
How do I change the challenge from tls-sni-01 to webroot for an existing letsencrypt certificate?

I am trying to renew my certificate, which is about to expire. I used the Apache plugin with certbot for it: sudo certbot --apache -d support.example.com.

However, when I now try to renew it, it uses the tls-sni-01 challenge and therefore cannot authenticate:

Processing /etc/letsencrypt/renewal/support.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for support.example.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (support.example.com) from /etc/letsencrypt/renewal/support.example.com.conf produced an unexpected error: Failed authorization procedure. support.example.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 1ab20abd9ac656e814998274e38cd6e1.cfffa3659f04d5bb0c041a9fef293f9d.acme.invalid from <EXTERNAL IP-ADDRESS:443>. Received 2 certificate(s), first certificate had names "*.example.com". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/support.example.com/fullchain.pem (failure)

And

 - The following errors were reported by the server:

   Domain: support.example.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   1ab20abd9ac656e814998274e38cd6e1.cfffa3659f04d5bb0c041a9fef293f9d.acme.invalid
   from <EXTERNAL IP-ADDRESS:443>. Received 2 certificate(s), first
   certificate had names "*.example.com"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Here is the content of support.example.com.conf

# renew_before_expiry = 30 days
version = 0.22.2
archive_dir = /etc/letsencrypt/archive/support.example.com
cert = /etc/letsencrypt/live/support.example.com/cert.pem
privkey = /etc/letsencrypt/live/support.example.com/privkey.pem
chain = /etc/letsencrypt/live/support.example.com/chain.pem
fullchain = /etc/letsencrypt/live/support.example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = <ACCOUNT NUMBER>

As I understand it, certbot tries to renew with the DNS challenge, while I used webroot (via the Apache plugin), so it does not succeed.

How can I set up certbot so that it uses the webroot challenge correctly?

update:

When I run certbot renew --dry-run, the correct http-01 challenge is used

Processing /etc/letsencrypt/renewal/support.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for support.example.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/support.example.com/fullchain.pem

How is that possible?

update 2:

I changed the renewal conf to use the correct webroot challenge.

# renew_before_expiry = 30 days
version = 0.22.2
archive_dir = /etc/letsencrypt/archive/support.example.com
cert = /etc/letsencrypt/live/support.example.com/cert.pem
privkey = /etc/letsencrypt/live/support.example.com/privkey.pem
chain = /etc/letsencrypt/live/support.example.com/chain.pem
fullchain = /etc/letsencrypt/live/support.example.com/fullchain.pem

[renewalparams]
post_hook = service apache2 start
installer = apache
account = a57eab015444b60984498d853e6c3531
authenticator = webroot
pre_hook = service apache2 stop
[[webroot_map]]
support.example.com = /var/www/support/

When I now run a renewal, the following error is shown:

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer apache
Running pre-hook command: service apache2 stop
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for support.example.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (support.example.com) from /etc/letsencrypt/renewal/support.example.com.conf produced an unexpected error: Failed authorization procedure. support.example.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://support.example.com/.well-known/acme-challenge/VDmwSn8yXRbV2dFGe6dvsWelJBthNE33aoynDZ9i3qE: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/support.example.com/fullchain.pem (failure)

I can reach http://support.example.com/.well-known/acme-challenge from outside, so in my opinion this could not be the problem.

2
wouter205

Okay, after much head scratching I figured it out. In my renewal conf I had specified that Apache should be stopped ... so my site was unavailable and we could not establish a connection, hence the error.

With the right settings I can renew my certificate with the webroot method (instead of the Apache plugin with tls-sni-01, which somehow does not work).

# renew_before_expiry = 30 days
version = 0.26.1
archive_dir = /etc/letsencrypt/archive/support.example.com
cert = /etc/letsencrypt/live/support.example.com/cert.pem
privkey = /etc/letsencrypt/live/support.example.com/privkey.pem
chain = /etc/letsencrypt/live/support.example.com/chain.pem
fullchain = /etc/letsencrypt/live/support.example.com/fullchain.pem


[renewalparams]
installer = apache
account = a57eab015444b60984498d853e6c3531
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
support.example.com = /var/www/support/

edit:

For completeness, here is also my virtualhost configuration, which allows access to the location /.well-known/acme-challenge and redirects all traffic except that one location to https.

<VirtualHost *:80>
        ServerName support.example.com
        DocumentRoot /var/www/support/

        <Location />
                Options Indexes FollowSymLinks
                AllowOverride All
                Require all granted
                Satisfy Any
        </Location>

        <Location /.well-known/acme-challenge/>
                DirectoryIndex index.html
                DirectoryIndex enabled
                Require all granted
        </Location>

        RedirectMatch 301 ^(?!/\.well-known/acme-challenge/).* https://support.example.com$0
</VirtualHost>
2
wouter205
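A lint for the misconfiguration diagnosed in this answer, as an added example that is not part of the original post: it reads a certbot renewal conf and flags authenticator = webroot combined with a pre_hook that stops the web server, the combination that produced the "Connection refused" on the http-01 fetch above, and also checks that every [[webroot_map]] path exists. It assumes certbot's INI-like conf layout and webroot paths without spaces; the script name in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: lint a certbot renewal conf for
# the mistake diagnosed above (authenticator = webroot plus a pre_hook that
# stops the web server, so the http-01 token can never be served).
# Assumed: certbot's INI-like conf layout and webroot paths without spaces.

# Print the value of key $2 from conf $1 (first match, empty if unset).
renewal_param() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Print every path listed under [[webroot_map]] in conf $1, one per line.
webroot_paths() {
    awk '/^\[\[webroot_map\]\]/ { m = 1; next }
         /^\[/                  { m = 0 }
         m && /=/               { sub(/^[^=]*=[ \t]*/, ""); print }' "$1"
}

# Exit status: 0 = consistent, 1 = webroot with a pre_hook that stops the
# server, 2 = a mapped webroot directory is missing, 3 = webroot but no map.
check_renewal_conf() {
    conf="$1"
    auth=$(renewal_param "$conf" authenticator)
    # Only the webroot authenticator needs a running web server during renewal.
    [ "$auth" = "webroot" ] || return 0

    case "$(renewal_param "$conf" pre_hook)" in
        *stop*)
            echo "$conf: pre_hook stops the web server; http-01 token cannot be served" >&2
            return 1 ;;
    esac

    paths=$(webroot_paths "$conf")
    if [ -z "$paths" ]; then
        echo "$conf: authenticator = webroot but no [[webroot_map]] section" >&2
        return 3
    fi
    for p in $paths; do
        if [ ! -d "$p" ]; then
            echo "$conf: webroot $p does not exist" >&2
            return 2
        fi
    done
    return 0
}

# Stand-alone use (constructed name): ./lint-renewal.sh /etc/letsencrypt/renewal/support.example.com.conf
if [ -n "${1:-}" ]; then
    check_renewal_conf "$1"
fi
```

Run it against each file in /etc/letsencrypt/renewal/ before `certbot renew`; a non-zero status explains the failure before the ACME server ever tries to connect.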