Certbot-auto renew failed - The client lacks sufficient authorization - Why?

For years I have had a certbot-auto certificate for several domains on the same server (Apache 2.2 - Debian 7). Today I noticed that my crontab had not renewed the certificate, so I tried to renew it over SSH with the following line:

    ./certbot-auto renew

The error output is as follows:

    Saving debug log to /var/log/letsencrypt/letsencrypt.log

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/www.domain1.fr.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Cert is due for renewal, auto-renewing...
    Plugins selected: Authenticator apache, Installer apache
    Renewing an existing certificate
    Performing the following challenges:
    http-01 challenge for domain2.fr
    http-01 challenge for domain1.fr
    http-01 challenge for www.domain2.fr
    http-01 challenge for www.domain1.fr
    Waiting for verification...
    Cleaning up challenges
    Attempting to renew cert (www.domain1.fr) from /etc/letsencrypt/renewal/www.domain1.fr.conf produced an unexpected error: Failed authorization procedure. domain2.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain2.fr/.well-known/acme-challenge/ZIp1x0730t7J0iJii67jS95Fli2eLhPA12SgXGzR6P8 [151.80.100.117]: 503, www.domain1.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain1.fr/.well-known/acme-challenge/hoy1fNZkCyBkK2kA7gQhhW8QpWiCk7K00kFHsxNcZgc [151.80.100.117]: 503, domain1.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain1.fr/.well-known/acme-challenge/LvfaVWC1VzbOehKgFvJe1gNd3tsEWUH3eBDan1-q8Oo [151.80.100.117]: 503, www.domain2.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain2.fr/.well-known/acme-challenge/fOAwU_IAvKW7AC9nAFNZ6InVHrYB9VmuB9tGvEGpU2c [151.80.100.117]: 503. Skipping.
    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/www.domain1.fr/fullchain.pem (failure)

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ** DRY RUN: simulating 'certbot renew' close to cert expiry
    **          (The test certificates below have not been saved.)

    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/www.domain1.fr/fullchain.pem (failure)
    ** DRY RUN: simulating 'certbot renew' close to cert expiry
    **          (The test certificates above have not been saved.)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1 renew failure(s), 0 parse failure(s)

    IMPORTANT NOTES:
     - The following errors were reported by the server:

       Domain: domain2.fr
       Type:   unauthorized
       Detail: Invalid response from
       http://domain2.fr/.well-known/acme-challenge/ZIp1x0730t7J0iJii67jS95Fli2eLhPA12SgXGzR6P8
       [151.80.100.117]: 503

       Domain: www.domain1.fr
       Type:   unauthorized
       Detail: Invalid response from
       http://www.domain1.fr/.well-known/acme-challenge/hoy1fNZkCyBkK2kA7gQhhW8QpWiCk7K00kFHsxNcZgc
       [151.80.100.117]: 503

       Domain: domain1.fr
       Type:   unauthorized
       Detail: Invalid response from
       http://domain1.fr/.well-known/acme-challenge/LvfaVWC1VzbOehKgFvJe1gNd3tsEWUH3eBDan1-q8Oo
       [151.80.100.117]: 503

       Domain: www.domain2.fr
       Type:   unauthorized
       Detail: Invalid response from
       http://www.domain2.fr/.well-known/acme-challenge/fOAwU_IAvKW7AC9nAFNZ6InVHrYB9VmuB9tGvEGpU2c
       [151.80.100.117]: 503

       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A/AAAA record(s) for that domain
       contain(s) the right IP address.
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.

I have not changed anything in the vhost configuration or the server configuration, so I do not know why certbot no longer has authorization to renew.

EDIT:

All domains have an A record in DNS with the correct IP.

My /.well-known/ folder currently has permissions 0777.

Make sure that every hostname has an A record in DNS and that each .well-known/acme-challenge directory is reachable; when it complains about 503 Service Unavailable, it could not be more obvious. The log file /var/log/letsencrypt/letsencrypt.log may contain more information.

a) On one domain, .well-known/acme-challenge needs to be excluded from URL rewriting:

    # REQUEST_URI begins with "/", so the slash must be part of the pattern
    RewriteCond %{REQUEST_URI} !^/\.well-known/

b) On the other domain, :80 must not redirect to :443.

I found an alternative solution, but it does not fix the underlying problem.

I did the trick described here: I used the following command:

    ./certbot-auto certonly -d www.domain1.fr -d domain1.fr -d domain2.fr -d www.domain2.fr

My certificate now works again.

So the problem (I think) is the way certbot-auto renew matches each website's webroot.

Many thanks to @Martin Zeitler for the help and time.

Try the nginx-certbot solution:

    sudo add-apt-repository ppa:certbot/certbot
    sudo apt install python-certbot-nginx
    sudo certbot --nginx -d xxx.xxx.com

https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04

In our case our DNS was working fine, but we still got the lacks sufficient authorization error.

I finally found the resource here: https://webdock.io/en/docs/webdock-control-panel/common-certbot-errors

Run:

    certbot rollback

followed by:

    certbot renew

and we were finally able to renew the certificate.

We were on the verge of spinning up a brand-new VM and migrating everything over, because after many attempts to fix the problem the certificate finally expired and we were in crunch mode.

Maybe this will save someone some grief.

In my case I had updated the DocumentRoot for some virtual hosts in the Apache configuration, which broke LE renewal.

You can see the LE renewal configuration under /etc/letsencrypt/renewal/mysite.com.conf.

The paths under the webroot_map section:

    [[webroot_map]]
    mysite.com = /var/www/vhosts/mysite.com
    www.mysite.com = /var/www/vhosts/mysite.com

should match the DocumentRoot in your Apache virtual host configuration.

Following my example, you can compare them with: grep DocumentRoot /etc/apache2/sites-enabled/mysite.com.conf
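The check described in this answer, written out as an added example (not code from the original post): it parses the [[webroot_map]] section of a certbot renewal conf and the DocumentRoot of an Apache vhost file and lists every hostname whose webroot no longer matches. Both config texts below are constructed samples standing in for the real files under /etc/letsencrypt/renewal/ and /etc/apache2/sites-enabled/.

```python
# Constructed sample of /etc/letsencrypt/renewal/mysite.com.conf
RENEWAL_CONF = """[renewalparams]
authenticator = webroot
[[webroot_map]]
mysite.com = /var/www/vhosts/mysite.com
www.mysite.com = /var/www/vhosts/mysite.com
"""
# Constructed sample vhost whose DocumentRoot moved after the cert was issued
VHOST_CONF = """<VirtualHost *:80>
    ServerName mysite.com
    ServerAlias www.mysite.com
    DocumentRoot /var/www/vhosts/mysite.com/public
</VirtualHost>
"""

def parse_webroot_map(conf_text):
    """Return {hostname: webroot} from the [[webroot_map]] section."""
    mapping, in_section = {}, False
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("["):            # any section header
            in_section = line == "[[webroot_map]]"
        elif in_section and "=" in line:
            host, _, path = line.partition("=")
            mapping[host.strip()] = path.strip()
    return mapping

def parse_vhost_roots(vhost_text):
    """Return {hostname: DocumentRoot} for each <VirtualHost> block."""
    roots, names, docroot = {}, [], None
    for line in vhost_text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] in ("ServerName", "ServerAlias"):
            names.extend(tokens[1:])
        elif tokens and tokens[0] == "DocumentRoot":
            docroot = tokens[1].strip('"')
        elif tokens and tokens[0] == "</VirtualHost>":
            roots.update((n, docroot) for n in names)
            names, docroot = [], None
    return roots

def find_mismatches(webroot_map, vhost_roots):
    """Hosts whose certbot webroot differs from the Apache DocumentRoot."""
    return {h: (w, vhost_roots.get(h)) for h, w in webroot_map.items()
            if vhost_roots.get(h) != w}

if __name__ == "__main__":
    for h, (w, d) in find_mismatches(parse_webroot_map(RENEWAL_CONF),
                                      parse_vhost_roots(VHOST_CONF)).items():
        print(f"{h}: certbot webroot {w} but Apache DocumentRoot {d}")
```

A hostname reported here is one where certbot will write the http-01 token into a directory Apache no longer serves, producing exactly the "Invalid response" failure shown in the question.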

I had the same problem, and in my case it was a newly introduced rule on the organization's firewall that explicitly blocked acme-protocol. Yes, I spent hours investigating, and in the end I placed a test file in the .well-known/acme-challenge folder and tried to load it in a browser, only to get this page:

    Application Blocked Access to the application you were trying to use has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.

    User: MY-IP-ADDRESS

    Application: acme-protocol

So when none of the other answers help you, try checking for this kind of unpleasant greeting from the network department.