Certbot:"Some challenges failed" 尝试在 Google Cloud Platform 的 App Engine 上为应用程序创建通配符证书时

Certbot: "Some challenges failed" when trying to create certificate for wildcard for app on Google Cloud Platform's App Engine

example.com只是一个例子。我确实拥有我正在尝试使用的域。

我想做什么?

我想使用 certbot 生成 SSL 通配符证书以在 Google 云平台上使用,这样像 https://this.example.com 这样的 url 就可以工作了。

我做了什么?

我有一个使用自定义域名 (example.com) 的应用引擎实例 运行。 我在 Cloud DNS 中有一个 DNS 区域,其中 example.com 作为 DNS 名称。 A/AAAA 指向与 App Engine 的自定义域选项卡中指定的相同 IPv4 和 IPv6 地址的记录。

什么有效?

导航到 https://example.com or https://www.example.com works. Navigating to http://example.com or http://www.example.com 重定向到 https。

什么不起作用?

这是命令我运行:

sudo certbot certonly --dns-google --dns-google-credentials *CREDENTIALS* -d *.example.com

凭据是我的服务帐户密钥文件的位置。

几分钟后,我得到一个错误:

Domain: example.com
Type: unauthorized
Detail: No TXT record found at _acme-challenge.example.com

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.

我认为它可能是什么?

