1

I am trying to set up what I think is a fairly simple site, using nginx-proxy and docker-letsencrypt-nginx-proxy-companion to create an HTTPS-secured site. I have read https://github.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion/blob/master/docs/Invalid-authorizations.md and enabled debugging. The relevant part of my log is as follows:

2020-05-18 18:10:07,185:DEBUG:acme.client:1102: Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/57595483:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMzc0Mjk5NiIsICJub25jZSI6ICIwMDAxYVJ5MlZEYUxTMDRZYXJjLUY0TnVMc2VzaV9IalFpREdfWWJZbDE2UFVRNCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My81NzU5NTQ4MyJ9",
  "signature": "HBZ-2lgBLzBAnoiFhStjMACkpw7bAB1Xenb4msUoFYLAAXUQXoXcibKYiOm9SKTKdHaQ3I8vOWsmKbUtLGXTLdNNrH5aSbCCeIEcfZGNJtg5-5M0gExvv_ch7l6AxLBwZ4dPeDWvILCubs5YH-g03otRt8LOL4hqmj_FwIxtlHt-FWuOup3eMWMbYaUx1jOaHRsXc9uOgYz8I9STPP3qkA6COnP3hGoCTDZfMX8M2RQfHd0f-bJJYXo-I32wyhvVcWlMr5PwDy6f8hi6sQYJ_8q8jTQLIf-AbXEduaAZmoogdE73shBh1lHW0-ocrLXhdayxVpAk1vCY8P1R5E7-_PUhB-GgVecBzo0jKR-TE2C-WN92pM8_9TXnQgq3GOvCnqOv8ZFpuuFVL8uBIYHS5WIvpCf7PQ7jSWMBz_v73QVMaiWs2ZTMxUL40kdBFVbj-he9Z1Ydeu5252QdZK6aLF4AnNsCUfuyeunms1J4ojn_EF_0lxqp3DBrRNT2d-pbLKcVXFl6Abw7t9zGXHKa52__e162jdTedC-4msq18qblHisgzsCYtSFxva7mYEodIQTF9pdjtYAzmOBc6OX9AN9VB1j-rpv45Q6OZkX7jf5fH6C20mEpjRxLGRDue4VxA6RsTumKmeeVXFI1UtmzJa8DTB8QijYIcelAVK1AVnI",
  "payload": ""
}
2020-05-18 18:10:07,248:DEBUG:urllib3.connectionpool:437: https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/57595483 HTTP/1.1" 200 1301
2020-05-18 18:10:07,250:DEBUG:acme.client:1145: Received response:
HTTP 200
Server: nginx
Date: Mon, 18 May 2020 18:10:07 GMT
Content-Type: application/json
Content-Length: 1301
Connection: keep-alive
Boulder-Requester: 13742996
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00023X_fu6szDFRU3VHPGyDMdgLUl3tqlUVg5Bmbc-CFeU4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "mydomain"
  },
  "status": "invalid",
  "expires": "2020-05-25T18:10:05Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://mydomain/.well-known/acme-challenge/NhRLAy2VcaZrjbhwSzVcE2DmUZMA42G5fQnzGIiW7do [161.35.99.16]: \"\u003chtml\u003e\\r\\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\\r\\n\u003cbody\u003e\\r\\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\\r\\n\u003chr\u003e\u003ccenter\u003enginx/1.17.6\u003c/ce\"",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/57595483/1s01Qw",
      "token": "NhRLAy2VcaZrjbhwSzVcE2DmUZMA42G5fQnzGIiW7do",
      "validationRecord": [
         {
          "url": "http://mydomain/.well-known/acme-challenge/NhRLAy2VcaZrjbhwSzVcE2DmUZMA42G5fQnzGIiW7do",
          "hostname": "mydomain",
          "port": "80",
          "addressesResolved": [
            "myip"
          ],
          "addressUsed": "myip"
        }
      ]
    }
  ]
}
2020-05-18 18:10:07,253:DEBUG:acme.client:1170: Storing nonce: 00023X_fu6szDFRU3VHPGyDMdgLUl3tqlUVg5Bmbc-CFeU4
2020-05-18 18:10:07,254:ERROR:simp_le:1396: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/57595483
2020-05-18 18:10:07,258:INFO:simp_le:396: Saving account_key.json
2020-05-18 18:10:07,259:INFO:simp_le:396: Saving account_reg.json
2020-05-18 18:10:07,260:DEBUG:simp_le:1098: Removing validation file at /usr/share/nginx/html/.well-known/acme-challenge/NhRLAy2VcaZrjbhwSzVcE2DmUZMA42G5fQnzGIiW7do
Challenge validation has failed, see error log.

My docker-compose.yml is as follows:

version: '3.7'
services:
  nginx-reverse-proxy:
    image: jwilder/nginx-proxy:alpine
    container_name: nginx-proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "${CONFIG}/nginx/certs:/etc/nginx/certs:ro"
      - "${CONFIG}/nginx/vhost.d:/etc/nginx/vhost.d"
      - "${CONFIG}/nginx/nginx_proxy.conf:/etc/nginx/conf.d/nginx_proxy.conf:ro"
      - "/var/run/docker.sock:/tmp/docker.sock:ro"
    environment:
      - "DEFAULT_HOST=${DOMAIN}.${TOP_LEVEL_DOMAIN}"
      - "DHPARAM_GENERATION=false"
    tty: true
    restart: unless-stopped

  letsencrypt-sidecar:
    image: jrcs/letsencrypt-nginx-proxy-companion:v1.12.1
    volumes:
      - "${CONFIG}/nginx/certs:/etc/nginx/certs"
      - "${CONFIG}/nginx/vhost.d:/etc/nginx/vhost.d"
      - "${CONFIG}/nginx/nginx_proxy.conf:/etc/nginx/conf.d/nginx_proxy.conf"
      - "${SITE}:/usr/share/nginx/html"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    environment:
      - "DEFAULT_EMAIL=info@${DOMAIN}.${TOP_LEVEL_DOMAIN}"
      - "NGINX_PROXY_CONTAINER=nginx-proxy"
      - "DEBUG=true"
      - "ACME_CA_URI=https://acme-staging-v02.api.letsencrypt.org/directory"
    tty: true
    restart: unless-stopped

  nginx-defaultsite:
    image: nginx:1.18.0-alpine
    volumes:
      - "${SITE}:/usr/share/nginx/html:ro"
    environment:
      - "VIRTUAL_HOST=${DOMAIN}.${TOP_LEVEL_DOMAIN}"
      - "LETSENCRYPT_HOST=${DOMAIN}.${TOP_LEVEL_DOMAIN}"
      - "LETSENCRYPT_EMAIL=info@${DOMAIN}.${TOP_LEVEL_DOMAIN}"
    restart: unless-stopped

I have confirmed that a file created in letsencrypt-sidecar is correctly visible in nginx-defaultsite with the following:

docker exec -it letsencrypt-sidecar bash -c 'echo "Hello world!" > /usr/share/nginx/html/.well-known/acme-challenge/hello-world'

docker exec -it letsencrypt-sidecar bash -c 'cat /usr/share/nginx/html/.well-known/acme-challenge/hello-world'

# nginx:1.18.0-alpine ships no bash, so the read-back uses sh
docker exec -it nginx-defaultsite sh -c 'cat /usr/share/nginx/html/.well-known/acme-challenge/hello-world'

But when I try to go to http://mydomain/.well-known/acme-challenge/hello-world I get a 404.

Any insight into what I might be doing wrong would be greatly appreciated. I feel like I am just missing one key component, ...

4
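To read an authorization object like the one in the log above, here is an added example (not part of the question, and not the companion's code): it parses the authz JSON the CA returned, lists each failed challenge with the URL and IP the CA actually fetched, checks that the fetched path carries the challenge token, and pulls the server banner out of the quoted error body. Applied to the log, that banner is nginx/1.17.6 while the site container runs nginx:1.18.0-alpine, which already suggests that the front-end proxy, not the site container, answered the challenge request from a web root it does not share. The sample object below is constructed, with placeholder domain, token, IP and challenge URL.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample: same shape as the staging authorization object in the
# log above, with placeholder domain, token and IP (documentation ranges).
SAMPLE_AUTHZ_JSON = r'''
{
  "identifier": {"type": "dns", "value": "example.invalid"},
  "status": "invalid",
  "expires": "2020-05-25T18:10:05Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://example.invalid/.well-known/acme-challenge/TOKEN123 [192.0.2.10]: \"\u003chtml\u003e\\r\\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\u003chr\u003e\u003ccenter\u003enginx/1.17.6\u003c/ce\"",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/PLACEHOLDER/PLACEHOLDER",
      "token": "TOKEN123",
      "validationRecord": [
        {
          "url": "http://example.invalid/.well-known/acme-challenge/TOKEN123",
          "hostname": "example.invalid",
          "port": "80",
          "addressesResolved": ["192.0.2.10"],
          "addressUsed": "192.0.2.10"
        }
      ]
    }
  ]
}
'''
SAMPLE_AUTHZ = json.loads(SAMPLE_AUTHZ_JSON)

# The CA quotes the start of the body it received; nginx's default error page
# carries the server version, which tells you which nginx instance answered.
SERVER_BANNER_RE = re.compile(r"nginx/(\d+\.\d+(?:\.\d+)?)")
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def token_matches_url(token, url):
    """True if the URL the CA fetched is exactly the http-01 path for this token."""
    if not token or not url:
        return False
    return urlparse(url).path == CHALLENGE_PREFIX + token


def summarize_failures(authz):
    """Return one dict per challenge in the authz object whose status is not 'valid'."""
    failures = []
    for ch in authz.get("challenges", []):
        if ch.get("status") == "valid":
            continue
        err = ch.get("error") or {}
        records = ch.get("validationRecord") or []
        last = records[-1] if records else {}  # the attempt the CA reported on
        detail = err.get("detail") or ""
        banner = SERVER_BANNER_RE.search(detail)
        failures.append({
            "type": ch.get("type"),
            "status": ch.get("status"),
            "error_type": err.get("type"),
            "detail": detail,
            "fetched_url": last.get("url"),
            "address_used": last.get("addressUsed"),
            "token_in_path": token_matches_url(ch.get("token"), last.get("url")),
            "responder_nginx": banner.group(1) if banner else None,
        })
    return failures


def likely_cause(failure):
    """Coarse classification of an http-01 failure from the CA's error detail."""
    detail = failure["detail"]
    if "404" in detail:
        return "file-not-served"    # port 80 answered, but from a web root without the token
    if "Connection refused" in detail:
        return "nothing-on-port-80"
    if "Timeout" in detail or "timeout" in detail:
        return "unreachable"        # DNS, firewall or wrong address (compare address_used)
    return "unknown"


def address_is_expected(failure, public_ip):
    """Did the CA connect to the address you expect? A mismatch points at DNS, not the proxy."""
    return failure["address_used"] == public_ip


if __name__ == "__main__":
    for f in summarize_failures(SAMPLE_AUTHZ):
        print(f"{f['type']} {f['status']}: fetched {f['fetched_url']} at {f['address_used']}")
        print(f"  token in path: {f['token_in_path']}, responder: nginx/{f['responder_nginx']}")
        print(f"  likely cause: {likely_cause(f)}")
```

Feed it the JSON body from your own debug log (the object after "Received response:") and compare address_used with your server's public address first; only when that matches is the 404 a web-root problem rather than a DNS or firewall one.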

1 Answer

1

The problem was that the /usr/share/nginx/html folder was not mounted on the nginx-reverse-proxy image. I was able to triple-mount the site directory across all the services and it worked.

answered 2020-05-26T18:13:40.840
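The fix the answer describes, written out as an added example rather than the asker's or the project's own file: the site directory is mounted into all three services, so the token file the companion writes under /usr/share/nginx/html/.well-known/acme-challenge/ is visible to the nginx-proxy container that actually answers on port 80. Only the image and volumes keys are shown; the other keys stay as in the question, and ${CONFIG} and ${SITE} are the question's own variables. The proxy only needs to read the challenge files, so its mount is read-only.

```yaml
# Added example (not the question's or project's own compose file):
# the volumes sections after the fix from the answer above.
services:
  nginx-reverse-proxy:
    image: jwilder/nginx-proxy:alpine
    container_name: nginx-proxy
    volumes:
      - "${CONFIG}/nginx/certs:/etc/nginx/certs:ro"
      - "${CONFIG}/nginx/vhost.d:/etc/nginx/vhost.d"
      - "${CONFIG}/nginx/nginx_proxy.conf:/etc/nginx/conf.d/nginx_proxy.conf:ro"
      - "${SITE}:/usr/share/nginx/html:ro"   # added: the proxy must see the challenge files
      - "/var/run/docker.sock:/tmp/docker.sock:ro"

  letsencrypt-sidecar:
    image: jrcs/letsencrypt-nginx-proxy-companion:v1.12.1
    volumes:
      - "${CONFIG}/nginx/certs:/etc/nginx/certs"
      - "${CONFIG}/nginx/vhost.d:/etc/nginx/vhost.d"
      - "${CONFIG}/nginx/nginx_proxy.conf:/etc/nginx/conf.d/nginx_proxy.conf"
      - "${SITE}:/usr/share/nginx/html"      # writable: companion drops .well-known/acme-challenge/<token> here
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  nginx-defaultsite:
    image: nginx:1.18.0-alpine
    volumes:
      - "${SITE}:/usr/share/nginx/html:ro"
```

After `docker-compose up -d`, the hello-world check from the question should now return the file through the proxy as well: `curl -i http://mydomain/.well-known/acme-challenge/hello-world` should answer 200 instead of 404, and the Server header will show the proxy's nginx, confirming that the request is served from the shared directory.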