I'm trying to set up a Let's Encrypt certificate on a publicly accessible server. The server was originally hidden behind a router, but I have since forwarded ports 80 and 443.
The certificate seems to get most of the way through the installation process, but fails with the following message: Failed to connect to host for DVSNI challenge.
Full stack trace:
Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: sudo /bin/letsencrypt certonly --standalone -d example.net -d www.example.net
Failed authorization procedure. example.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge

IMPORTANT NOTES:
 - The following 'urn:acme:error:connection' errors were reported by the server:

   Domains: example.net
   Error: The server could not connect to the client to verify the domain
Any help would be greatly appreciated!
I've looked around for a solution without much luck. Most other similar cases were resolved by forwarding port 443, but I've confirmed that this port is already forwarded and open, although no service is currently running on it.
It shouldn't make any difference, but I'm trying to set up this certificate for use with Node.js on a Raspberry Pi.
I finally figured out what was going on. I found that the --manual flag steps through the authentication process interactively.
Each stage of the process shows a prompt similar to the following:
Make sure your web server displays the following content at
http://www.example.net/.well-known/acme-challenge/twJCKQm9SbPEapgHpyU5TdAR1ErRaiCyxEB5zhhw0w8 before continuing:

twJCKQm9SbPEapgHpyU5TdAR1ErRaiCyxEB5zhhw0w8.t7J7DDTbktMGCCu2KREoIHv1zwkvwGfJTAkJrnELb4U

If you don't have HTTP server configured, you can run the following
command on the target server (as root):

mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
cd /tmp/letsencrypt/public_html
printf "%s" twJCKQm9SbPEapgHpyU5TdAR1ErRaiCyxEB5zhhw0w8.t7J7DDTbktMGCCu2KREoIHv1zwkvwGfJTAkJrnELb4U > .well-known/acme-challenge/twJCKQm9SbPEapgHpyU5TdAR1ErRaiCyxEB5zhhw0w8
# run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()"
Press ENTER to continue
As I found out, even though it was running as root, the process did not have permission to start the challenge server itself. This may of course be a bug in the API.
Running the script from the prompt directly produced the following error:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
> "import BaseHTTPServer, SimpleHTTPServer; \
> s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
> s.serve_forever()"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/SocketServer.py", line 419, in __init__
    self.server_bind()
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 108, in server_bind
    SocketServer.TCPServer.server_bind(self)
  File "/usr/lib/python2.7/SocketServer.py", line 430, in server_bind
    self.socket.bind(self.server_address)
  File "/usr/lib/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 13] Permission denied
But running it as root (as the prompt itself says) started the server correctly, and it could be watched as the external server queried it to complete the challenge:
sudo $(command -v python2 || command -v python2.7 || command -v python2.6) -c "import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()"
66.133.109.36 - - [08/Jan/2016 21:25:10] "GET /.well-known/acme-challenge/SZ88SorxBGXBtSZCTn4FX2g7u5XjnPFOOV3f5S5DuXB HTTP/1.1" 200 -
66.133.109.36 - - [08/Jan/2016 21:25:10] "GET /.well-known/acme-challenge/twJCKQm9SbPEapgHpyU5TdAR1ErRaiCyxEB5zhhw0w8 HTTP/1.1" 200 -
This error took a while to diagnose because many things can cause the challenge to fail, and the spawned server fails silently in the background.
If you are using Cloudflare DNS in front of your site, remember to point the DNS A/AAAA records directly at your site until the renewal completes.
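The manual HTTP-01 flow in the answer above boils down to three steps: write the key authorization into .well-known/acme-challenge/<token>, bind a web server on port 80 (which needs root, hence the Errno 13), and let the CA fetch the file. The following is an added example, not code from the original answer or from the letsencrypt client: a Python 3 stand-in for the python2 one-liner in the prompt, plus a loopback self-check that fetches the challenge URL the way the CA would before you press ENTER. It assumes Python 3.7 or newer (for ThreadingHTTPServer and the directory argument of SimpleHTTPRequestHandler); the token and key authorization are the expired values quoted in the prompt, reused as sample data.

```python
"""Added example: serve and self-check an ACME HTTP-01 challenge file.

Python 3 equivalent of the BaseHTTPServer one-liner from the --manual prompt,
with a local end-to-end check.  Not part of the original answer or of the
letsencrypt client.  Requires Python 3.7+.
"""
import functools
import http.server
import os
import shutil
import socket
import tempfile
import threading
import urllib.error
import urllib.request

# Sample values taken from the prompt quoted in the answer (long expired).
TOKEN = "twJCKQm9SbPEapgHpyU5TdAR1ErRaiCyxEB5zhhw0w8"
KEY_AUTH = TOKEN + ".t7J7DDTbktMGCCu2KREoIHv1zwkvwGfJTAkJrnELb4U"


def write_challenge(webroot, token, key_auth):
    """Equivalent of the mkdir -p / printf "%s" lines in the prompt: create
    <webroot>/.well-known/acme-challenge/<token> containing key_auth with no
    trailing newline, because the CA compares the response body exactly."""
    path = os.path.join(webroot, ".well-known", "acme-challenge", token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(key_auth)
    return path


def can_bind(port, host=""):
    """True if this process is allowed to bind TCP `port`.  Port 80 needs root
    or CAP_NET_BIND_SERVICE; otherwise bind() raises PermissionError, the
    '[Errno 13] Permission denied' traceback shown in the answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            sock.bind((host, port))
        except PermissionError:
            return False
    return True


def start_challenge_server(webroot, host="", port=80):
    """Serve `webroot` over plain HTTP in a background thread and return the
    server.  Same role as the python2 one-liner: a bare directory server with
    no access control, so run it only for the duration of the challenge."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler,
                                directory=webroot)
    server = http.server.ThreadingHTTPServer((host, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def check_challenge(base_url, token, key_auth):
    """Fetch the challenge URL the way the CA does and compare the body
    byte-for-byte with key_auth.  Returns (ok, detail)."""
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    # Empty ProxyHandler: ignore http_proxy so the check hits the host directly.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=5) as resp:
            body = resp.read()
    except urllib.error.HTTPError as exc:
        return False, f"HTTP {exc.code}"
    except (urllib.error.URLError, OSError) as exc:
        return False, f"connection failed: {exc}"
    if body != key_auth.encode():
        return False, "body mismatch"
    return True, "ok"


def self_test(port=0):
    """End-to-end run on loopback (port 0 picks any free port, no root needed):
    write the file, serve it, fetch it, and confirm an unknown token gets 404
    rather than some other file's contents."""
    webroot = tempfile.mkdtemp(prefix="acme-")
    write_challenge(webroot, TOKEN, KEY_AUTH)
    server = start_challenge_server(webroot, "127.0.0.1", port)
    try:
        host, bound_port = server.server_address[:2]
        base = f"http://{host}:{bound_port}"
        good = check_challenge(base, TOKEN, KEY_AUTH)
        missing = check_challenge(base, "no-such-token", KEY_AUTH)
    finally:
        server.shutdown()
        server.server_close()
        shutil.rmtree(webroot, ignore_errors=True)
    return good, missing


if __name__ == "__main__":
    print("can bind port 80:", can_bind(80))
    print(self_test())  # expected: ((True, 'ok'), (False, 'HTTP 404'))
```

For the real challenge, run can_bind(80) first: if it returns False you are not root (or lack CAP_NET_BIND_SERVICE), which is exactly the failure mode in the answer. Then start_challenge_server("/tmp/letsencrypt/public_html") as root, and run check_challenge("http://www.example.net", token, key_auth) from a machine outside your network before pressing ENTER, since the CA's connection, not a local one, is what the challenge depends on.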