我希望更新需要一段时间,但我不确定。

**编辑: 日志。在我在这里分享之前,它通过了一个自动秘密删除工具。如果它删除了您需要查看的内容,请告诉我!

**EDIT2:为 SA 添加了新日志和 IAM 角色

我使用的服务帐户具有 DNS 管理员角色。

FILE_LOCATION = Location of credentials file
***** = Hidden

2021-11-25 21:18:03,991:DEBUG:certbot.main:certbot version: 0.40.0
2021-11-25 21:18:03,992:DEBUG:certbot.main:Arguments: ['--dns-google', '--dns-google-credentials', 'FILE_LOCATION', '-d', '*.example.com', '--dns-google-propagation-seconds', '120']
2021-11-25 21:18:03,992:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#dns-google,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-11-25 21:18:04,003:DEBUG:certbot.log:Root logging level set at 20
2021-11-25 21:18:04,003:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-11-25 21:18:04,004:DEBUG:certbot.plugins.selection:Requested authenticator dns-google and installer None
2021-11-25 21:18:04,004:DEBUG:certbot.plugins.selection:Single candidate plugin: * dns-google
Description: Obtain certificates using a DNS TXT record (if you are using Google Cloud DNS for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-google = certbot_dns_google.dns_google:Authenticator
Initialized: <certbot_dns_google.dns_google.Authenticator object at 0x7ff1c3afc7c0>
Prep: True
2021-11-25 21:18:04,004:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_dns_google.dns_google.Authenticator object at 0x7ff1c3afc7c0> and installer None
2021-11-25 21:18:04,004:INFO:certbot.plugins.selection:Plugins selected: Authenticator dns-google, Installer None
2021-11-25 21:18:04,008:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/*****', new_authzr_uri=None, terms_of_service=None), *****, Meta(creation_dt=datetime.datetime(2021, 11, 24, 22, 26, 59, tzinfo=<UTC>), creation_host='*****'))>
2021-11-25 21:18:04,008:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-11-25 21:18:04,010:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-11-25 21:18:04,489:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-11-25 21:18:04,491:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 25 Nov 2021 20:18:04 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "HgGq9-KQs_w": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-11-25 21:18:04,493:INFO:certbot.main:Obtaining a new certificate
2021-11-25 21:18:04,525:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0036_key-certbot.pem
2021-11-25 21:18:04,529:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0036_csr-certbot.pem
2021-11-25 21:18:04,530:DEBUG:acme.client:Requesting fresh nonce
2021-11-25 21:18:04,530:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-11-25 21:18:04,747:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-11-25 21:18:04,749:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 25 Nov 2021 20:18:04 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: *****
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2021-11-25 21:18:04,749:DEBUG:acme.client:Storing nonce: *****
2021-11-25 21:18:04,750:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "*.example.com"\n    }\n  ]\n}'
2021-11-25 21:18:04,757:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "*****",
  "signature": "*****",
  "payload": "*****"
}
2021-11-25 21:18:05,475:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 338
2021-11-25 21:18:05,476:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Thu, 25 Nov 2021 20:18:05 GMT
Content-Type: application/json
Content-Length: 338
Connection: keep-alive
Boulder-Requester: *****
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/*****/*****
Replay-Nonce: *****
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2021-12-02T20:18:05Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "*.example.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/*****"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/*****/*****"
}
2021-11-25 21:18:05,477:DEBUG:acme.client:Storing nonce: *****
2021-11-25 21:18:05,478:DEBUG:acme.client:JWS payload:
b''
2021-11-25 21:18:05,484:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/*****:
{
  "protected": "*****",
  "signature": "*****",
  "payload": ""
}
2021-11-25 21:18:06,101:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/***** HTTP/1.1" 200 386
2021-11-25 21:18:06,103:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 25 Nov 2021 20:18:06 GMT
Content-Type: application/json
Content-Length: 386
Connection: keep-alive
Boulder-Requester: *****
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: *****
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "example.com"
  },
  "status": "pending",
  "expires": "2021-12-02T20:18:05Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/*****/*****",
      "token": "*****"
    }
  ],
  "wildcard": true
}
2021-11-25 21:18:06,103:DEBUG:acme.client:Storing nonce: *****
2021-11-25 21:18:06,104:INFO:certbot.auth_handler:Performing the following challenges:
2021-11-25 21:18:06,105:INFO:certbot.auth_handler:dns-01 challenge for example.com
2021-11-25 21:18:06,106:WARNING:certbot.plugins.dns_common:Unsafe permissions on credentials configuration file: FILE_LOCATION
2021-11-25 21:18:06,110:INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
2021-11-25 21:18:06,400:INFO:googleapiclient.discovery:URL being requested: GET https://dns.googleapis.com/dns/v1/projects/*****/managedZones?dnsName=example.com.&alt=json
2021-11-25 21:18:06,401:INFO:oauth2client.transport:Attempting refresh to obtain initial access_token
2021-11-25 21:18:06,403:INFO:oauth2client.client:Refreshing access_token
2021-11-25 21:18:06,796:DEBUG:certbot_dns_google.dns_google:Found id of ***** for example.com using name example.com
2021-11-25 21:18:06,800:INFO:googleapiclient.discovery:URL being requested: GET https://dns.googleapis.com/dns/v1/projects/*****/managedZones/*****/rrsets?alt=json
2021-11-25 21:18:06,998:INFO:googleapiclient.discovery:URL being requested: POST https://dns.googleapis.com/dns/v1/projects/*****/managedZones/*****/changes?alt=json
2021-11-25 21:18:07,676:INFO:googleapiclient.discovery:URL being requested: GET https://dns.googleapis.com/dns/v1/projects/*****/managedZones/*****/changes/46?alt=json
2021-11-25 21:18:07,894:INFO:certbot.plugins.dns_common:Waiting 120 seconds for DNS changes to propagate
2021-11-25 21:20:07,995:INFO:certbot.auth_handler:Waiting for verification...
2021-11-25 21:20:07,996:DEBUG:acme.client:JWS payload:
b'{\n  "resource": "challenge",\n  "type": "dns-01"\n}'
2021-11-25 21:20:08,008:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/*****/*****:
{
  "protected": "*****",
  "signature": "*****",
  "payload": "*****"
}
2021-11-25 21:20:08,782:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/*****/***** HTTP/1.1" 200 185
2021-11-25 21:20:08,784:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 25 Nov 2021 20:20:08 GMT
Content-Type: application/json
Content-Length: 185
Connection: keep-alive
Boulder-Requester: *****
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/*****>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/*****/*****
Replay-Nonce: *****
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "dns-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/*****/*****",
  "token": "*****"
}
2021-11-25 21:20:08,784:DEBUG:acme.client:Storing nonce: *****
2021-11-25 21:20:09,786:DEBUG:acme.client:JWS payload:
b''
2021-11-25 21:20:09,793:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/*****:
{
  "protected": "*****",
  "signature": "*****",
  "payload": ""
}
2021-11-25 21:20:11,326:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/***** HTTP/1.1" 200 668
2021-11-25 21:20:11,327:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 25 Nov 2021 20:20:11 GMT
Content-Type: application/json
Content-Length: 668
Connection: keep-alive
Boulder-Requester: *****
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: *****
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "example.com"
  },
  "status": "invalid",
  "expires": "2021-12-02T20:18:05Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.example.com - check that a DNS record exists for this domain",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/*****/*****",
      "token": "*****",
      "validated": "2021-11-25T20:20:08Z"
    }
  ],
  "wildcard": true
}
2021-11-25 21:20:11,328:DEBUG:acme.client:Storing nonce: *****
2021-11-25 21:20:11,329:WARNING:certbot.auth_handler:Challenge failed for domain example.com
2021-11-25 21:20:11,330:INFO:certbot.auth_handler:dns-01 challenge for example.com
2021-11-25 21:20:11,330:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: example.com
Type:   dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.example.com - check that a DNS record exists for this domain
2021-11-25 21:20:11,331:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2021-11-25 21:20:11,331:DEBUG:certbot.error_handler:Calling registered functions
2021-11-25 21:20:11,331:INFO:certbot.auth_handler:Cleaning up challenges
2021-11-25 21:20:11,334:INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
2021-11-25 21:20:12,254:INFO:googleapiclient.discovery:URL being requested: GET https://dns.googleapis.com/dns/v1/projects/*****/managedZones?dnsName=example.com.&alt=json
2021-11-25 21:20:12,254:INFO:oauth2client.transport:Attempting refresh to obtain initial access_token
2021-11-25 21:20:12,256:INFO:oauth2client.client:Refreshing access_token
2021-11-25 21:20:12,832:DEBUG:certbot_dns_google.dns_google:Found id of ***** for example.com using name example.com
2021-11-25 21:20:12,836:INFO:googleapiclient.discovery:URL being requested: GET https://dns.googleapis.com/dns/v1/projects/*****/managedZones/*****/rrsets?alt=json
2021-11-25 21:20:13,009:INFO:googleapiclient.discovery:URL being requested: POST https://dns.googleapis.com/dns/v1/projects/*****/managedZones/*****/changes?alt=json
2021-11-25 21:20:13,628:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1265, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 417, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

经过长时间的评论,我们找到了问题所在。

OP 正在为 Authoritative Name Servers 使用 Google 个域。

Certbot 没有用于 Google 域 DNS 服务器的 plugin。 Google Domains 未发布 API。

解决方法是手动创建所需的DNS资源记录或switch to another supported DNS server such as Google Cloud DNS