(Http-01): urn: ietf: params: acme: error: unauthorized error when I execute "$ sudo certbot renew --dry-run" command
(Http-01): urn: ietf: params: acme: error: unauthorized error when I execute "$ sudo certbot renew --dry-run" command
环境 ・Nginx ・CentOS 7 ・Certbot 0.31.0
$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/hoge.example.com.conf
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for hoge.example.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (hoge.example.com) from /etc/letsencrypt/renewal/hoge.example.com.conf produced an unexpected error: Failed authorization procedure. hoge.example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://hoge.example.com/.well-known/acme-challenge/xxxx [IP address]: "<!doctype html>\r\n<html lang=\"ja\">\r\n<head>\r\n\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n\t<meta http-e". Skipping.
问题
・授权过程失败到底是什么意思?
・错误内容在Skipping中被截断。我应该怎么做才能全部显示出来?
2019/4/16 加
$ sudo less /var/log/letsencrypt/letsencrypt.log
2019-04-16 20:40:54,333:DEBUG:certbot.updater:Skipping renewal deployer in dry-run mode.
2019-04-16 20:40:55,401:DEBUG:certbot.updater:Skipping updaters in dry-run mode.
2019-04-16 20:40:55,455:DEBUG:certbot.cli:Var dry_run=True (set by user).
2019-04-16 20:40:55,455:DEBUG:certbot.cli:Var server=set(['staging', 'dry_run']) (set by user).
2019-04-16 20:40:55,456:DEBUG:certbot.cli:Var dry_run=True (set by user).
2019-04-16 20:40:55,456:DEBUG:certbot.cli:Var server=set(['staging', 'dry_run']) (set by user).
2019-04-16 20:40:55,456:DEBUG:certbot.cli:Var account=set(['server']) (set by user).
2019-04-16 20:40:55,482:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2019-05-01 22:55:56 UTC.
2019-04-16 20:40:55,482:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2019-04-16 20:40:55,482:DEBUG:certbot.plugins.selection:Requested authenticator manual and installer None
2019-04-16 20:40:55,483:DEBUG:certbot.plugins.disco:Other error:(PluginEntryPoint#manual): An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/plugins/disco.py", line 132, in prepare
self._initialized.prepare()
File "/usr/lib/python2.7/site-packages/certbot/plugins/manual.py", line 133, in prepare
self.option_name('auth-hook')))
PluginError: An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
2019-04-16 20:40:55,516:DEBUG:certbot.plugins.selection:No candidate plugin
2019-04-16 20:40:55,516:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
2019-04-16 20:40:55,516:INFO:certbot.main:Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
2019-04-16 20:40:55,520:WARNING:certbot.renewal:Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
2019-04-16 20:40:55,527:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 452, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1187, in renew_cert
installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
File "/usr/lib/python2.7/site-packages/certbot/plugins/selection.py", line 237, in choose_configurator_plugins
diagnose_configurator_problem("authenticator", req_auth, plugins)
File "/usr/lib/python2.7/site-packages/certbot/plugins/selection.py", line 341, in diagnose_configurator_problem
raise errors.PluginSelectionError(msg)
PluginSelectionError: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
2019-04-16 20:40:55,527:ERROR:certbot.renewal:The following certs could not be renewed:
2019-04-16 20:40:55,527:ERROR:certbot.renewal: /etc/letsencrypt/live/entrepreneur.0mode.tokyo/fullchain.pem (failure)
/etc/letsencrypt/live/example.com/fullchain.pem (failure)
2019-04-16 20:40:55,528:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 9, in <module>
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1365, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1272, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 477, in handle_renewal_request
len(renew_failures), len(parse_failures)))
这里的问题是您正在尝试更新 hoge.example.com 上的证书,您几乎肯定不拥有该证书。 letsencrypt nginx 插件将更新您的 nginx 配置,以便在域 hoge.example.com 的端口 80 (http) 上有一个服务器块。它将在 .well-known/<some-hash> 处提供路径。然后 letsencrypt 服务器向 http://hoge.example.com/.well-known/<some-hash> 发送一个 HTTP 请求。这是失败的,因为您实际上并不拥有域。
您需要更改配置,以便为您拥有的域创建证书。
EDIT: 有了日志,我知道了更多信息。
日志的关键行是:
Requested authenticator manual and installer None
Other error:(PluginEntryPoint#manual): An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
这意味着您没有使用 nginx 插件,而是 manual plugin。当你使用手动插件时,你需要指定一个授权挂钩,这基本上是一种证明你拥有你所说的网站的方式。可能是你的配置有问题。
这是我的样子:
# renew_before_expiry = 30 days
version = 0.32.0
archive_dir = /etc/letsencrypt/archive/my-domain.net
cert = /etc/letsencrypt/live/my-domain.net/cert.pem
privkey = /etc/letsencrypt/live/my-domain.net/privkey.pem
chain = /etc/letsencrypt/live/my-domain.net/chain.pem
fullchain = /etc/letsencrypt/live/my-domain.net/fullchain.pem
# Options used in the renewal process
[renewalparams]
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
account = xxx123456789xxx
authenticator = nginx
注意 installer 和 authenticator 部分。你的看起来应该很相似。
我首先建议您确保您的配置看起来像我的,然后再试一次。如果这不起作用,您可能应该删除并重新创建您的证书。
环境 ・Nginx ・CentOS 7 ・Certbot 0.31.0
$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/hoge.example.com.conf
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for hoge.example.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (hoge.example.com) from /etc/letsencrypt/renewal/hoge.example.com.conf produced an unexpected error: Failed authorization procedure. hoge.example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://hoge.example.com/.well-known/acme-challenge/xxxx [IP address]: "<!doctype html>\r\n<html lang=\"ja\">\r\n<head>\r\n\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n\t<meta http-e". Skipping.
