我尝试设置,我认为这是一个相当简单的站点,使用nginx-proxy和docker-letsencrypt-nginx-proxy-companion创建一个 https 安全站点。我已阅读https://github.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion/blob/master/docs/Invalid-authorizations.md并启用调试。我的日志的相关部分如下:
2020-05-18 18:10:07,185:DEBUG:acme.client:1102: Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/57595483:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMzc0Mjk5NiIsICJub25jZSI6ICIwMDAxYVJ5MlZEYUxTMDRZY
XJjLUY0TnVMc2VzaV9IalFpREdfWWJZbDE2UFVRNCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My81NzU5NTQ4MyJ9",
"signature": "HBZ-2lgBLzBAnoiFhStjMACkpw7bAB1Xenb4msUoFYLAAXUQXoXcibKYiOm9SKTKdHaQ3I8vOWsmKbUtLGXTLdNNrH5aSbCCeIEcfZGNJtg5-5M0gExvv_ch7l6AxLBwZ4dPeDWvILCubs5YH-g03otRt8LOL
4hqmj_FwIxtlHt-FWuOup3eMWMbYaUx1jOaHRsXc9uOgYz8I9STPP3qkA6COnP3hGoCTDZfMX8M2RQfHd0f-bJJYXo-I32wyhvVcWlMr5PwDy6f8hi6sQYJ_8q8jTQLIf-AbXEduaAZmoogdE73shBh1lHW0-ocrLXhdayxVpAk1v
CY8P1R5E7-_PUhB-GgVecBzo0jKR-TE2C-WN92pM8_9TXnQgq3GOvCnqOv8ZFpuuFVL8uBIYHS5WIvpCf7PQ7jSWMBz_v73QVMaiWs2ZTMxUL40kdBFVbj-he9Z1Ydeu5252QdZK6aLF4AnNsCUfuyeunms1J4ojn_EF_0lxqp3DB
rRNT2d-pbLKcVXFl6Abw7t9zGXHKa52__e162jdTedC-4msq18qblHisgzsCYtSFxva7mYEodIQTF9pdjtYAzmOBc6OX9AN9VB1j-rpv45Q6OZkX7jf5fH6C20mEpjRxLGRDue4VxA6RsTumKmeeVXFI1UtmzJa8DTB8QijYIcelA
VK1AVnI",
"payload": ""
}
2020-05-18 18:10:07,248:DEBUG:urllib3.connectionpool:437: https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/57595483 HTTP/1.1" 200 1301
2020-05-18 18:10:07,250:DEBUG:acme.client:1145: Received response:
HTTP 200
Server: nginx
Date: Mon, 18 May 2020 18:10:07 GMT
Content-Type: application/json
Content-Length: 1301
Connection: keep-alive
Boulder-Requester: 13742996
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00023X_fu6szDFRU3VHPGyDMdgLUl3tqlUVg5Bmbc-CFeU4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "mydomain"
},
"status": "invalid",
"expires": "2020-05-25T18:10:05Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://mydomain/.well-known/acme-challenge/NhRLAy2VcaZrjbhwSzVcE2DmUZMA42G5fQnzGIiW7do [161.35.99.16]: \"\u003chtml\u003e\\r\\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\\r\\n\u003cbody\u003e\\r\\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\\r\\n\u003chr\u003e\u003ccenter\u003enginx/1.17.6\u003c/ce\"",
"status": 403
},
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/57595483/1s01Qw",
"token": "NhRLAy2VcaZrjbhwSzVcE2DmUZMA42G5fQnzGIiW7do",
"validationRecord": [
{
"url": "http://mydomain/.well-known/acme-challenge/NhRLAy2VcaZrjbhwSzVcE2DmUZMA42G5fQnzGIiW7do",
"hostname": "mydomain",
"port": "80",
"addressesResolved": [
"myip"
],
"addressUsed": "myip"
}
]
}
]
}
2020-05-18 18:10:07,253:DEBUG:acme.client:1170: Storing nonce: 00023X_fu6szDFRU3VHPGyDMdgLUl3tqlUVg5Bmbc-CFeU4
2020-05-18 18:10:07,254:ERROR:simp_le:1396: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-chall
enge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your ho
st's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge v
alidation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.
org/docs/caa/). Failing authorizations: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/57595483
2020-05-18 18:10:07,258:INFO:simp_le:396: Saving account_key.json
2020-05-18 18:10:07,259:INFO:simp_le:396: Saving account_reg.json
2020-05-18 18:10:07,260:DEBUG:simp_le:1098: Removing validation file at /usr/share/nginx/html/.well-known/acme-challenge/NhRLAy2VcaZrjbhwSzVcE2DmUZMA42G5fQnzGIiW7do
Challenge validation has failed, see error log.
我的 docker-compose.yml 如下:
version: '3.7'
services:
nginx-reverse-proxy:
image: jwilder/nginx-proxy:alpine
container_name: nginx-proxy
ports:
- "80:80"
- "443:443"
volumes:
- "${CONFIG}/nginx/certs:/etc/nginx/certs:ro"
- "${CONFIG}/nginx/vhost.d:/etc/nginx/vhost.d"
- "${CONFIG}/nginx/nginx_proxy.conf:/etc/nginx/conf.d/nginx_proxy.conf:ro"
- "/var/run/docker.sock:/tmp/docker.sock:ro"
environment:
- "DEFAULT_HOST=${DOMAIN}.${TOP_LEVEL_DOMAIN}"
- "DHPARAM_GENERATION=false"
tty: true
restart: unless-stopped
letsencrypt-sidecar:
image: jrcs/letsencrypt-nginx-proxy-companion:v1.12.1
volumes:
- "${CONFIG}/nginx/certs:/etc/nginx/certs"
- "${CONFIG}/nginx/vhost.d:/etc/nginx/vhost.d"
- "${CONFIG}/nginx/nginx_proxy.conf:/etc/nginx/conf.d/nginx_proxy.conf"
- "${SITE}:/usr/share/nginx/html"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
environment:
- "DEFAULT_EMAIL=info@${DOMAIN}.${TOP_LEVEL_DOMAIN}"
- "NGINX_PROXY_CONTAINER=nginx-proxy"
- "DEBUG=true"
- "ACME_CA_URI=https://acme-staging-v02.api.letsencrypt.org/directory"
tty: true
restart: unless-stopped
nginx-defaultsite:
image: nginx:1.18.0-alpine
volumes:
- "${SITE}:/usr/share/nginx/html:ro"
environment:
- "VIRTUAL_HOST=${DOMAIN}.${TOP_LEVEL_DOMAIN}"
- "LETSENCRYPT_HOST=${DOMAIN}.${TOP_LEVEL_DOMAIN}"
- "LETSENCRYPT_EMAIL=info@${DOMAIN}.${TOP_LEVEL_DOMAIN}"
restart: unless-stopped
我已确认在以下内容中正确创建了letsencrypt-sidecar文件nginx-defaultsite:
docker exec -it letsencrypt-sidecar bash -c 'echo "Hello world!" > /usr/share/nginx/html/.well-known/acme-challenge/hello-world'
docker exec -it letsencrypt-sidecar /bin/bash bash -c 'cat /usr/share/nginx/html/.well-known/acme-challenge/hello-world'
docker exec -it nginx-defaultsite /bin/bash bash -c 'cat /usr/share/nginx/html/.well-known/acme-challenge/hello-world'
但是当我尝试去时,http://mydomiain/.well-known/acme-challenge/hello-world我得到了 404。
任何对我可能做错的事情的见解将不胜感激。我觉得我只是缺少一个关键组件,...