecl26js8_DbEFYiPJeEEsiMrGLeE"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/PPauEXZ6fp6TSmIMXjepkPCgZwTGaBtgDTfz-MSaFHM/2193144212",
      "token": "82cnk26eMPtjirtomDsBYycfldtGtRkeWIZMspUQV-Y",
      "keyAuthorization": "82cnk26eMPtjirtomDsBYycfldtGtRkeWIZMspUQV-Y.4qDzOoz-1dt3mm5aDEmrZjsyWm5-BKLjYuqPpphM6k8"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/PPauEXZ6fp6TSmIMXjepkPCgZwTGaBtgDTfz-MSaFHM/2193144213",
      "token": "YNDsAK5n1Mvc6Q9QRcY3d1NxkcXKC-X7dTQfdIQDyps"
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      1
    ],
    [
      2
    ]
  ]
}
2017-10-13 03:00:05,685:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/PPauEXZ6fp6TSmIMXjepkPCgZwTGaBtgDTfz-MSaFHM.
2017-10-13 03:00:06,285:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /acme/authz/PPauEXZ6fp6TSmIMXjepkPCgZwTGaBtgDTfz-MSaFHM HTTP/1.1" 200 1600
2017-10-13 03:00:06,286:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1600
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: 9TdwJCQS48Dfi7lNa4AN5RQPogavKGCIE99KdPQTXck
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 13 Oct 2017 03:00:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 13 Oct 2017 03:00:06 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "www.camrent.cc"
  },
  "status": "invalid",
  "expires": "2017-10-20T02:59:58Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/PPauEXZ6fp6TSmIMXjepkPCgZwTGaBtgDTfz-MSaFHM/2193144211",
      "token": "w6GJLQlEpBoFSWEecl26js8_DbEFYiPJeEEsiMrGLeE"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:unknownHost",
        "detail": "No valid IP addresses found for www.camrent.cc",
        "status": 400
      },
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/PPauEXZ6fp6TSmIMXjepkPCgZwTGaBtgDTfz-MSaFHM/2193144212",
      "token": "82cnk26eMPtjirtomDsBYycfldtGtRkeWIZMspUQV-Y",
      "keyAuthorization": "82cnk26eMPtjirtomDsBYycfldtGtRkeWIZMspUQV-Y.4qDzOoz-1dt3mm5aDEmrZjsyWm5-BKLjYuqPpphM6k8",
      "validationRecord": [
        {
          "url": "http://www.camrent.cc/.well-known/acme-challenge/82cnk26eMPtjirtomDsBYycfldtGtRkeWIZMspUQV-Y",
          "hostname": "www.camrent.cc",
          "port": "80",
          "addressesResolved": [],
          "addressUsed": "",
          "addressesTried": []
        }
      ]
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/PPauEXZ6fp6TSmIMXjepkPCgZwTGaBtgDTfz-MSaFHM/2193144213",
      "token": "YNDsAK5n1Mvc6Q9QRcY3d1NxkcXKC-X7dTQfdIQDyps"
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      1
    ],
    [
      2
    ]
  ]
}
2017-10-13 03:00:06,287:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: www.camrent.cc
Type:   unknownHost
Detail: No valid IP addresses found for www.camrent.cc

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2017-10-13 03:00:06,287:INFO:certbot.auth_handler:Cleaning up challenges
2017-10-13 03:00:06,287:DEBUG:certbot.plugins.webroot:Removing /home/wwwroot/camera/apps/default/public/.well-known/acme-challenge/82cnk26eMPtjirtomDsBYycfldtGtRkeWIZMspUQV-Y
2017-10-13 03:00:06,288:DEBUG:certbot.plugins.webroot:All challenges cleaned up, removing /home/wwwroot/camera/apps/default/public/.well-known/acme-challenge
2017-10-13 03:00:06,288:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 861, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 786, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 85, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 357, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 318, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 81, in get_authorizations
    self._respond(resp, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 138, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 202, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. www.camrent.cc (http-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for www.camrent.cc
[ This post was last edited by Tomcat on 2017-10-13 11:10 ]
Author: licess    Time: 2017-10-13 18:42     Subject: Reply to post #8

From the above, it looks like no IP was resolved; try switching the domain to a different DNS provider.




Welcome to VPS侦探论坛 (http://bbs.vpser.net/) Powered by Discuz! 6.0.0