Recently the HTTPS certificate for a domain on my Baota (宝塔) panel expired. I kept requesting a new certificate from the panel, but for this domain the panel can only validate through an NS TXT record, and Baota's wait time is very short: it reported the record as saved before the TXT record had actually taken effect. I tried many times and every attempt failed, until it told me that authorizations were too frequent and I could only try again the next day. One server may fail only 5 times per hour.

```
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently
```
Installing Certbot to request the certificate manually

Install Certbot

```shell
yum install certbot -y
```

Request the certificate

```shell
certbot certonly --webroot -w /www/wwwroot/api.xxx.com/.well-known/ -d api.xxx.com
```
Not unexpectedly, something went wrong: certbot did not write any file into the .well-known directory on its own. My solution was to have nginx catch certbot's validation request directly and return the content itself, which is more flexible.

Configure nginx

Either of the two rules works; use whichever you prefer.

```nginx
location ~ "^/\.well-known/acme-challenge/(.*)$" {
    default_type text/plain;
    return 200 "$1";
}
```

```nginx
location ^~ /.well-known/acme-challenge/ {
    set $a $uri;
    # keep only the last path segment (the challenge token)
    if ($uri ~ ".*/([^/]+)$") {
        set $a $1;
    }
    default_type text/plain;
    return 200 $a;
}
```

One small catch here: the rule has to include the ^. I didn't have it at first, couldn't work out what was wrong, and every request returned 404.
Request again

```
[root@VM-8-7-centos ~]# certbot certonly --webroot -w /www/wwwroot/api.xxx.com/.well-known/ -d api.xxx.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for api.tian.hu
Performing the following challenges:
http-01 challenge for api.xxx.com
Using the webroot path /www/wwwroot/api.xxx.com.well-known for all unmatched domains.
Waiting for verification...
Challenge failed for domain api.tian.hu
http-01 challenge for api.tian.hu
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: api.xxx.com
   Type:   unauthorized
   Detail: The key authorization file from the server did not match
   this challenge. Expected
   "jcDoMfs0C_I2OYNxMdb3a2UONf7nAmTvgnB8UXtgBlw.i9GCYBcYETecmnB4mMvPvAnfEAwHgRgqU_N7Jx293ig"
   (got
   "jcDoMfs0C_I2OYNxMdb3a2UONf7nAmTvgnB8UXtgBlw")

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
```

You will see an error. It means that to validate the site, certbot automatically has api.xxx.com/.well-known/acme-challenge/jcDoMfs0C_I2OYNxMdb3a2UONf7nAmTvgnB8UXtgBlw requested, but the content that must be returned is jcDoMfs0C_I2OYNxMdb3a2UONf7nAmTvgnB8UXtgBlw.i9GCYBcYETecmnB4mMvPvAnfEAwHgRgqU_N7Jx293ig.

I tested the suffix (highlighted in red in the original): it was the same value across several requests, so I simply changed the nginx rule to append it to the requested path.
```nginx
location ~ "^/\.well-known/acme-challenge/(.*)$" {
    default_type text/plain;
    return 200 "$1.i9GCYBcYETecmnB4mMvPvAnfEAwHgRgqU_N7Jx293ig";
}
```
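The rule above works because an http-01 key authorization is simply `<token>.<thumbprint>`, where the thumbprint is the RFC 7638 SHA-256 thumbprint of the ACME account's public key (RFC 8555 section 8.1). It depends only on the account key, which is why the suffix came back identical on every attempt. The following Python script is an added example and is not code from this post or from certbot: it computes that thumbprint from a JWK, builds the key authorization, models both versions of the nginx rule from the post and checks which one the validator would accept. The JWK it uses is a constructed placeholder, not a real key; the token and thumbprint are the values from the certbot output above. The `certbot_challenge_file` helper shows where certbot's webroot plugin actually writes the challenge file for a given `-w` path: with `-w .../.well-known/` it lands in a nested `.well-known/.well-known/acme-challenge/` directory, which is why no file ever appeared where nginx was looking.

```python
import base64
import hashlib
import json
import os
import re


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME/JOSE use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised with lexicographically sorted keys and no whitespace.
    Extra members such as "alg" or "kid" never change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """Body the ACME server expects at /.well-known/acme-challenge/<token>
    (RFC 8555 section 8.1): the token, a dot, the account key thumbprint."""
    return f"{token}.{thumbprint}"


def certbot_challenge_file(webroot: str, token: str) -> str:
    """Where certbot's webroot plugin writes the challenge for a given -w path:
    <webroot>/.well-known/acme-challenge/<token>."""
    return os.path.join(webroot, ".well-known", "acme-challenge", token)


# Constructed placeholder account key (not a real key; only the JWK members
# matter for the thumbprint computation).
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(256)) * 8),
              "alg": "RS256", "kid": "demo"}

# Token and thumbprint exactly as they appear in the certbot error above.
TOKEN = "jcDoMfs0C_I2OYNxMdb3a2UONf7nAmTvgnB8UXtgBlw"
THUMBPRINT = "i9GCYBcYETecmnB4mMvPvAnfEAwHgRgqU_N7Jx293ig"

CHALLENGE_RE = re.compile(r"^/\.well-known/acme-challenge/(.*)$")


def nginx_token_only(uri: str):
    """Models the post's first rule: return 200 "$1" (token alone)."""
    m = CHALLENGE_RE.match(uri)
    return (200, m.group(1)) if m else (404, "")


def nginx_with_thumbprint(uri: str, thumbprint: str):
    """Models the corrected rule: return 200 "$1.<thumbprint>"."""
    m = CHALLENGE_RE.match(uri)
    return (200, key_authorization(m.group(1), thumbprint)) if m else (404, "")


def validator_accepts(status: int, body: str, token: str, thumbprint: str) -> bool:
    """Simplified http-01 check: HTTP 200 and the body (trailing whitespace
    ignored) equals the expected key authorization."""
    return status == 200 and body.strip() == key_authorization(token, thumbprint)


if __name__ == "__main__":
    uri = f"/.well-known/acme-challenge/{TOKEN}"
    print("thumbprint of sample key:", jwk_thumbprint(SAMPLE_JWK))
    print("expected body:", key_authorization(TOKEN, THUMBPRINT))
    for name, resp in (("token only", nginx_token_only(uri)),
                       ("with thumbprint", nginx_with_thumbprint(uri, THUMBPRINT))):
        verdict = "accepted" if validator_accepts(*resp, TOKEN, THUMBPRINT) else "rejected"
        print(f"{name:16} -> {verdict}")
    print("certbot would write:",
          certbot_challenge_file("/www/wwwroot/api.xxx.com/.well-known/", TOKEN))
```

To obtain the suffix for your own setup instead of copying it from an error message, load the account key certbot stores as a JWK in `/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/<account-id>/private_key.json` (`<account-id>` is a placeholder for the directory name on your server) with `json.load` and pass it to `jwk_thumbprint`; the private JWK carries the same public members, so the result is exactly the thumbprint the server expects. Because the thumbprint is hard-coded, the vhost is tied to that one ACME account: if the account under `/etc/letsencrypt/accounts` is ever recreated, the suffix in the nginx rule must be updated or every renewal will fail with the same "did not match" error.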
Request again:

```
[root@VM-8-7-centos ~]# certbot certonly --webroot -w /www/wwwroot/api.xxx.com/.well-known/ -d api.xxx.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for api.tian.hu
Performing the following challenges:
http-01 challenge for api.tian.hu
Using the webroot path /www/wwwroot/api.xxx.com/.well-known for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: 6077782@qq.com).
Starting new HTTPS connection (1): supporters.eff.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/api.xxx.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/api.xxx.com/privkey.pem
   Your certificate will expire on 2023-10-03. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```

The certificate was issued successfully; all that is left is to configure it in nginx.