Certbot 申請 SSL certificate 錯誤問題

今天幫好友處理 Certbot 的問題,這伺服器上已經申請過一個,這次要申請另一個域名,卻怎麼樣都會出現「The client lacks sufficient authorization」的錯誤,試了一些時間總算完成。

Certbot 真的是個方便的東西,記得很久以前小蛙架部落格剛要轉 https 的時候,還要去 SSL for Free 網站手動申請及安裝(可參考這邊),SSL for Free 的好處是申請 SSL 完全免費,但是有一個缺點是每三個月必須自己手動去更新(renew),小蛙用了一段時間後發現,原來有 Certbot 這麼方便又好用的東西,之後有機會再來介紹這個,今天這篇只是要記錄使用 certbot 錯誤的解決方法。

是這樣的,在 Ubuntu 可以直接透過 certbot 申請 SSL 憑證,也包含了自動更新的功能,但是小蛙要申請一個新的網域的時候,卻發生了下列錯誤

[email protected]:/home/sysadm# certbot certonly --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
 
1: mydomain.com
 
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mydomain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.com/.well-known/acme-challenge/xxxxxx [xxx.xxx.xxx.xxx]: "\n\n404 Not Found\n\n Not Found \n<p"
 IMPORTANT NOTES:
 The following errors were reported by the server:
 Domain: mydomain.com
 Type:   unauthorized
 Detail: Invalid response from
 http://mydomain.com/.well-known/acme-challenge/xxxx
 [xxx.xxx.xxx.xxx]: "\n\n404 Not Found\n\n Not Found \n<p"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. 

裡面看到幾個關鍵「Failed authorization procedure」、「unauthorized」、「Invalid response from」、「The client lacks sufficient authorization」

第一直覺是檔案連不到,但直接連 http://mydomain.com/.well-known/acme-challenge/xxxxxx 又沒有問題,看到朋友的主機有一堆奇怪的 site 設定檔,先清一清看看,嗯 ~ 好,沒有反應,錯誤還是存在。

一直發生上面的錯誤,不斷測試不斷重試,結果得到下面的錯誤 … (嗚嗚嗚)

[email protected]:/etc/apache2/sites-enabled# certbot --apache

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
 
 1: mydomain.com
 
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1

Obtaining a new certificate
An unexpected error occurred:
  There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.

進去錯誤訊息給的連結後,裡面有一段話寫著「我們還有網域驗證失敗限制,對於每個帳號每域名每小時 5 次的限制。在測試環境中並沒有那麼嚴格的限制,因此你可以使用測試環境來針對連線問題除錯。」

額外得知原來加了--dry-run就是測試環境,只會用來測試並不會真正儲存申請的憑證,而且限制比較沒那麼嚴格,如果是要測試為什麼申請失敗只要加上--dry-run,確定都沒有問題後才透過正式環境申請。小蛙這邊超過了每小時五次的限制,只能等到先用--dry-run來測試,等 unban 之後再到正式環境申請了。

經過重重困難後,決定一個參數一個參數試試看,於是試出了

[email protected]:/var/www/html# certbot certonly --webroot -w /var/www/html/ -d mydomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:
 Congratulations! Your certificate and chain have been saved at:
 /etc/letsencrypt/live/mydomain.com/fullchain.pem
 Your key file has been saved at:
 /etc/letsencrypt/live/mydomain.com/privkey.pem
 Your cert will expire on 2021-09-19. To obtain a new or tweaked
 version of this certificate in the future, simply run certbot
 again. To non-interactively renew all of your certificates, run
 "certbot renew"
 If you like Certbot, please consider supporting our work by:
 Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
 Donating to EFF: https://eff.org/donate-le 

終於,加上了--webroot -w /var/www/html/之後就成功了 ~ 看起來可能是.well-known/acme-challenge/xxxxxxx的預設路徑不知道為什麼不在目前使用的目錄,導致驗證的時候會抓不到產生的驗證檔案而噴錯,加入該設定之後就完成了,這篇文章留給有需要的朋友 ~

發佈留言

發佈留言必須填寫的電子郵件地址不會公開。