Today I suddenly noticed that the certificate of one of my sites was showing as expired. All my certificates are managed with acme.sh, with automatic renewal enabled for every one of them. Had something gone wrong?
Run the cron job by hand:
"/home/xxx/.acme.sh"/acme.sh --cron --home "/home/xxx/.acme.sh" > /dev/null --debug
Looking at the error, it was clearly a permissions problem. After fixing the permissions, run it again:
:Verify error:Invalid response from http://xxx.com/.well-known/acme-challenge/gshdujxs0n9aunF-sY1TUcsRslfITySZsTWC3hUCL6D4sRXjy8
This is the URL used to prove ownership of the domain. Obviously I had removed that part of the configuration a long time ago, since I didn't even remember it existed...
So add it back in nginx:
location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    # alias substitutes the matched prefix verbatim, so it must point at the
    # directory acme.sh actually writes tokens to, trailing slash included
    alias /.../letsencrypt/.well-known/acme-challenge/;
}
Good, the URL is reachable now. Try again, and a different error appears:
An unexpected error occurred: There were too many requests of a given type :: Error creating new authz :: Too many failed authorizations recently.
This error message is self-explanatory, which is a good reminder of how much well-designed error messages matter!
Checking the official Let's Encrypt documentation:
There is a Failed Validation limit of 5 failures per account, per hostname, per hour. This limit is higher on our staging environment, so you can use that environment to debug connectivity problems. Exceeding the Failed Validations limit is reported with the error message too many failed authorizations recently.
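Both failures above, the challenge URL not being served and then the failed-validation limit, can be caught before talking to Let's Encrypt at all. Below is an added example, not part of the original post or of acme.sh, of a pre-flight check that does what the CA's HTTP-01 validation does: drop a random token into the webroot's .well-known/acme-challenge/ directory, fetch it over plain HTTP and compare the body with the token. The demo runs against a local http.server on a temporary directory standing in for nginx (a constructed scenario); against a real host you would pass the acme.sh webroot and http://<your-domain> instead. The second run writes the token into a directory the server does not serve, reproducing the deleted nginx location as a 404, which is exactly the kind of failure that would otherwise count toward the five per hour.

```python
# Added example (not from the original post): a local pre-flight for HTTP-01
# validation, meant to run before acme.sh asks the CA to validate.
import os
import secrets
import shutil
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# acme.sh webroot mode writes its tokens below <webroot>/.well-known/acme-challenge/
CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def write_token(webroot: str) -> str:
    """Create a random token file exactly where acme.sh would put a real one."""
    token = secrets.token_urlsafe(32)
    challenge_path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(challenge_path, exist_ok=True)
    with open(os.path.join(challenge_path, token), "w", encoding="ascii") as fh:
        fh.write(token)
    return token


def fetch_challenge(base_url: str, token: str, timeout: float = 5.0):
    """GET the challenge URL the way the CA does; return (http_status, body)."""
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("ascii", "replace").strip()
    except urllib.error.HTTPError as err:   # reachable, but e.g. 403/404 (missing location)
        return err.code, ""
    except urllib.error.URLError as err:    # DNS failure, connection refused, timeout
        return 0, str(err.reason)


def preflight(webroot: str, base_url: str):
    """Write a token, fetch it over HTTP, clean up. Returns (ok, http_status)."""
    token = write_token(webroot)
    try:
        status, body = fetch_challenge(base_url, token)
    finally:
        os.remove(os.path.join(webroot, CHALLENGE_DIR, token))
    return status == 200 and body == token, status


class _QuietHandler(SimpleHTTPRequestHandler):
    """Static file server standing in for nginx in the demo; no request logging."""

    def log_message(self, *args):
        pass


def serve_directory(directory: str) -> ThreadingHTTPServer:
    """Serve `directory` on a random localhost port in a background thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=directory))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Constructed scenario: one webroot the server exposes, one it does not."""
    served = tempfile.mkdtemp(prefix="webroot-served-")
    unserved = tempfile.mkdtemp(prefix="webroot-unserved-")
    server = serve_directory(served)
    base_url = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        ok_good, status_good = preflight(served, base_url)    # expect True, 200
        ok_bad, status_bad = preflight(unserved, base_url)    # expect False, 404
    finally:
        server.shutdown()
        server.server_close()
        shutil.rmtree(served, ignore_errors=True)
        shutil.rmtree(unserved, ignore_errors=True)
    return ok_good, status_good, ok_bad, status_bad


if __name__ == "__main__":
    print(demo())
```

Wire preflight() into the cron wrapper and skip the acme.sh run (or fall back to the staging environment the documentation mentions) whenever it returns False; a broken nginx location then costs one local request instead of an hour of lockout.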
So, wait.
An hour later I tried again and it went through; the renewal succeeded:
[Mon May 4 09:38:16 CEST 2018] Your cert is in111.com.cer
[Mon May 4 09:38:16 CEST 2018] Your cert key is in 111.com.key
[Mon May 4 09:38:16 CEST 2018] The intermediate CA cert is in 111.com/ca.cer
[Mon May 4 09:38:16 CEST 2018] And the full chain certs is there: 111.com/fullchain.cer
[Mon May 4 09:38:16 CEST 2018] Installing key to:111.com.key
[Mon May 4 09:38:16 CEST 2018] Installing full chain to:111.com.crt
[Mon May 4 09:38:16 CEST 2018] Run reload cmd: systemctl restart nginx
[Mon May 4 09:38:16 CEST 2018] Reload success
[Mon May 4 09:38:16 CEST 2018] ===End cron===