问题
・授权过程失败到底是什么意思?
・错误内容在Skipping中被截断。我应该怎么做才能全部显示出来?
2019/4/16 加
$ sudo less /var/log/letsencrypt/letsencrypt.log
2019-04-16 20:40:54,333:DEBUG:certbot.updater:Skipping renewal deployer in dry-run mode.
2019-04-16 20:40:55,401:DEBUG:certbot.updater:Skipping updaters in dry-run mode.
2019-04-16 20:40:55,455:DEBUG:certbot.cli:Var dry_run=True (set by user).
2019-04-16 20:40:55,455:DEBUG:certbot.cli:Var server=set(['staging', 'dry_run']) (set by user).
2019-04-16 20:40:55,456:DEBUG:certbot.cli:Var dry_run=True (set by user).
2019-04-16 20:40:55,456:DEBUG:certbot.cli:Var server=set(['staging', 'dry_run']) (set by user).
2019-04-16 20:40:55,456:DEBUG:certbot.cli:Var account=set(['server']) (set by user).
2019-04-16 20:40:55,482:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2019-05-01 22:55:56 UTC.
2019-04-16 20:40:55,482:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2019-04-16 20:40:55,482:DEBUG:certbot.plugins.selection:Requested authenticator manual and installer None
2019-04-16 20:40:55,483:DEBUG:certbot.plugins.disco:Other error:(PluginEntryPoint#manual): An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/plugins/disco.py", line 132, in prepare
self._initialized.prepare()
File "/usr/lib/python2.7/site-packages/certbot/plugins/manual.py", line 133, in prepare
self.option_name('auth-hook')))
PluginError: An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
2019-04-16 20:40:55,516:DEBUG:certbot.plugins.selection:No candidate plugin
2019-04-16 20:40:55,516:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
2019-04-16 20:40:55,516:INFO:certbot.main:Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
2019-04-16 20:40:55,520:WARNING:certbot.renewal:Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
2019-04-16 20:40:55,527:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 452, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1187, in renew_cert
installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
File "/usr/lib/python2.7/site-packages/certbot/plugins/selection.py", line 237, in choose_configurator_plugins
diagnose_configurator_problem("authenticator", req_auth, plugins)
File "/usr/lib/python2.7/site-packages/certbot/plugins/selection.py", line 341, in diagnose_configurator_problem
raise errors.PluginSelectionError(msg)
PluginSelectionError: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
2019-04-16 20:40:55,527:ERROR:certbot.renewal:The following certs could not be renewed:
2019-04-16 20:40:55,527:ERROR:certbot.renewal: /etc/letsencrypt/live/entrepreneur.0mode.tokyo/fullchain.pem (failure)
/etc/letsencrypt/live/example.com/fullchain.pem (failure)
2019-04-16 20:40:55,528:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 9, in <module>
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1365, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1272, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 477, in handle_renewal_request
len(renew_failures), len(parse_failures)))
这里的问题是您正在尝试更新 hoge.example.com 上的证书,您几乎肯定不拥有该证书。 letsencrypt nginx 插件将更新您的 nginx 配置,以便在域 hoge.example.com 的端口 80 (http) 上有一个服务器块。它将在 .well-known/<some-hash> 处提供路径。然后 letsencrypt 服务器向 http://hoge.example.com/.well-known/<some-hash> 发送一个 HTTP 请求。这是失败的,因为您实际上并不拥有域。
您需要更改配置,以便为您拥有的域创建证书。
EDIT: 有了日志,我知道了更多信息。
日志的关键行是:
Requested authenticator manual and installer None
Other error:(PluginEntryPoint#manual): An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
这意味着您没有使用 nginx 插件,而是 manual plugin。当你使用手动插件时,你需要指定一个授权挂钩,这基本上是一种证明你拥有你所说的网站的方式。可能是你的配置有问题。
这是我的样子:
# renew_before_expiry = 30 days
version = 0.32.0
archive_dir = /etc/letsencrypt/archive/my-domain.net
cert = /etc/letsencrypt/live/my-domain.net/cert.pem
privkey = /etc/letsencrypt/live/my-domain.net/privkey.pem
chain = /etc/letsencrypt/live/my-domain.net/chain.pem
fullchain = /etc/letsencrypt/live/my-domain.net/fullchain.pem
# Options used in the renewal process
[renewalparams]
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
account = xxx123456789xxx
authenticator = nginx
注意 installer 和 authenticator 部分。你的看起来应该很相似。
我首先建议您确保您的配置看起来像我的,然后再试一次。如果这不起作用,您可能应该删除并重新创建您的证书。