liberal-boy / tls-shunt-proxy

Splits TLS traffic; supports splitting by SNI, and separating HTTP from featureless (unidentifiable) traffic.

Failed to obtain certificate #10

Closed kecikeci closed 3 years ago

kecikeci commented 4 years ago

After starting, it reports an error: failed to obtain the certificate. The domain's A record already points at this server. The server's DNS is 8.8.8.8, the server is in Hong Kong and can reach the internet.

Jul 10 09:00:25 ecs-rDQq tls-shunt-proxy[8276]: 2020/07/10 09:00:25 [INFO] [域名] acme: use http-01 solver
Jul 10 09:00:25 ecs-rDQq tls-shunt-proxy[8276]: 2020/07/10 09:00:25 [INFO] [域名] acme: Trying to solve HTTP-01
Jul 10 09:00:32 ecs-rDQq tls-shunt-proxy[8276]: 2020/07/10 09:00:32 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/75044397
Jul 10 09:00:32 ecs-rDQq tls-shunt-proxy[8276]: 2020/07/10 09:00:32 [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/75044397
Jul 10 09:00:32 ecs-rDQq tls-shunt-proxy[8276]: 2020/07/10 09:00:32 [ERROR] acme: Error -> One or more domains had a problem:
Jul 10 09:00:32 ecs-rDQq tls-shunt-proxy[8276]: [域名] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://域名/.well-known/acme-challenge/tu9W8JY4FjUyDpwPQAyDawK6CZzSs6A5kdeH7EP9Nig: Error getting validation data, url:
Jul 10 09:00:32 ecs-rDQq tls-shunt-proxy[8276]: (challenge=http-01 remaining=[])
Jul 10 09:00:34 ecs-rDQq tls-shunt-proxy[8276]: 2020/07/10 09:00:34 [ERROR] attempt 2: [域名] Obtain: [域名] acme: Error -> One or more domains had a problem:
Jul 10 09:00:34 ecs-rDQq tls-shunt-proxy[8276]: [域名] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://域名/.well-known/acme-challenge/tu9W8JY4FjUyDpwPQAyDawK6CZzSs6A5kdeH7EP9Nig: Error getting validation data, url:
Jul 10 09:00:34 ecs-rDQq tls-shunt-proxy[8276]: - retrying in 2m0s (1m55.074590577s/720h0m0s elapsed)...

liberal-boy commented 4 years ago

Please provide the config file and more logs.

kecikeci commented 4 years ago

config.yaml

listen: 0.0.0.0:443
vhosts:
    # change example.com to your domain
  - name: 域名
    tlsoffloading: true
    managedcert: true
    alpn: h2,http/1.1
    # if tls12 compatibility is not needed, this can be changed to tls13
    protocols: tls12,tls13
    http:
      handler: fileServer
      # /var/www/html is the static website directory
      args: /data/wwwroot/default
    default:
      handler: proxyPass
      args: 127.0.0.1:10000

The logs above were printed by `service tls-shunt-proxy status -l`; both the server and the service have been restarted. The same config and procedure work fine with another domain and server. The difference may be that I started the tls-shunt-proxy service first and only set up the domain's DNS record afterwards? I did it that way yesterday and assumed DNS had not finished propagating; today I restarted the tls-shunt-proxy service and it still cannot issue the certificate.

kecikeci commented 4 years ago

sudo -u tls-shunt-proxy /usr/local/bin/tls-shunt-proxy -config /etc/tls-shunt-proxy/config.yaml

This command reports "permission denied"? Which thing has no permission...

tls-shunt-proxy version 0.5.1
2020/07/10 14:35:57 failed to listen on 0.0.0.0:443: listen tcp 0.0.0.0:443: bind: permission denied

liberal-boy commented 4 years ago

I can't see anything wrong; I still suspect DNS.

kecikeci commented 4 years ago

What is the "permission denied" error about?

Wikeolf commented 4 years ago

No permission to listen on a low port. Try adding CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW under /etc/systemd/system/tls-shunt-proxy.service

kecikeci commented 4 years ago

> No permission to listen on a low port. Try adding CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW under /etc/systemd/system/tls-shunt-proxy.service

I tried it; it is not a problem with listening on a low port. Right after startup port 443 was opened, and then came acme: error: 400 :: urn:ietf:params:acme:error:connection :: Error getting validation data, url:. It may be a DNS problem, or a problem with the acme-v02.api.letsencrypt.org API.

Wikeolf commented 4 years ago

Try generating the certificate with acme on its own?

kecikeci commented 4 years ago

I have never used acme; I found a tutorial and tried it.

curl https://get.acme.sh | sh
cd /root/.acme.sh/
./acme.sh --issue -d 子域名 -d 根域名 --webroot /root/子域名/ --debug

Output log: (two screenshots)

mzxwt commented 3 years ago

Did you install nginx before requesting the certificate? If it was installed beforehand it may be occupying port 80, and then acme cannot obtain a certificate.

kecikeci commented 3 years ago

> Did you install nginx before requesting the certificate? If it was installed beforehand it may be occupying port 80, and then acme cannot obtain a certificate.

The port is not occupied; it is probably a CentOS system issue. Switched to Ubuntu and it works.