letsencrypt renew 的疑惑 , 求解

llyang · 发表于 2020-3-5 11:36:09

源码如下，用dry-run调试半天发现：
删除80端口server_name就可以，否则一直报错

基本环境: centos 8, nginx 1.14.1

[ol]

server {

listen 80;

# server_name www.abc.com abc.com;

return 301 https://$host$request_uri;

}

server {

listen 443 ssl http2;

server_name www.abc.com;

ssl_certificate /var/lib/letsencrypt/live/abc.com/fullchain.pem;

ssl_certificate_key /var/lib/letsencrypt/live/abc.com/privkey.pem;

ssl_trusted_certificate /var/lib/letsencrypt/live/abc.com/chain.pem;

return 301 https://abc.com$request_uri;

}

server {

listen 443 ssl http2;

server_name abc.com;

ssl_certificate /var/lib/letsencrypt/live/abc.com/fullchain.pem;

ssl_certificate_key /var/lib/letsencrypt/live/abc.com/privkey.pem;

ssl_trusted_certificate /var/lib/letsencrypt/live/abc.com/chain.pem;

}

[/ol]复制代码

cz8384 · 发表于 2020-3-8 13:08:23

我记得certbot申请证书到后面有个选项，1是301跳转，2是直接443，不知道你当时选择的是哪个？

llyang · 发表于 2020-3-8 10:45:13

看看周末有高人帮忙看下吗？

石沉大海，自己顶一下

头像一条狗 · 发表于 2020-3-8 10:48:33

没遇到过，lnmp一直都是丢着自己自动跟新的

Rayer · 发表于 2020-3-8 10:48:56

头像一条狗发表于 2020-3-8 10:48

一键脚本它不香吗？
https://certbot.eff.org/instructions
就是用的certbot一键自动更新呢

llyang · 发表于 2020-3-8 12:04:59

Rayer 发表于 2020-3-8 10:48

没遇到过，lnmp一直都是丢着自己自动跟新的
没用外面的script, 自己下捣鼓的

llyang · 发表于 2020-3-8 10:48:00

nginx 1.14应当不用在listen后加ssl这个参数了

没给出错代码，看不出来具体原因。不过http转https且www转不带的似乎不是你这么写。

listen 80之后直接写 return 301 https://abc.com$request_uri就行了吧，也就是80的统一转到abc.com，加一个443的www转no-www。

aRNoLD · 发表于 2020-3-8 12:33:00

七楼正解，安排吧

supermicro · 发表于 2020-3-8 10:48:00

[ol]

server {

listen 80;

server_name www.abc.com abc.com;

return 301 https://abc.com$request_uri;

}

server {

listen 443 ssl http2;

server_name www.abc.com;

ssl_certificate /var/lib/letsencrypt/live/abc.com/fullchain.pem;

ssl_certificate_key /var/lib/letsencrypt/live/abc.com/privkey.pem;

ssl_trusted_certificate /var/lib/letsencrypt/live/abc.com/chain.pem;

return 301 https://abc.com$request_uri;

}

server {

listen 443 ssl http2;

server_name abc.com;

ssl_certificate /var/lib/letsencrypt/live/abc.com/fullchain.pem;

ssl_certificate_key /var/lib/letsencrypt/live/abc.com/privkey.pem;

ssl_trusted_certificate /var/lib/letsencrypt/live/abc.com/chain.pem;

}

[/ol]复制代码
aRNoLD 发表于 2020-3-8 13:05

nginx 1.14应当不用在listen后加ssl这个参数了

没给出错代码，看不出来具体原因。不过http转https且www转 ...
按照你的说法修改2处

1、80端口下面return 301语句
2、删除listen中ssl

仍然报错
[ol]

Attempting to renew cert (abc.com) from /var/lib/letsencrypt/renewal/abc.com.conf produced an unexpected error: Some challenges have failed.. Skipping.

All renewal attempts failed. The following certs could not be renewed:

/var/lib/letsencrypt/live/abc.com/fullchain.pem (failure)

Domain: www.abc.com

Type: connection

Detail: Fetching

https://abc.com/.well-known/acme-challenge/bEWma_iCofw9DriTtTuBL5jgi6l4Fiq3pnYEkoedD8A:

Error getting validation data

[/ol]复制代码

		自动登录	找回密码
密码			立即注册

letsencrypt renew 的疑惑 , 求解

浏览过的版块