[英]Error on Let's encrypt auto renewal (Nginx)
我正在嘗試設置greenlock-express來運行nginx代理。
這是我的nginx配置
...
# redirect
server {
listen 80;
listen [::]:80;
server_name mydomain.com;
location / {
return 301 https://$server_name$request_uri;
}
}
# serve
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name mydomain.com;
# SSL settings
ssl on;
ssl_certificate C:/path/to/mydomain.com/fullchain.pem;
ssl_certificate_key C:/path/to/mydomain.com/privkey.pem;
# enable session resumption to improve https performance
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
# enables server-side protection from BEAST attacks
ssl_prefer_server_ciphers on;
# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ciphers chosen for forward secrecy and compatibility
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
# enable OCSP stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
resolver 8.8.8.8 8.8.4.4;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate C:/path/to/mydomain.com/chain.pem;
# config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
# added to make handshake take less resources
keepalive_timeout 70;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass https://127.0.0.1:3001/;
proxy_redirect off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
...
我有節點服務器在端口3000(http)和端口3001(https)上運行。 其他一切似乎都有效,但證書不會更新並在3個月后過期。
如果我關閉了nginx並在端口80(http)和端口443(https)上運行了節點服務器,那么它會更新證書。
我確保將.well-known/acme-challenge轉發到節點服務器,即當我轉到url http(s)://mydomain.com/.well-known/acme-challenge/randomstr我得到以下響應:
{
"error": {
"message": "Error: These aren't the tokens you're looking for. Move along."
}
}
分離webroot以進行ACME身份驗證的簡便方法。
為ACME身份驗證創建Webroot目錄。
C:\www\letsencrypt\.well-known
在nginx配置中,將用於ACME身份驗證的webroot設置為先前創建的目錄。
http://example.com/.well-known/acme-challenge/token - > C:/www/letsencrypt/.well-known/acme-challenge/token
server {
listen 80;
listen [::]:80;
server_name mydomain.com;
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root C:/www/letsencrypt;
}
location / {
return 301 https://$server_name$request_uri;
}
}
重啟nginx。
您可以在certbot中更改您的webroot以再次進行身份驗證。
certbot certonly --webroot -w C:\www\letsencrypt\ -d exapmle.com --dry-run
首先,通過添加
--dry-run選項對其進行測試。 否則,您可能會遇到限制身份驗證嘗試次數的問題。
您看到的錯誤是當令牌放入您的
Webroot公司/。好知名/ ACME挑戰/令牌
然后讓我們的加密嘗試從互聯網驗證。 轉到http://yourdomain/.well-known/acme-challenge/token它收到404錯誤 - 找不到頁面。 究竟為什么它得到了404我無法確定。 如果您自己放置文件,是否可以從互聯網上訪問?
如果您想知道有幾種自動更新SSL的方法,而無需重新啟動您的nginx。 nginx用戶似乎更喜歡的是webroot插件:首先,使用以下內容獲取新證書:
certbot certonly --webroot -w /path/to/your/webroot -d example.com --post-hook="service nginx reload"
然后設置一個cron作業,每天運行一次或兩次certbot更新; 它只會在實際更新證書時運行post-hook。 如果您希望停止nginx以獨立模式運行certbot ,也可以使用--pre-hook標志。
還有一個完整的nginx插件,您可以使用--nginx激活--nginx 。 它仍在測試中,因此請自行承擔風險並報告任何錯誤。
注意: post-hook Flag將負責重新加載證書的nginx上傳續訂
Let 錯誤的重新聲明 - 如何找到它被重新分配的位置?
[英]Redeclaration of Let error - How to find where it's being reassigned?
Webpack的UglifyJsPlugin對包含let的Node模塊拋出錯誤
[英]Webpack's UglifyJsPlugin throws error with Node modules containing let
讓我們制作一個地圖Topojson不出現-沒有錯誤消息,但什么也沒有發生
[英]Let's make a map Topojson doesn't appear - no error msgs but nothing happens
如何確定客戶端的時間不等於服務器的時間? (假設2小時錯誤)
[英]How to make a condition of if client's time is not equal to server time? (let say 2 hours error)
是否可以運行JavaScript(NodeJS)命令/函數,並在出現錯誤時讓程序繼續運行?
[英]Is it possible to run a JavaScript (NodeJS) command/function and let the program continue if there's an error?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.