LetsEncrypt certificate renewal fails

Dan*_* K. 5 ssl-certificate renew lets-encrypt

I am trying to renew the certificate for my server. The current one expired a month ago, but I have not dealt with it until now.

I tried the letsencrypt-auto renew command, but it failed:

Note: I have changed the domain/user/server names.

user@vps:~/letsencrypt# ./letsencrypt-auto renew
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: sudo /home/user/.local/share/letsencrypt/bin/letsencrypt renew
Processing /etc/letsencrypt/renewal/www.example.com.conf
2016-04-02 07:07:00,862:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/www.example.com.conf produced an unexpected error: You've asked to renew/replace a seemingly valid certificate with a test certificate (domains: www.example.com, example.com). We will not do that unless you use the --break-my-certs flag!. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.example.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

I foolishly tried the command with the --break-my-certs flag:

user@vps:~/letsencrypt# ./letsencrypt-auto renew --break-my-certs
Updating letsencrypt and virtual environment dependencies...You are using pip version 7.1.2, however version 8.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
....
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt renew --break-my-certs
Processing /etc/letsencrypt/renewal/www.example.com.conf
new certificate deployed with reload of apache server; fullchain is /etc/letsencrypt/live/www.example.com/fullchain.pem

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.example.com/fullchain.pem (success)

I thought that was it, but when I tried to connect to my website I got an error message telling me the certificate was issued by an untrusted party. (The validity dates, however, were fine.)

So I tried the first command again:

user@vps:~/letsencrypt# ./letsencrypt-auto renew
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt renew
Processing /etc/letsencrypt/renewal/www.example.com.conf

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/www.example.com/fullchain.pem (skipped)
No renewals were attempted.

But as you can see, it does not work.

小智 7

Keep in mind that the letsencrypt-auto renew procedure only works if your previous certificate was issued with letsencrypt-auto 0.4.0 or later. If your certificate was issued with an older letsencrypt-auto version, you need to issue the certificate again in the same way as the first time, with the same options and parameters; after that, letsencrypt-auto renew will work as expected.

Anyway, the first message you received when you tried to renew your domain was:

You've asked to renew/replace a seemingly valid certificate with a test certificate (domains: www.example.com, example.com). We will not do that unless you use the --break-my-certs flag!. Skipping.

This means your domain has a valid certificate, but the renew command detected that you were trying to renew it against the staging server instead of the production server (note: the staging server is part of the letsencrypt infrastructure and lets you test the process of issuing certificates for your domain, but the certificates are issued by a fake CA; if you inspect your certificate you will see that the issuer is Fake LE Intermediate X1).

So when you repeated the renewal process with the --break-my-certs flag, you ended up with a certificate issued by the fake CA, which no client connecting to your site will trust.

I think you have been playing with some conf files, /etc/letsencrypt/cli.{conf,ini}, /etc/letsencrypt/renewal/yourdomain.conf, or whatever config file you used to issue the first certificate, and in one of them you specified the staging flag, so letsencrypt-auto tried to use staging instead of production to renew your certificate.

Run this command against your renewal conf file:

grep -E 'server\ =|config_file\ =' /etc/letsencrypt/renewal/yourdomain.conf

Note: if you issued more than one certificate for your domain, adding or removing domains from the set of FQDNs included in the certificate, then instead of yourdomain.conf you may have yourdomain-0001.conf, yourdomain-0002.conf and so on.

config_file will show whether you are using a config file for your domain; if you are not using any config file you will see the word None.

server will show whether you issued the certificate against the staging or the production server.

If it is staging, you will see:

server = https://acme-staging.api.letsencrypt.org/directory

If it is production, you will see:

server = https://acme-v01.api.letsencrypt.org/directory

If you see that server points to staging, edit your domain's renewal conf file and change it to production: https://acme-v01.api.letsencrypt.org/directory

Also, if you have a config_file, check that config file to make sure the server option points to production and that there are no options like staging, staging = True, test-cert or test-cert = True.

Once you have removed the staging options and changed the server to production in both the config_file and the renewal conf file, you can try to renew your certificate again:

./letsencrypt-auto renew --force-renewal

If you finally get the certificate for your domain, pay attention to the congratulations message, which tells you the directory where the certificate has been saved; remember to configure your web server, mail server, and anything else that uses the certificate with the correct paths.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/yourdomain/fullchain.pem. Your cert
   will expire on xxxx-xx-xx. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
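As an added example (not part of the original answer), a small POSIX shell audit that applies the checks above to a renewal conf and to the config_file it names, so a staging endpoint or a stray staging/test-cert option is caught before another renewal is attempted; it assumes the two ACME v1 endpoint URLs quoted in the answer:

```shell
#!/bin/sh
# Added example, not part of the original answer. Assumes the 2016-era
# ACME v1 endpoint URLs quoted in the answer above.
STAGING_URL='https://acme-staging.api.letsencrypt.org/directory'
PROD_URL='https://acme-v01.api.letsencrypt.org/directory'

# Read the value of "key = value" from an INI-style letsencrypt conf (first hit only).
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d ' \r'
}

# Print "staging", "production" or "unknown" for the server= line of a conf.
acme_server_kind() {
    case "$(ini_value "$1" server)" in
        "$STAGING_URL") echo staging ;;
        "$PROD_URL")    echo production ;;
        *)              echo unknown ;;
    esac
}

# Succeed when the conf carries staging / staging = True / test-cert / test-cert = True.
has_staging_option() {
    grep -Eiq '^[[:space:]]*(staging|test-cert)([[:space:]]*=[[:space:]]*true)?[[:space:]]*$' "$1"
}

# Audit one renewal conf plus its config_file (if any); returns 1 if anything points to staging.
audit_renewal_conf() {
    conf="$1"
    kind=$(acme_server_kind "$conf")
    cfg=$(ini_value "$conf" config_file)
    rc=0
    [ "$kind" = staging ] && rc=1
    has_staging_option "$conf" && rc=1
    if [ -n "$cfg" ] && [ "$cfg" != None ] && [ -f "$cfg" ]; then
        [ "$(acme_server_kind "$cfg")" = staging ] && rc=1
        has_staging_option "$cfg" && rc=1
    fi
    echo "$conf: server=$kind config_file=${cfg:-None} $([ $rc -eq 0 ] && echo OK || echo STAGING)"
    return $rc
}

# Usage: sh audit.sh /etc/letsencrypt/renewal/*.conf  (exit status 1 if any conf is on staging)
status=0
for conf in "$@"; do
    audit_renewal_conf "$conf" || status=1
done
```

Fix the reported files as the answer describes, then run the force renewal.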