nginx Certbot acme-challenge失败(连接被拒绝)

kh212irz 于 2022-11-28 发布在 Nginx

关注(0)|答案(3)|浏览(1164)

我正在尝试使用docker + nginx按照教程Nginx and Let's Encrypt with Docker in Less Than 5 Minutes建立一个Django项目。
The issue is when I run the script init-letsencrypt.sh I end up with failed challenges.
下面是我的脚本内容：

#!/bin/bash

if ! [ -x "$(command -v docker-compose)" ]; then
  echo 'Error: docker-compose is not installed.' >&2
  exit 1
fi

domains=(xxxx.yyyy.net www.xxxx.yyyy.net)
rsa_key_size=4096
data_path="./data/certbot"
email="myemail@example.com" # Adding a valid address is strongly recommended
staging=1 # Set to 1 if you're testing your setup to avoid hitting request limits

if [ -d "$data_path" ]; then
  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
    exit
  fi
fi

if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
  echo "### Downloading recommended TLS parameters ..."
  mkdir -p "$data_path/conf/"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
  echo
fi

echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
docker-compose -f docker-compose-deploy.yml run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
    -keyout '$path/privkey.pem' \
    -out '$path/fullchain.pem' \
    -subj '/CN=localhost'" certbot
echo

echo "### Starting nginx ..."
docker-compose -f docker-compose-deploy.yml up --force-recreate -d proxy
echo

echo "### Deleting dummy certificate for $domains ..."
docker-compose -f docker-compose-deploy.yml  run --rm --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \
  rm -Rf /etc/letsencrypt/archive/$domains && \
  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo

echo "### Requesting Let's Encrypt certificate for $domains ..."
#Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
done

# Select appropriate email arg
case "$email" in
  "") email_arg="--register-unsafely-without-email" ;;
  *) email_arg="--email $email" ;;
esac

# Enable staging mode if needed
if [ $staging != "0" ]; then staging_arg="--staging"; fi

docker-compose  -f docker-compose-deploy.yml run --rm --entrypoint "\
  certbot -v certonly --webroot -w /var/www/certbot \
    $staging_arg \
    $email_arg \
    $domain_args \
    --rsa-key-size $rsa_key_size \
    --agree-tos \
    --force-renewal" certbot
echo

echo "### Reloading nginx ..."
docker-compose  -f docker-compose-deploy.yml exec proxy nginx -s reload

还有我的nginx配置文件：

server {
    listen 80;
    server_name xxxx.yyyy.net;
       
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    
    location / {
        return 301 https://$server_name$request_uri;
    }

}

server {
    listen 443 ssl;
    server_name xxxx.yyyy.net;
    
    ssl_certificate /etc/letsencrypt/live/xxxx.yyyy.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxxx.yyyy.net/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; 
    
    location /static {
        alias /vol/static;
    }

    location / {
        uwsgi_pass web:8000;
        include /etc/nginx/uwsgi_params;
    }

}

失败部分的输出：

Requesting a certificate for xxxx.yyyy.net and www.xxxx.yyyy.net
Performing the following challenges:
http-01 challenge for xxxx.yyyy.net
http-01 challenge for www.xxxx.yyyy.net
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification...
Challenge failed for domain xxxx.yyyy.net
Challenge failed for domain www.xxxx.yyyy.net
http-01 challenge for xxxx.yyyy.net
http-01 challenge for www.xxxx.yyyy.net

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: xxxx.yyyy.net
  Type:   connection
  Detail: Fetching http://xxxx.yyyy.net/.well-known/acme-challenge/XJw9w39lRSSbPf-4tb45RLtTnSbjlUEi1f0Cqwsmt-8: Connection refused

  Domain: www.xxxx.yyyy.net
  Type:   connection
  Detail: Fetching http://www.xxxx.yyyy.net/.well-known/acme-challenge/b47s4WJARyOTS63oFkaji2nP7oOhiLx5hHp4kO9dCGI: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: 1

其中一条评论说：

但没有进一步的解释如何解决它。
Check the certbot commit

nginx

来源：https://stackoverflow.com/questions/68449947/certbot-failing-acme-challenge-connection-refused

3条答案

按热度按时间

ukqbszuj1#

问题出在nginx配置文件。由于缺少证书文件，容器无法正确启动。我注解掉了ssl服务器部分，重建了映像并再次执行了脚本。一切都很顺利。生成证书后，我只是取消了ssl配置的注解，重建了映像并组合了服务。

赞(0）回复(0）举报 2022-11-28

2wnc66cl2#

有同样的问题;解决方案是确保我在nginx和certbot服务中正确定义了卷块。

//other services

nginx:
container_name: nginx
image: nginx:1.13
ports:
  - "80:80"
  - "443:443"

volumes:
  - ./config/nginx/conf.d:/etc/nginx/conf.d
  - ./data/certbot/conf:/etc/letsencrypt
  - ./data/certbot/www:/var/www/certbot

certbot:
container_name: certbot
image: certbot/certbot
volumes:
  - ./data/certbot/conf:/etc/letsencrypt
  - ./data/certbot/www:/var/www/certbot

赞(0）回复(0）举报 2022-11-28

4zcjmb1e3#

此外，如果您使用EC2作为云服务器，请不要忘记为端口80和443添加入站规则。

赞(0）回复(0）举报 2022-11-28