![](/img/trans.png)
[英]SSL certificate works on subdomain but not main domain using cloudflare and certbot
[英]Certbot get certificate on nginx for subdomain on different server other than domain
我有我的域 example.com,它指向123.123.123.123
的 aws ec2 實例。 我在家庭服務器上也有一個 gitlab 實例,地址為231.231.231.231
。
我的域的記錄設置如下:
example.com
A 123.123.123.123
git.example.com
A 231.231.231.231
Nothing strange here: when I type example.com I go to the AWS EC2 instance, and when typing git.example.com I go to my static IP at home. 路由器將端口 80 上的所有請求發送到我的 Ubuntu 服務器,其中 nginx 運行 Gitlab 實例,一切正常。
nginx 配置:
server {
server_name git.example.com www.git.example.com;
location /.well-known/acme-challenge/ {
root /var/www;
try_files $uri =404;
}
location / {
proxy_pass http://127.0.0.1:4872;
}
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Accept-Encoding "";
proxy_set_header Proxy "";
}
現在我想用 certbot 設置 SSL。 我使用certonly
和--dry-run
因為我只想測試它是否有效。
sudo certbot certonly --cert-name example --nginx -d "git.example.com,www.git.example.com" --dry-run
響應是一個錯誤:
- The following errors were reported by the server:
Domain: git.example.com
Type: unauthorized
Detail: Invalid response from
http://git.example.com/.well-known/acme-challenge/...
[231.231.231.231]: "<!DOCTYPE html>\n<html>\n<head>\n<meta
charset=\"utf-8\">\n<style>body{font-family:Arial,Helvetica,sans-serif;font-size:12px;text-alig"
Domain: www.git.example.com
Type: unauthorized
Detail: Invalid response from
http://www.git.example.com/.well-known/acme-challenge/...
[231.231.231.231]: "<!DOCTYPE html>\n<html>\n<head>\n<meta
charset=\"utf-8\">\n<style>body{font-family:Arial,Helvetica,sans-serif;font-size:12px;text-alig"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
如果我嘗試在手動模式下執行此操作,它將成功:
sudo certbot certonly --manual --preferred-challenges dns -d www.git.example.com -d git.example.com --dry-run
A
區域以及AAAA
已正確配置和傳播。
I think that maybe certbot is not just trying to check git.example.com and git.example.com at this IP, but also example.com and www.example.com . 由於它無法訪問它們,因此返回錯誤。
任何人都知道我是否是對的,或者這個錯誤是否來自不同的問題?
鑒於這是本地服務器,您是否打開了 HTTP 端口以允許 certbot 連接?
Certbot 利用端口 443 或 80 來挑戰域,您應該在防火牆上打開它。 如果這不可能,您可以嘗試不同的挑戰,您可以在此處找到更多信息。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.