Notes on a small problem renewing a Let's Encrypt certificate


Cause of the problem: I had the certificate renewal command wrong. The official command is simply ./letsencrypt-auto certonly --renew-by-default --email <email> -d <domain> -d <domain>, but that assumes you have already set up your letsencrypt directory, so the full path has to be given: /root/letsencrypt/letsencrypt-auto

The certificate had expired and the site could no longer be reached. I tried renewing it with the official command /root/letsencrypt/letsencrypt-auto certonly --renew-by-default --email <email> -d <domain> -d <domain>, but it returned the following error:

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: xxx
   Type:   unauthorized
   Detail: Invalid response from
   http://xxx/.well-known/acme-challenge/YxN0U1DuMpbN_3qixJYgguURTy2rLNyTDxxxE:
   "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body
   bgcolor=\"white\">\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Roughly, this means domain validation failed. DNS was fine; the real problem was that the certificate had expired and the normal renewal steps were no longer working.
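The 404 in the error above is worth reading literally: the ACME CA asked the web server for /.well-known/acme-challenge/<token> over plain HTTP and got nginx's own "404 Not Found" page instead of the token file, so the web server was not serving the challenge path. The following Python script is an added example and is not code from the original post or from certbot: it parses certbot's error block into structured records (so a monitoring job can tell an "unauthorized" 404 from a DNS or connection failure) and does a pre-flight check of the challenge path the same way the CA does, by writing a probe file under a webroot and fetching it over HTTP, so that a renewal can be checked before certbot runs rather than diagnosed from a failed challenge. The host, port, webroot and the sample output are constructed; self_check() stands in for nginx with Python's built-in http.server so the whole thing runs offline.

```python
"""Pre-flight check for HTTP-01 renewals (added example, not the post's code).

  * parse_certbot_errors(): turn certbot's "errors were reported by the
    server" block into structured records.
  * write_probe() + probe_acme_path(): mimic the ACME CA by placing a token
    under <webroot>/.well-known/acme-challenge/ and fetching it over HTTP.
    If this comes back 404, a webroot/nginx-plugin renewal will fail too.
"""
import functools
import http.client
import http.server
import os
import re
import secrets
import tempfile
import threading

# Filesystem location (relative to the webroot) and the URL path the CA fetches.
CHALLENGE_SUBDIR = os.path.join(".well-known", "acme-challenge")
CHALLENGE_URL_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample, modelled on the error block shown in the post.
SAMPLE_CERTBOT_OUTPUT = r"""IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: xxx
   Type:   unauthorized
   Detail: Invalid response from
   http://xxx/.well-known/acme-challenge/TOKEN-PLACEHOLDER:
   "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body
   bgcolor=\"white\">\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
"""

# One record per "Domain:/Type:/Detail:" group; Detail runs until a blank line.
ERROR_BLOCK_RE = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s+Type:\s*(?P<type>\S+)\s+"
    r"Detail:\s*(?P<detail>.*?)(?=\n[ \t]*\n|\Z)",
    re.S,
)


def parse_certbot_errors(output):
    """Return a list of {'domain', 'type', 'detail', 'http_status'} dicts."""
    records = []
    for m in ERROR_BLOCK_RE.finditer(output):
        detail = " ".join(m.group("detail").split())  # collapse wrapped lines
        status = re.search(r"<title>(\d{3})\b", detail)  # status from the HTML title
        records.append({
            "domain": m.group("domain"),
            "type": m.group("type"),
            "detail": detail,
            "http_status": int(status.group(1)) if status else None,
        })
    return records


def write_probe(webroot, token=None):
    """Create a throw-away token file the way the webroot authenticator would."""
    token = token or secrets.token_urlsafe(16)
    body = "probe-" + token
    directory = os.path.join(webroot, CHALLENGE_SUBDIR)
    os.makedirs(directory, exist_ok=True)
    with open(os.path.join(directory, token), "w", encoding="ascii") as fh:
        fh.write(body)
    return token, body


def remove_probe(webroot, token):
    """Clean up the probe file; a missing file is not an error."""
    try:
        os.remove(os.path.join(webroot, CHALLENGE_SUBDIR, token))
    except FileNotFoundError:
        pass


def probe_acme_path(host, port, token, expected_body, timeout=5):
    """GET the challenge URL over plain HTTP, as the CA does.
    Returns (http_status, body_matches)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_URL_PREFIX + token)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        return resp.status, body.strip() == expected_body
    finally:
        conn.close()


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


def self_check():
    """Offline demonstration: serve a temporary webroot with the stdlib HTTP
    server (standing in for nginx), probe with and without the token."""
    with tempfile.TemporaryDirectory() as webroot:
        handler = functools.partial(_QuietHandler, directory=webroot)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        port = server.server_address[1]
        try:
            token, body = write_probe(webroot)
            served = probe_acme_path("127.0.0.1", port, token, body)    # (200, True)
            remove_probe(webroot, token)
            missing = probe_acme_path("127.0.0.1", port, token, body)   # (404, False)
        finally:
            server.shutdown()
            server.server_close()
    return {"served": served, "missing": missing}


if __name__ == "__main__":
    for rec in parse_certbot_errors(SAMPLE_CERTBOT_OUTPUT):
        print(f"{rec['domain']}: {rec['type']} (HTTP {rec['http_status']})")
    print(self_check())
```

Against a real deployment you would point write_probe() at the nginx webroot and probe_acme_path() at the public hostname on port 80; a 404 there means the server block (or a redirect to HTTPS that the expired certificate now breaks) is not handing out files from /.well-known/acme-challenge/, which is exactly the condition that forces the standalone workaround described next.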

After some searching, I tried the force-renewal command to deal with the expired certificate first:

/root/letsencrypt/letsencrypt-auto renew --force-renewal --renew-hook "/etc/init.d/nginx reload"

Before running this command you need to stop Nginx, otherwise port 80 is still in use and the standalone authenticator cannot bind it:

nginx -s quit

Once it ran successfully the certificate was renewed and its expiry extended; the output was:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/xxxxx.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xxxx
http-01 challenge for xxxx
Waiting for verification...
Cleaning up challenges

Connection closed.

I then went into crontab -e to update the renewal command, and ran it by hand once more; it reported no problems:

/root/letsencrypt/letsencrypt-auto certonly --renew-by-default --email <email> -d xxx -d xxx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator nginx, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xxxx
http-01 challenge for xxxx
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/xxxx/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/xxxx/privkey.pem
   Your cert will expire on 2019-02-22. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Finally, a small additional issue:

nginx complains that its configuration file is not where it expects it:

nginx: [emerg] open() "/etc/nginx/nginx.conf" failed (2: No such file or directory)

Fix:

cp -r /usr/local/nginx/conf/* /etc/nginx/

If you want to repost this, please credit the source.