让我们加密自动续订时出错(Nginx)
[英]Error on Let's encrypt auto renewal (Nginx)
问题描述
I am trying to set up greenlock-express to run behind nginx proxy. 
我正在尝试设置greenlock-express来运行nginx代理。
Here is my nginx config 这是我的nginx配置
...
# redirect
server {
listen 80;
listen [::]:80;
server_name mydomain.com;
location / {
return 301 https://$server_name$request_uri;
}
}
# serve
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name mydomain.com;
# SSL settings
ssl on;
ssl_certificate C:/path/to/mydomain.com/fullchain.pem;
ssl_certificate_key C:/path/to/mydomain.com/privkey.pem;
# enable session resumption to improve https performance
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
# enables server-side protection from BEAST attacks
ssl_prefer_server_ciphers on;
# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ciphers chosen for forward secrecy and compatibility
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
# enable OCSP stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
resolver 8.8.8.8 8.8.4.4;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate C:/path/to/mydomain.com/chain.pem;
# config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
# added to make handshake take less resources
keepalive_timeout 70;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass https://127.0.0.1:3001/;
proxy_redirect off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
...
I have node server running on port 3000 (http) and port 3001 (https). 我有节点服务器在端口3000(http)和端口3001(https)上运行。 Everything else seems to be working, but certificates do not update and expire after 3 months. 其他一切似乎都有效,但证书不会更新并在3个月后过期。
If I closed nginx and ran node server on port 80 (http) and port 443 (https), then it updates certs. 如果我关闭了nginx并在端口80(http)和端口443(https)上运行了节点服务器,那么它会更新证书。
I made sure that .well-known/acme-challenge is forwarded to node server, ie when I go to url http(s)://mydomain.com/.well-known/acme-challenge/randomstr I get following response: 我确保将.well-known/acme-challenge转发到节点服务器,即当我转到url http(s)://mydomain.com/.well-known/acme-challenge/randomstr我得到以下响应:
{
"error": {
"message": "Error: These aren't the tokens you're looking for. Move along."
}
}
2 个解决方案
解决方案1
3 2018-03-10 05:13:44
The easy way to separate the webroot for ACME authentication. 分离webroot以进行ACME身份验证的简便方法。
Create a webroot directory for ACME authentication. 为ACME身份验证创建Webroot目录。
C:\www\letsencrypt\.well-known
In the nginx configuration, set the webroot for ACME authentication to the previously created directory. 在nginx配置中,将用于ACME身份验证的webroot设置为先前创建的目录。
http://example.com/.well-known/acme-challenge/token -> C:/www/letsencrypt/.well-known/acme-challenge/token
server {
listen 80;
listen [::]:80;
server_name mydomain.com;
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root C:/www/letsencrypt;
}
location / {
return 301 https://$server_name$request_uri;
}
}
Restart nginx. 重启nginx。
You can change your webroot in certbot to get authentication again. 您可以在certbot中更改您的webroot以再次进行身份验证。
certbot certonly --webroot -w C:\www\letsencrypt\ -d exapmle.com --dry-run
First, test it by adding the
--dry-runoption.--dry-run选项对其进行测试。 Otherwise, you may experience issues limiting the number of authentication attempts.
解决方案2
1 2018-03-09 21:19:15
The error you are seeing is that when a token is placed in your 您看到的错误是当令牌放入您的
webroot/.well-known/acme-challenge/token Webroot公司/。好知名/ ACME挑战/令牌
Then Let's Encrypt tries to verify that from the internet. 然后让我们的加密尝试从互联网验证。 going to http://yourdomain/.well-known/acme-challenge/token it gets a 404 error - page not found. 转到http://yourdomain/.well-known/acme-challenge/token它收到404错误 - 找不到页面。 Exactly why it get's a 404 I can't be certain. 究竟为什么它得到了404我无法确定。 If you place a file there yourself, is it reachable from the internet ?. 如果您自己放置文件,是否可以从互联网上访问?
If you are wondering there are a couple of automatic ways to renew your SSL's without restarting your nginx. 如果您想知道有几种自动更新SSL的方法,而无需重新启动您的nginx。 The one most nginx users seem to prefer is the webroot plugin: first, obtain a new cert using something like: nginx用户似乎更喜欢的是webroot插件:首先,使用以下内容获取新证书:
certbot certonly --webroot -w /path/to/your/webroot -d example.com --post-hook="service nginx reload"
Then set up a cron job to run certbot renew once or twice a day; 然后设置一个cron作业,每天运行一次或两次certbot更新; it will only run the post-hook when it actually renews the certificate. 它只会在实际更新证书时运行post-hook。 You can also use --pre-hook flag if you prefer to stop nginx to run certbot in standalone mode. 如果您希望停止nginx以独立模式运行certbot ,也可以使用--pre-hook标志。
There's also a full nginx plugin, which you can activate with --nginx . 还有一个完整的nginx插件,您可以使用--nginx激活--nginx 。 It's still being tested, so experiment at your own risk and report any bugs. 它仍在测试中,因此请自行承担风险并报告任何错误。
Note: post-hook Flag will take care of reloading nginx upload renewal of your certs 注意: post-hook Flag将负责重新加载证书的nginx上传续订
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.