xdtianyu / scripts

scripts for work
https://www.xdty.org

ERROR #23

Open BROBIRD opened 8 years ago

BROBIRD commented 8 years ago

It always breaks off at this step: Requesting challenge for aa.bbb.cccc. I checked the API and it is correct. The environment is Tencent Cloud.

xdtianyu commented 8 years ago

Could you paste the detailed output? Be careful not to expose your domain name and IP. Also, which script is it?

BROBIRD commented 8 years ago

The Cloudxns script.

# INFO: Using main config file /home/wwwroot/aa.bbb.cccc/cloudxns.conf
Processing aa.bbb.cccc
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jul 14 14:14:00 2016 GMT (Less than 30 days). Renewing!
 + Signing domains...
 + Generating signing request...
 + Requesting challenge for aa.bbb.cccc...

And then nothing more.

xdtianyu commented 8 years ago

That's strange. My local tests here all get past Requesting challenge:

./le-cloudxns.sh cloudxns.conf 
# INFO: Using main config file cloudxns.conf
Processing example.com with alternative names: www.example.com im.example.com
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for example.com...
 + Requesting challenge for www.example.com...
 + Requesting challenge for im.example.com...

Please paste the contents of /home/wwwroot/aa.bbb.cccc/cloudxns.conf. Be careful not to leak the cloudxns API key.

BROBIRD commented 8 years ago

API_KEY="********"
SECRET_KEY="********"
DOMAIN="bbb.cccc"
CERT_DOMAINS="aa.bbb.cccc"
ECC=TRUE

xdtianyu commented 8 years ago

On Tencent Cloud, run curl -v https://acme-v01.api.letsencrypt.org/acme/new-authz to see whether the Let's Encrypt server is reachable. I created a new machine in Guangzhou Zone 2, and the first run gave the error ERROR: Problem connecting to server (post for https://acme-v01.api.letsencrypt.org/acme/new-authz; curl returned with 35), which may be related to IPv6 not being reachable.

# INFO: Using main config file cloudxns.conf
+ Generating account key...
+ Registering account key with letsencrypt...
Processing bbb.cccc
 + Signing domains...
 + Creating new directory ./certs/bbb.cccc ...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for bbb.cccc...
  + ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-authz (Status 400)

Details:
{
  "type": "urn:acme:error:malformed",
  "detail": "Error creating new authz :: Name does not end in a public suffix",
  "status": 400
}
root@VM-12-8-ubuntu:~# ping6 acme-v01.api.letsencrypt.org
connect: Network is unreachable
root@VM-12-8-ubuntu:~# 
root@VM-12-8-ubuntu:~# ping acme-v01.api.letsencrypt.org
PING e981.dscb.akamaiedge.net.0.1.cn.akamaiedge.net (23.198.115.87) 56(84) bytes of data.
64 bytes from a23-198-115-87.deploy.static.akamaitechnologies.com (23.198.115.87): icmp_seq=1 ttl=50 time=217 ms
64 bytes from a23-198-115-87.deploy.static.akamaitechnologies.com (23.198.115.87): icmp_seq=2 ttl=50 time=213 ms
64 bytes from a23-198-115-87.deploy.static.akamaitechnologies.com (23.198.115.87): icmp_seq=3 ttl=50 time=217 ms

BROBIRD commented 8 years ago

It's fine on my end:

[root@VM_82_50_centos ~]# curl -v https://acme-v01.api.letsencrypt.org/acme/new-authz
*   Trying 2.17.50.15...
* Connected to acme-v01.api.letsencrypt.org (2.17.50.15) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Unknown (67):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*  subject: CN=*.api.letsencrypt.org; O=INTERNET SECURITY RESEARCH GROUP; L=Mountain View; ST=California; C=US
*  start date: Jun 26 17:05:45 2015 GMT
*  expire date: Jun 25 17:05:45 2018 GMT
*  subjectAltName: host "acme-v01.api.letsencrypt.org" matched cert's "*.api.letsencrypt.org"
*  issuer: C=US; O=IdenTrust; OU=TrustID Server; CN=TrustID Server CA A52
*  SSL certificate verify ok.
> GET /acme/new-authz HTTP/1.1
> Host: acme-v01.api.letsencrypt.org
> User-Agent: curl/7.48.0
> Accept: */*
> 
< HTTP/1.1 405 Method Not Allowed
< Server: nginx
< Content-Type: application/problem+json
< Content-Length: 91
< Allow: POST
< Boulder-Request-Id: glU0ASbxaSZ-XIkTzKk-SdnR4tCchZuMLC2epmCPkyU
< Replay-Nonce: 9cFAKb0R_VTELjzwCQzKKC-qjSufMiRLa8PL6PJdAuU
< Expires: Tue, 05 Jul 2016 17:35:42 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Tue, 05 Jul 2016 17:35:42 GMT
< Connection: keep-alive
< 
{
  "type": "urn:acme:error:malformed",
  "detail": "Method not allowed",
  "status": 405
* Connection #0 to host acme-v01.api.letsencrypt.org left intact

xdtianyu commented 8 years ago
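As an added diagnostic (my own code, not part of xdtianyu/scripts), the POSIX shell snippet below runs the curl check suggested earlier in the thread once over IPv4 and once over IPv6 and reads the outcome the way the two transcripts above do: a 405 on a bare GET means the endpoint is reachable (new-authz only accepts POST, as the Allow: POST header shows), while curl exit code 35 is the TLS connection failure seen on the fresh Tencent Cloud host. The URL is the one from the thread; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of xdtianyu/scripts. Probes the ACME v1 new-authz
# endpoint used in this thread over IPv4 and IPv6 separately and explains
# the outcome the way the thread reads it.
ACME_URL="https://acme-v01.api.letsencrypt.org/acme/new-authz"

# interpret_probe CURL_EXIT HTTP_CODE: print a one-line diagnosis.
# A 405 on a bare GET is the healthy answer here: new-authz only accepts
# POST (see the "Allow: POST" header in the curl -v output above).
interpret_probe() {
    rc="$1"
    code="$2"
    if [ "$rc" -eq 0 ] && [ "$code" = "405" ]; then
        echo "reachable (405 on GET is expected; new-authz wants POST)"
    elif [ "$rc" -eq 0 ]; then
        echo "reachable, but unexpected HTTP status $code"
    elif [ "$rc" -eq 35 ]; then
        echo "TLS handshake failed (curl 35): check outbound routing for this IP family"
    elif [ "$rc" -eq 7 ]; then
        echo "could not connect (curl 7): no route or port 443 blocked"
    else
        echo "curl failed with exit code $rc"
    fi
}

# probe_family 4|6: force that IP family with curl -4 / -6, capture the HTTP
# status and curl's exit code, and print the diagnosis for that family.
probe_family() {
    fam="$1"
    code=$(curl -"$fam" -s -o /dev/null -w '%{http_code}' \
               --connect-timeout 10 "$ACME_URL")
    rc=$?
    echo "IPv$fam: $(interpret_probe "$rc" "$code")"
}

# Run the live probes only when invoked as: sh probe_acme.sh run
if [ "${1:-}" = "run" ]; then
    probe_family 4
    probe_family 6
fi
```

Invoked with the `run` argument, it prints one line per IP family; an IPv6 line reporting curl 35 or 7 next to a healthy IPv4 line matches the ping6 "Network is unreachable" symptom above.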

Switch to a new directory, re-download the script following the readme, and run it directly without configuring anything, to see whether it gets stuck on your error.

BROBIRD commented 8 years ago

I tried it. Requesting a new certificate works fine, but renewing a certificate produces the problem I described above.

xdtianyu commented 8 years ago

@BROBIRD Thanks for the feedback. I'll check again.

BROBIRD commented 8 years ago

Should the DNS records generated on the first request be kept? I deleted the challenge records when I cleaned up my DNS records earlier, and I'm wondering whether that is the cause.

xdtianyu commented 8 years ago

I haven't tried that, but it shouldn't matter; it is handled automatically. I'd suggest not deleting the intermediate files, since the next renewal would have to generate them again.

BROBIRD commented 8 years ago

I didn't delete the intermediate files, only the DNS records.

xdtianyu commented 8 years ago

Deleting the DNS records after validation has finished doesn't affect anything.

BROBIRD commented 8 years ago

This is really extremely strange...