使用 certbot 更新证书以添加子域
Update certificate with certbot to add subdomain
我有一个域,其中安装了 LetsEncrypt 证书和 apache conf 设置,可以将 www 转发到非 www,将非 ssl 转发到 ssl。一切都很好,直到我决定添加一个子域并尝试生成一个新证书来涵盖这两个域。
现在我在 运行 certbot 时得到以下输出:
root@arthas:~# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: domain.com
2: playground.domain.com
3: www.playground.domain.com
4: www.domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2,3,4
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/domain.com.conf)
It contains these names: domain.com, www.domain.com
You requested these names for the new certificate: domain.com,
playground.domain.com, www.playground.domain.com, www.domain.com.
Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain.com
http-01 challenge for playground.domain.com
http-01 challenge for www.domain.com
http-01 challenge for www.playground.domain.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
Created an SSL vhost at /etc/apache2/sites-enabled/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
An unexpected error occurred:
ValueError: Unable to set value to path!
Please see the logfiles in /var/log/letsencrypt for more details.
IMPORTANT NOTES:
- Unable to install the certificate
- Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/domain.com/fullchain.pem
Your key file has been saved at: /etc/letsencrypt/live/domain.com/privkey.pem
Your cert will expire on 2019-07-19.
To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option.
To non-interactively renew *all* of your certificates, run "certbot renew"
- Some rewrite rules copied from /etc/apache2/sites-enabled/000-default.conf were disabled in the vhost for your HTTPS site located at /etc/apache2/sites-enabled/000-default-le-ssl.conf because they have the potential to create redirection loops.
此外,我已将我的 000-default.conf 文件的内容复制到下面:
# Added to mitigate CVE-2017-8295 vulnerability
UseCanonicalName On
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName domain.com
ServerAlias www.domain.com
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.domain.com [OR]
RewriteCond %{SERVER_NAME} =domain.com [OR]
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName playground.domain.com
ServerAlias www.playground.domain.com
DocumentRoot /var/www/html/playground
<Directory /var/www/html/playground>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.playground.domain.com [OR]
RewriteCond %{SERVER_NAME} =playground.domain.com [OR]
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
您似乎有几个 .conf 个文件可能会导致冲突。
- 方法一:将所有
<VirtualHost *:80>和<VirtualHost *:443>
同一配置文件中的规则
- 方法二:分开放置
在末尾添加
Include /path/to/httpd-le-ssl.conf
000-default.conf
运行$ sudo certbot renew --dry-run查看修改配置成功还是失败
使用 --dry-run 不会影响您排除故障和修复配置时的限制。成功完成后,您可以通过各种方式 运行 certbot 并期望一切正常。
我在尝试一次为多个域安装证书时收到相同的错误消息。如果您将所有 VirtualHost 都放在同一个配置文件中并且不想将它们分开,请尝试分别为域安装证书。
示例:
当您需要为以下域安装证书时
- domain01.com
- www.domain01.com
- domain02.com
- www.domain02.com
在步骤
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1,2,3,4
输入 1、2 而不是 1、2、3、4,然后重复安装 3、4
我遇到了同样的问题。下面的步骤已经解决了我的问题。
如果您已经尝试设置 SSL,请删除所有现有的 certbot 文件。
按照此 link 如何从系统中删除现有的 Certbot 文件
https://askubuntu.com/a/1195603/871518
将所有单独的域与单个 vhost.conf 文件分开。
示例:
domain1.conf
domain2.conf
Enable vhost in your created two new file by typing :
a2ensite domain1.conf
a2esnite domain2.conf
- 运行 certbot 命令:
sudo certbot --apache
如果“serverAlias”包含在您的虚拟列表中,您可能会看到 4 个域列表:
1. domain1.com
2. domain2.com
3. www.domain1.com
4. www.domain2.com
Select第一趟只有1和3
- 是的,您已经成功地完成了 domain1.com SSL 支持,并再次按照相同的方式进行 SSL 支持 domain2.com :
sudo certbot --apache
当您 运行 此命令时,请确保您的顺序也正确。因此,例如:example.org 应该在请求中的 mail.example.org 之前。否则,尤其是在使用 Route 53 选项时会收到奇怪的区域错误消息。
我有一个域,其中安装了 LetsEncrypt 证书和 apache conf 设置,可以将 www 转发到非 www,将非 ssl 转发到 ssl。一切都很好,直到我决定添加一个子域并尝试生成一个新证书来涵盖这两个域。
现在我在 运行 certbot 时得到以下输出:
root@arthas:~# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: domain.com
2: playground.domain.com
3: www.playground.domain.com
4: www.domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2,3,4
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/domain.com.conf)
It contains these names: domain.com, www.domain.com
You requested these names for the new certificate: domain.com,
playground.domain.com, www.playground.domain.com, www.domain.com.
Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain.com
http-01 challenge for playground.domain.com
http-01 challenge for www.domain.com
http-01 challenge for www.playground.domain.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
Created an SSL vhost at /etc/apache2/sites-enabled/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
An unexpected error occurred:
ValueError: Unable to set value to path!
Please see the logfiles in /var/log/letsencrypt for more details.
IMPORTANT NOTES:
- Unable to install the certificate
- Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/domain.com/fullchain.pem
Your key file has been saved at: /etc/letsencrypt/live/domain.com/privkey.pem
Your cert will expire on 2019-07-19.
To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option.
To non-interactively renew *all* of your certificates, run "certbot renew"
- Some rewrite rules copied from /etc/apache2/sites-enabled/000-default.conf were disabled in the vhost for your HTTPS site located at /etc/apache2/sites-enabled/000-default-le-ssl.conf because they have the potential to create redirection loops.
此外,我已将我的 000-default.conf 文件的内容复制到下面:
# Added to mitigate CVE-2017-8295 vulnerability
UseCanonicalName On
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName domain.com
ServerAlias www.domain.com
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.domain.com [OR]
RewriteCond %{SERVER_NAME} =domain.com [OR]
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName playground.domain.com
ServerAlias www.playground.domain.com
DocumentRoot /var/www/html/playground
<Directory /var/www/html/playground>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.playground.domain.com [OR]
RewriteCond %{SERVER_NAME} =playground.domain.com [OR]
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
您似乎有几个 .conf 个文件可能会导致冲突。
- 方法一:将所有
<VirtualHost *:80>和<VirtualHost *:443>同一配置文件中的规则 - 方法二:分开放置
在末尾添加
Include /path/to/httpd-le-ssl.conf000-default.conf
运行$ sudo certbot renew --dry-run查看修改配置成功还是失败
使用 --dry-run 不会影响您排除故障和修复配置时的限制。成功完成后,您可以通过各种方式 运行 certbot 并期望一切正常。
我在尝试一次为多个域安装证书时收到相同的错误消息。如果您将所有 VirtualHost 都放在同一个配置文件中并且不想将它们分开,请尝试分别为域安装证书。
示例:
当您需要为以下域安装证书时
- domain01.com
- www.domain01.com
- domain02.com
- www.domain02.com
在步骤
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1,2,3,4
输入 1、2 而不是 1、2、3、4,然后重复安装 3、4
我遇到了同样的问题。下面的步骤已经解决了我的问题。
如果您已经尝试设置 SSL,请删除所有现有的 certbot 文件。 按照此 link 如何从系统中删除现有的 Certbot 文件 https://askubuntu.com/a/1195603/871518
将所有单独的域与单个 vhost.conf 文件分开。 示例:
domain1.conf domain2.conf
Enable vhost in your created two new file by typing :
a2ensite domain1.conf a2esnite domain2.conf
- 运行 certbot 命令:
sudo certbot --apache
如果“serverAlias”包含在您的虚拟列表中,您可能会看到 4 个域列表:
1. domain1.com 2. domain2.com 3. www.domain1.com 4. www.domain2.com
Select第一趟只有1和3
- 是的,您已经成功地完成了 domain1.com SSL 支持,并再次按照相同的方式进行 SSL 支持 domain2.com :
sudo certbot --apache
当您 运行 此命令时,请确保您的顺序也正确。因此,例如:example.org 应该在请求中的 mail.example.org 之前。否则,尤其是在使用 Route 53 选项时会收到奇怪的区域错误消息。