-1

I know this question is a common one, and I have made many attempts at the many different variations on this topic. In the past, this error meant I couldn't renew the Let's Encrypt certificate when it expired at 3 months. I have rebuilt the server and restarted. This time, however, I started from a staging certificate and now I seem to be stuck.

It's a Rails server running with nginx on Ubuntu 20.04, set up via Ansible following the book "Efficient Rails DevOps".

It can't renew the certificate because it complains that the .well-known directory/page doesn't exist:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ------.com.au
Using default address 80 for authentication.
Waiting for verification...
Challenge failed for domain -----.com.au
http-01 challenge for -----.com.au
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: -----.com.au
   Type:   unauthorized
   Detail: Invalid response from
   https://-----.com.au/.well-known/acme-challenge/DQ2urLrKOSQmBhtlciFcbfMOcPIltmAAdI3vrijWrsM
   [103.208.218.34]: "<!DOCTYPE html>\n<html>\n<head>\n  <title>The
   page you were looking for doesn't exist (404)</title>\n  <meta
   name=\"viewport\" content"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I have tried to redact the vhost conf file below, so it stands in for the original...

server {
  listen nnn.nnn.nnn.nnn:80;
  listen nnn.nnn.nnn.nnn:443 ssl;
  server_name www.dddd.com.au;
  return 301 https://dddd.com.au$request_uri;

  ssl_certificate /etc/letsencrypt/live/dddd.com.au/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/dddd.com.au/privkey.pem;
  ssl_dhparam /etc/nginx/ssl/dddd.pem;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  ssl_session_cache shared:SSL:10m;
  ssl_ecdh_curve secp384r1;
  ssl_session_tickets off;
  ssl_stapling on;
  ssl_stapling_verify on;

  resolver 8.8.8.8 8.8.4.4 valid=300s;
  resolver_timeout 5s;

  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
  add_header X-Frame-Options SAMEORIGIN always;
  add_header X-Content-Type-Options nosniff;

}

server {
  listen nnn.nnn.nnn.nnn:443 ssl;
  server_name dddd.com.au;
  ssl_certificate /etc/letsencrypt/live/dddd.com.au/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/dddd.com.au/privkey.pem;
  ssl_dhparam /etc/nginx/ssl/dddd.pem;
  root /var/www/dddd/application/public;
  client_max_body_size 4G;
  keepalive_timeout 5;
  access_log /var/log/nginx/access.dddd.com.au.log;
  error_log /var/log/nginx/error.dddd.com.au.log;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  ssl_session_cache shared:SSL:10m;
  ssl_ecdh_curve secp384r1;
  ssl_session_tickets off;
  ssl_stapling on;
  ssl_stapling_verify on;

  resolver 8.8.8.8 8.8.4.4 valid=300s;
  resolver_timeout 5s;

  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;

  location ~ ^/assets/ {
    root /var/www/dddd/application/public;
    gzip_static on;
    expires max;
    add_header Cache-Control public;
    add_header ETag "";
    break;
  }

  location / {
    try_files $uri @app;
  }

  location @app {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_pass http://dddd;
  }

  error_page 502 = @maintenance;

  location @maintenance {
    root /var/www/dddd/shared/maintenance;
    try_files $uri /index.html =502;
  }
}

Thanks in advance.

4

1 Answer

0

So... I've just had a development... I successfully deleted and re-issued the full certificate.

I think I also found a location block that works for .well-known:

location ~ ^/.well-known/ {
  allow all;
}

...and inserted it into both server blocks (for ports 80 and 443), as I did a dry-run renewal and there were no more errors... I got "Congratulations, all renewals succeeded..."

I'd be glad of any corrections on this, as I'm still very new to this stuff.

Thanks.

answered 2021-12-02T23:59:44.057
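The failure in the question is the web server answering the challenge path with something other than the file certbot wrote (here, the Rails application's 404 page served from /var/www/dddd/application/public). A useful pre-flight check, independent of certbot, is to drop a throw-away token where certbot's webroot plugin would put it and fetch it back through the web server exactly as the CA would. The script below is an added example, not code from the question, the answer or certbot; the function names (`place_token`, `fetch_token`, `check_webroot`, `run_offline_demo`) are hypothetical, and the offline demo stands in for nginx with Python's own static file server over a temporary directory, so it runs without a domain or a live server.

```python
"""Pre-flight check for an ACME http-01 webroot (hypothetical helper, not certbot's code).

certbot --webroot writes each token to <webroot>/.well-known/acme-challenge/<token>
and the CA then fetches http://<domain>/.well-known/acme-challenge/<token>,
following redirects. If the web server's document root for that path is not the
webroot handed to certbot, or another handler answers first, the CA sees a
different body (in the question: a Rails 404 page). This script reproduces that
round trip with a throw-away token before certbot is involved.
"""
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from typing import Tuple

CHALLENGE_PATH = ".well-known/acme-challenge"  # URL path used by http-01


def place_token(webroot: str) -> Tuple[str, str]:
    """Write a random token file where certbot --webroot would; return (token, body)."""
    token = secrets.token_urlsafe(32)
    body = f"{token}.{secrets.token_urlsafe(32)}"  # same shape as a key authorisation
    path = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w", encoding="ascii") as fh:
        fh.write(body)
    return token, body


def fetch_token(base_url: str, token: str, timeout: float = 5.0) -> Tuple[int, str]:
    """GET the challenge URL as the CA would. urlopen follows redirects, so an
    http->https 301 is fine as long as the https server also serves the path.
    A 4xx/5xx is returned as (status, body) rather than raised."""
    url = f"{base_url.rstrip('/')}/{CHALLENGE_PATH}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_webroot(webroot: str, base_url: str) -> Tuple[bool, str]:
    """The token placed in webroot must come back via base_url as 200 with the same body."""
    token, expected = place_token(webroot)
    try:
        status, body = fetch_token(base_url, token)
    finally:
        os.remove(os.path.join(webroot, ".well-known", "acme-challenge", token))
    if status != 200:
        return False, (f"HTTP {status} for /{CHALLENGE_PATH}/{token}: "
                       "the server's root for that location is not this webroot")
    if body.strip() != expected:
        return False, "HTTP 200 but a different body: something else answered the challenge path"
    return True, "webroot serves the challenge path correctly"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


def serve_directory(directory: str):
    """Throw-away local static server standing in for nginx; returns (server, base_url)."""
    handler = partial(_QuietHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def run_offline_demo(wrong_webroot: bool = False) -> Tuple[bool, str]:
    """Constructed scenario: one temp dir is served; with wrong_webroot=True the token
    is written to a different dir, reproducing a root that does not match certbot's -w."""
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as other:
        server, base_url = serve_directory(served)
        try:
            return check_webroot(other if wrong_webroot else served, base_url)
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    import sys
    # Real use: python acme_preflight.py /var/www/dddd/application/public http://dddd.com.au
    if len(sys.argv) == 3:
        ok, msg = check_webroot(sys.argv[1], sys.argv[2])
    else:
        ok, msg = run_offline_demo()
    print(("OK: " if ok else "FAIL: ") + msg)
    sys.exit(0 if ok else 1)
```

Run it against the real host with the webroot you pass to certbot's `-w`/`--webroot-path` and the domain's http URL; a `FAIL` with HTTP 404 means the nginx location that matches `/.well-known/acme-challenge/` is reading from a different `root` (note that `allow all`, as in the answer's block, only sets access control and does not change where files are read from), while a 200 with a different body means the request reached the application or proxy instead of the static file.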