Certbot 申請 SSL certificate 錯誤問題
今天幫好友處理 Certbot 的問題,這伺服器上已經申請過一個,這次要申請另一個域名,卻怎麼樣都會出現「The client lacks sufficient authorization」的錯誤,試了一些時間總算完成。
Certbot 真的是個方便的東西,記得很久以前小蛙架部落格剛要轉 https 的時候,還要去 SSL for Free 網站手動申請及安裝(可參考這邊),SSL for Free 的好處是申請 SSL 完全免費,但是有一個缺點是每三個月必須自己手動去更新(renew),小蛙用了一段時間後發現,原來有 Certbot 這麼方便又好用的東西,之後有機會再來介紹這個,今天這篇只是要記錄使用 certbot 錯誤的解決方法。
是這樣的,在 Ubuntu 可以直接透過 certbot 申請 SSL 憑證,也包含了自動更新的功能,但是小蛙要申請一個新的網域的時候,卻發生了下列錯誤
root@lc:/home/sysadm# certbot certonly --apache Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator apache, Installer apache Which names would you like to activate HTTPS for? 1: mydomain.com Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1 Obtaining a new certificate Performing the following challenges: http-01 challenge for mydomain.com Waiting for verification… Cleaning up challenges Failed authorization procedure. mydomain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.com/.well-known/acme-challenge/xxxxxx [xxx.xxx.xxx.xxx]: "\n\n404 Not Found\n\n Not Found \n<p" IMPORTANT NOTES: The following errors were reported by the server: Domain: mydomain.com Type: unauthorized Detail: Invalid response from http://mydomain.com/.well-known/acme-challenge/xxxx [xxx.xxx.xxx.xxx]: "\n\n404 Not Found\n\n Not Found \n<p" To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
裡面看到幾個關鍵「Failed authorization procedure」、「unauthorized」、「Invalid response from」、「The client lacks sufficient authorization」
第一直覺是檔案連不到,但直接連 http://mydomain.com/.well-known/acme-challenge/xxxxxx 又沒有問題,看到朋友的主機有一堆奇怪的 site 設定檔,先清一清看看,嗯 ~ 好,沒有反應,錯誤還是存在。
一直發生上面的錯誤,不斷測試不斷重試,結果得到下面的錯誤 … (嗚嗚嗚)
root@lc:/etc/apache2/sites-enabled# certbot --apache Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator apache, Installer apache Which names would you like to activate HTTPS for? 1: mydomain.com Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1 Obtaining a new certificate An unexpected error occurred: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/ Please see the logfiles in /var/log/letsencrypt for more details.
進去錯誤訊息給的連結後,裡面有一段話寫著「我們還有網域驗證失敗限制,對於每個帳號每域名每小時 5 次的限制。在測試環境中並沒有那麼嚴格的限制,因此你可以使用測試環境來針對連線問題除錯。」
額外得知原來加了--dry-run就是測試環境,只會用來測試並不會真正儲存申請的憑證,而且限制比較沒那麼嚴格,如果是要測試為什麼申請失敗只要加上--dry-run,確定都沒有問題後才透過正式環境申請。小蛙這邊超過了每小時五次的限制,只能等到先用--dry-run來測試,等 unban 之後再到正式環境申請了。
經過重重困難後,決定一個參數一個參數試試看,於是試出了
root@lc:/var/www/html# certbot certonly --webroot -w /var/www/html/ -d mydomain.com Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator webroot, Installer None Obtaining a new certificate Performing the following challenges: http-01 challenge for mydomain.com Using the webroot path /var/www/html for all unmatched domains. Waiting for verification… Cleaning up challenges IMPORTANT NOTES: Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/mydomain.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/mydomain.com/privkey.pem Your cert will expire on 2021-09-19. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew all of your certificates, run "certbot renew" If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
終於,加上了--webroot -w /var/www/html/之後就成功了 ~ 看起來可能是.well-known/acme-challenge/xxxxxxx的預設路徑不知道為什麼不在目前使用的目錄,導致驗證的時候會抓不到產生的驗證檔案而噴錯,加入該設定之後就完成了,這篇文章留給有需要的朋友 ~
網站架設系列文章:
- 盤點那些曾經陪伴過小蛙的 VPS 虛擬主機
- 如何挑選 VPS + 最划算的買法
- 手把手教你如何購買 VPS
- 第一次買 KVM 虛擬主機
- 血的教訓 – HiFormance 跑路了 …
- 為自己申請一個域名 – HiNet 為例
- Cloudflare – 超強大的免費 CDN (?)
- 使用 Cloudflare 代管你的域名
- Ubuntu 16.04 設定環境語言編碼,讓中文可以正常顯示
- Ubuntu 16.04 安裝 fail2ban
- 一個腳本每天自動備份
- Linux tar 完整備份、增量備份及差異備份比較
- nginx + SSL Certificate – 讓 http 變身成為 https
- SSL For Free – 免費又有綠色鎖頭的 SSL Certificates
- Certbot 申請 SSL certificate 錯誤問題
- Certbot 錯誤:ACMEv1 is deprecated and you can …
- Ubuntu 18.04 安裝 AWStats 來統計網站流量
- PCHome 買網址續約流程