Certbot certificate renewal fails

We are having a problem with certbot SSL renewal. We have multiple sites under /etc/nginx/sites-available/.

We have set up this location block for the .well-known directory:

location ~ /\\.well-known {
    auth_basic off;
    root /etc/letsencrypt;
    allow all;
}

And we have a renewal configuration for each site in the /etc/letsencrypt/renewal directory.
Here is an example for one of the sites.

#renew_before_expiry = 30 days
version = 2.7.4
archive_dir = /etc/letsencrypt/archive/redacted.com
cert = /etc/letsencrypt/live/redacted.com/cert.pem
privkey = /etc/letsencrypt/live/redacted.com/privkey.pem
chain = /etc/letsencrypt/live/redacted.com/chain.pem
fullchain = /etc/letsencrypt/live/redacted.com/fullchain.pem

#Options used in the renewal process
[renewalparams]
allow_subset_of_names = True
account = 670273d7a9a89f2d3494cf6e38739b1c
rsa_key_size = 4096
post_hook = /bin/systemctl reload nginx
authenticator = webroot
webroot_path = /etc/letsencrypt,
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
[[webroot_map]]
redacted.com = /etc/letsencrypt

Our certbot version is 2.7.4; it still does not work after we upgraded from 1.32.0.

We know the problem is related to ip6tables, but we have already set ACCEPT rules for ports 443 and 80.

When we try to access the acme-challenge files during certbot renew --dry-run, we can access them successfully. So ports 80 and 443 should not be the problem.

When we change the ip6tables INPUT filter from DROP to ACCEPT, all sites can renew, but when we use the INPUT DROP filter, most sites fail to renew with the following error.

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: redacted.com
Type: connection
Detail: xxx.xxx.xxx.xxx: Fetching https://redacted.com/.well-known/acme-challenge/EIJFF3UFqtZJCZtG_Kv9Ca7BGA5LiuBdb9JIWxXIhVg: Timeout during connect (likely firewall problem)

We have tried a minimal rule set, and tried adding ACCEPT rules for ports 80 and 443 at the top of the input chain, but that did not work either. So we are stuck here.

An example Nginx configuration can be found in the lines below.

server {
    listen [::]:80;
    server_name .redacted.com;
    return 301 https://redacted.com$request_uri;
}

server {
    listen [::]:443 ssl http2;
    server_name redacted.com;
    access_log /var/www/log/access/redacted.access.log main buffer=32k;
    error_log /var/www/log/error/redacted.com.error.log notice;
    limit_conn gulag 200;
    root /var/www/web/redacted.com/web;
    index index.php;

    ssl_certificate /etc/letsencrypt/live/redacted.com/fullchain.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/redacted.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/redacted.com/privkey.pem;
    include ssl_params;

    ## Standard site protection
    include	snippets/standard.conf;

    location ~ /\\.well-known {
        auth_basic off;
        root /etc/letsencrypt;
        allow all;
    }

    ## Deny illegal Host headers
    if ($host !~* ^(redacted.com|redacted.com)$ ) {
        return 444;
        break;
    }

    ## Drupal configuration
    include snippets/drupal7-php7.4.conf;

    ## php handling
    include snippets/php7.4.conf;
}

By the way, we can see HTTP 200 status codes for the acme files in the Nginx log during certbot renewal.
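The situation above (ip6tables INPUT policy DROP, ACCEPT rules for tcp/80 and tcp/443, yet "Timeout during connect") is the kind of thing worth checking mechanically. The script below is an added example, not part of the original post or of certbot: it audits an `ip6tables -S INPUT` dump for the chain policy, for ACCEPT rules on 80/443 and whether a catch-all DROP/REJECT shadows them, and for an ICMPv6 ACCEPT rule, which IPv6 needs for neighbour discovery under a DROP policy. The rule dump is constructed to mirror the post's setup and is not a real capture.

```shell
#!/bin/sh
# Added example (not from the original post): audit an `ip6tables -S INPUT`
# dump for the conditions the post describes: policy DROP, ACCEPT rules for
# tcp/80 and tcp/443, and whether a terminating rule shadows them.

# Constructed sample shaped like `ip6tables -S INPUT`; not a real dump.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# Default policy of the INPUT chain ("DROP" or "ACCEPT").
input_policy() {
    printf '%s\n' "$1" | awk '/^-P INPUT/ { print $3; exit }'
}

# "ok" if a tcp ACCEPT for port $1 appears before any catch-all DROP/REJECT
# (a rule with no --dport), "shadowed" if such a rule precedes it, "missing"
# if no ACCEPT for that port exists at all.
tcp_accept_state() {
    printf '%s\n' "$2" | awk -v port="$1" '
        /^-A INPUT/ && /-j (DROP|REJECT)/ && !/--dport/ { blocked = 1 }
        /^-A INPUT/ && /-p tcp/ && index($0, "--dport " port " ") && /-j ACCEPT/ {
            print (blocked ? "shadowed" : "ok"); found = 1; exit }
        END { if (!found) print "missing" }'
}

# IPv6 relies on ICMPv6 (neighbour discovery); with policy DROP and no
# ICMPv6 ACCEPT rule the host is unreachable even though 80/443 are open.
icmpv6_state() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT/ && /-p (ipv6-icmp|icmpv6|58)( |$)/ && /-j ACCEPT/ { ok = 1 }
        END { print (ok ? "ok" : "missing") }'
}

# One line per check, so the output reads as a short audit report.
audit_input_chain() {
    rules=$1
    echo "policy:   $(input_policy "$rules")"
    for p in 80 443; do
        echo "tcp/$p:   $(tcp_accept_state "$p" "$rules")"
    done
    echo "icmpv6:   $(icmpv6_state "$rules")"
}

audit_input_chain "$SAMPLE_RULES"
```

On a live host, replace the constructed sample with `ip6tables -S INPUT` output (for example `audit_input_chain "$(ip6tables -S INPUT)"`).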

I think you would get better help on the nginx or Let's Encrypt forums. This isn't really a Discourse issue.