letsencrypt certbot 超时错误
letsencrypt certbot timeout error
我在尝试 运行 命令
时收到这个奇怪的 letsencrypt 错误
$ certbot certonly --standalone --email example@gmail.com --agree-tos -n -d trumporate.com,www.trumporate.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for trumporate.com
tls-sni-01 challenge for www.trumporate.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. trumporate.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout, www.trumporate.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: trumporate.com
Type: connection
Detail: Timeout
Domain: www.trumporate.com
Type: connection
Detail: Timeout
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
现在我已经使用
生成了文件 dhparam
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
这是我当前的 nginx 配置文件
$ cat /etc/nginx/sites-available/trumporate
server {
listen 80;
server_name trumporate.com www.trumporate.com;
location / {
include proxy_params;
proxy_redirect off;
proxy_pass http://127.0.0.1:5000;
}
}
不确定我哪里出错了。在我 运行ning certbot 所在的虚拟机上 trumporate.com 应该可以解析吗?
再次停止 nginx 和 运行,出现同样的错误
我已经通过route53注册了域名。
它有 2 条 A 类记录指向附加到 ec2 盒子的弹性 IP。
一个用于 www 版本,一个没有它,有 4 个 NS 记录和一个 SOA 记录,我认为在创建托管区域时默认情况下就存在
Should trumporate.com be resolvable on this vm where I am running certbot?
听起来您没有 运行在您尝试获取证书的 ec2 机器上执行命令。这将是一个问题,因为 standalone 启动了一个网络服务器,然后尝试使用您提供的域从外部访问它。 "proves" 可以这么说,您拥有该域。您需要 运行 来自 ec2 框的命令,并且您需要打开它 运行 通过您的安全组通向世界的端口。您可以使用 --tls-sni-01-port 指定 tls-sni 端口(失败的端口),但默认情况下它在 443 上,因此您可能只需要打开端口 443。
您还提到您正在使用 route53,因此您可以只使用 route53 验证程序。这具有在任何地方工作的优势,您只需要在 运行 所在的计算机上设置访问权限 key/secret。
certbot certonly --dns-route53 --domains trumporate.com,www.trumporate.com
此类问题的一个选项是无法访问域上的 .well-known 文件夹。例如,.htaccess 将所有查询重定向到 index.php..
我在尝试 运行 命令
时收到这个奇怪的 letsencrypt 错误$ certbot certonly --standalone --email example@gmail.com --agree-tos -n -d trumporate.com,www.trumporate.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for trumporate.com
tls-sni-01 challenge for www.trumporate.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. trumporate.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout, www.trumporate.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: trumporate.com
Type: connection
Detail: Timeout
Domain: www.trumporate.com
Type: connection
Detail: Timeout
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
现在我已经使用
生成了文件dhparam
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
这是我当前的 nginx 配置文件
$ cat /etc/nginx/sites-available/trumporate
server {
listen 80;
server_name trumporate.com www.trumporate.com;
location / {
include proxy_params;
proxy_redirect off;
proxy_pass http://127.0.0.1:5000;
}
}
不确定我哪里出错了。在我 运行ning certbot 所在的虚拟机上 trumporate.com 应该可以解析吗?
再次停止 nginx 和 运行,出现同样的错误
我已经通过route53注册了域名。 它有 2 条 A 类记录指向附加到 ec2 盒子的弹性 IP。 一个用于 www 版本,一个没有它,有 4 个 NS 记录和一个 SOA 记录,我认为在创建托管区域时默认情况下就存在
Should trumporate.com be resolvable on this vm where I am running certbot?
听起来您没有 运行在您尝试获取证书的 ec2 机器上执行命令。这将是一个问题,因为 standalone 启动了一个网络服务器,然后尝试使用您提供的域从外部访问它。 "proves" 可以这么说,您拥有该域。您需要 运行 来自 ec2 框的命令,并且您需要打开它 运行 通过您的安全组通向世界的端口。您可以使用 --tls-sni-01-port 指定 tls-sni 端口(失败的端口),但默认情况下它在 443 上,因此您可能只需要打开端口 443。
您还提到您正在使用 route53,因此您可以只使用 route53 验证程序。这具有在任何地方工作的优势,您只需要在 运行 所在的计算机上设置访问权限 key/secret。
certbot certonly --dns-route53 --domains trumporate.com,www.trumporate.com
此类问题的一个选项是无法访问域上的 .well-known 文件夹。例如,.htaccess 将所有查询重定向到 index.php..