使用Certbot为网站申请免费letsencrypt https证书-天狐博客

最近宝塔上的域名https过期了，一直在面板请求证书，但是这个域名面板只可以用ns txt记录来处理，然后宝塔的等待时间非常短，txt还没生效，这边就提示保存了，试了好多次都失败，结果提示认证频繁只能第二天试了。一个服务器1个小时只能失败5次。

There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently

1	There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently

安装Certbot手动请求证书

安装Certbot

yum install certbot -y

1	yum install certbot -y

申请证书

certbot certonly --webroot -w /www/wwwroot/api.xxx.com/.well-known/ -d api.xxx.com

1	certbot certonly --webroot -w /www/wwwroot/api.xxx.com/.well-known/ -d api.xxx.com

不出意外的出意外了，cerbot并不会自动的往.well-know目录写文件。我的解决办法是nginx直接捕捉到cerbot访问请求，返回内容，比较灵活。

配置nginx

2个规则都可以，用哪个都行

location ~ "^/\.well-known/acme-challenge/(.*)$" {
    default_type text/plain;
    return 200 "$1";
}

location ~ "^/\.well-known/acme-challenge/(.*)$" {

default_type text/plain;

return 200 "$1";

}

location ^/\.well-known/acme-challenge/ {
	set $a $uri;
	if ( $uri ~ .*\\/([^/]+)$) {
		set $a $1;
	}
	default_type    text/plain;
	return 200 $a;
}

location ^/\.well-known/acme-challenge/ {

set $a $uri;

if ( $uri ~ .*\\/([^/]+)$) {

set $a $1;

}

default_type text/plain;

return 200 $a;

}

这块有个小问题就是规则要加 ^，我之前没加一直不知道什么问题，一直访问404

再次请求

[root@VM-8-7-centos ~]# certbot certonly --webroot -w /www/wwwroot/api.xxx.com/.well-known/ -d api.xxx.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for api.tian.hu
Performing the following challenges:
http-01 challenge for api.xxx.com
Using the webroot path /www/wwwroot/api.xxx.com.well-known for all unmatched domains.
Waiting for verification...
Challenge failed for domain api.tian.hu
http-01 challenge for api.tian.hu
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: api.xxx.com
   Type:   unauthorized
   Detail: The key authorization file from the server did not match
   this challenge. Expected
   "jcDoMfs0C_I2OYNxMdb3a2UONf7nAmTvgnB8UXtgBlw.i9GCYBcYETecmnB4mMvPvAnfEAwHgRgqU_N7Jx293ig"
   (got "jcDoMfs0C_I2OYNxMdb3a2UONf7nAmTvgnB8UXtgBlw")

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

[root@VM-8-7-centos ~]# certbot certonly --webroot -w /www/wwwroot/api.xxx.com/.well-known/ -d api.xxx.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator webroot, Installer None

Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Requesting a certificate for api.tian.hu

Performing the following challenges:

http-01 challenge for api.xxx.com

Using the webroot path /www/wwwroot/api.xxx.com.well-known for all unmatched domains.

Waiting for verification...

Challenge failed for domain api.tian.hu

http-01 challenge for api.tian.hu

Cleaning up challenges

Some challenges have failed.

IMPORTANT NOTES:

- The following errors were reported by the server:

Domain: api.xxx.com

Type: unauthorized

Detail: The key authorization file from the server did not match

this challenge. Expected

"jcDoMfs0C_I2OYNxMdb3a2UONf7nAmTvgnB8UXtgBlw.i9GCYBcYETecmnB4mMvPvAnfEAwHgRgqU_N7Jx293ig"

(got "jcDoMfs0C_I2OYNxMdb3a2UONf7nAmTvgnB8UXtgBlw")

To fix these errors, please make sure that your domain name was

entered correctly and the DNS A/AAAA record(s) for that domain

contain(s) the right IP address.

会发现出现个错误，意思是cerbot会自动请求api.xxx.com/.well-known/acme-challenge/jcDoMfs0C_I2OYNxMdb3a2UONf7nAmTvgnB8UXtgBlw 来认证网址,担是必须返回给他api.xxx.com/.well-known/acme-challenge/jcDoMfs0C_I2OYNxMdb3a2UONf7nAmTvgnB8UXtgBlw.i9GCYBcYETecmnB4mMvPvAnfEAwHgRgqU_N7Jx293ig

红色的我试了下，几次请求都是这个值，所以直接修改nginx规则。拼到请求的路径后边。

location ~ "^/\.well-known/acme-challenge/(.*)$" {
    default_type text/plain;
    return 200 "$1.i9GCYBcYETecmnB4mMvPvAnfEAwHgRgqU_N7Jx293ig";
}

location ~ "^/\.well-known/acme-challenge/(.*)$" {

default_type text/plain;

return 200 "$1.i9GCYBcYETecmnB4mMvPvAnfEAwHgRgqU_N7Jx293ig";

}

再次请求；

[root@VM-8-7-centos ~]# certbot certonly --webroot -w /www/wwwroot/api.xxx.com/.well-known/ -d api.xxx.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for api.tian.hu
Performing the following challenges:
http-01 challenge for api.tian.hu
Using the webroot path /www/wwwroot/api.xxx.com/.well-known for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: 6077782@qq.com).
Starting new HTTPS connection (1): supporters.eff.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/api.xxx.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/api.xxx.com/privkey.pem
   Your certificate will expire on 2023-10-03. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@VM-8-7-centos ~]# certbot certonly --webroot -w /www/wwwroot/api.xxx.com/.well-known/ -d api.xxx.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator webroot, Installer None

Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Requesting a certificate for api.tian.hu

Performing the following challenges:

http-01 challenge for api.tian.hu

Using the webroot path /www/wwwroot/api.xxx.com/.well-known for all unmatched domains.

Waiting for verification...

Cleaning up challenges

Subscribe to the EFF mailing list (email: 6077782@qq.com).

Starting new HTTPS connection (1): supporters.eff.org

IMPORTANT NOTES:

- Congratulations! Your certificate and chain have been saved at:

/etc/letsencrypt/live/api.xxx.com/fullchain.pem

Your key file has been saved at:

/etc/letsencrypt/live/api.xxx.com/privkey.pem

Your certificate will expire on 2023-10-03. To obtain a new or

tweaked version of this certificate in the future, simply run

certbot again. To non-interactively renew *all* of your

certificates, run "certbot renew"

- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate

Donating to EFF: https://eff.org/donate-le

成功申请到，配置到nginx就行了。

转载请注明：天狐博客 » 使用Certbot为网站申请免费letsencrypt https证书

使用Certbot为网站申请免费letsencrypt https证书

安装Certbot手动请求证书

安装Certbot

申请证书

配置nginx

与本文相关的文章

Hi，您需要填写昵称和邮箱！

安装Certbot手动请求证书

安装Certbot

申请证书

配置nginx

与本文相关的文章

Hi，您需要填写昵称和邮箱！

订阅天狐博客