我现在正在努力让请求库GET使用Let的加密证书对我的网站执行简单的请求.一切都很好的网站,我可以从Chrome访问它就好了.(我现在正在运行OSX El Capitan).
首先,我尝试GET向网站提出请求:
>>> import requests
>>> requests.get('https://example.com')
这给了我:
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
然后我尝试了各种各样的东西,包括获取Let的加密权限证书,以下openssl命令成功验证我的站点的证书:
> openssl s_client -CAfile ./letsencryptauthorityx1.pem -connect example.com:443
其输出包括以下内容:
...
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: ...
Session-ID-ctx:
Master-Key: ...
Key-Arg : None
Start Time: 1452865123
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
也许我在这里遗漏了一些东西,但它看起来好像我的网站已经根据我提供的Let's Encrypt授权证书进行了验证.所以,我很高兴地将我的Python代码更改为:
>>> requests.get('https://example.com', verify='./letsencryptauthorityx1.pem')
但我仍然不断收到requests.exceptions.SSLError错误.我也尝试使用DER权威证书的格式,但后来我收到以下错误requests:
requests.exceptions.SSLError: …这个命令:
$ letsencrypt certonly --manual --preferred-challenges dns --email foo@bar.com --domains test001.bar.com
输出:
letsencrypt: error: unrecognized arguments: --preferred-challenges dns
从这里的文档:https://certbot.eff.org/docs/using.html#certbot-command-line-options
我发现:
--preferred-challenges PREF_CHALLS
A sorted, comma delimited list of the preferred
challenge to use during authorization with the most
preferred challenge listed first (Eg, "dns" or "tls-
sni-01,http,dns"). Not all plugins support all
challenges. See
https://certbot.eff.org/docs/using.html#plugins for
details. ACME Challenges are versioned, but if you
pick "http" rather than "http-01", Certbot will select
the latest version automatically. (default: …我创建了 nodejs 应用程序,并且正在使用Lets EncryptSSL 证书。以下是我的代码
var express = require(\xe2\x80\x98express\xe2\x80\x99);\nvar https = require(\xe2\x80\x98https\xe2\x80\x99);\nvar fs = require(\xe2\x80\x98fs\xe2\x80\x99);\nvar option = {\n key: fs.readFileSync(\xe2\x80\x98/etc/letsencrypt/live/$DOMAIN/privkey.pem\xe2\x80\x99),\n cert: fs.readFileSync(\xe2\x80\x98/etc/letsencrypt/live/$DOMAIN/fullchain.pem\xe2\x80\x99)\n};\nconst app = express();\napp.use((req, res) =>\n{\n res.end(\xe2\x80\x98Hello World\xe2\x80\x99);\n});\n\nhttps.createServer(option, app).listen(8000);\n\n我已使用 pm2 使用以下命令启动此应用程序
\nsudo pm2 start app.js --watch
我正在使用以下 cronjob 更新 SSL 证书
\n0 8 * * * sudo certbot renew
我希望每当 certbot 更新 SSL 证书时自动重新加载 SSL 证书。我怎样才能实现这个目标?
\n我正在尝试验证 SSL 证书的文件上传。该文件需要是.well-known/acme-challenge/file
我已经成功地放置了如上的文件,但是在从 web 访问相同的文件时,出现了http://weburl.com/.well-known/acme-challenge/file404 错误。当我将同一个文件放在.well-known/文件中时,可以从路径http://weburl.com/.well-known/file成功访问。
我的nginx配置:
server {
listen 80;
server_name weburl.com;
root /var/www/html;
location ~ /.well-known {
allow all;
}
location ~ /\.well-known/acme-challenge/ {
allow all;
root /var/www/html;
try_files $uri =404;
break;
}
}
是的,当我尝试使用 https 运行 traefik 时,我得到了这个。问题是我在我的 Win7 机器上安装了目录,但我无法修改文件。
挂载正在运行,但文件权限已关闭。
看起来像这样:
volumes
- d:/docker/traefikcompose/acme/acme.json:/etc/traefik/acme/acme.json:rw
traefik | time="2018-09-04T12:57:11Z" level=error msg="启动提供程序时出错 *acme.Provider: 无法获取 ACME 帐户:/etc/traefik/acme/acme.json 的权限 777 太开放了,请使用 600"
如果我删除 acme.json 文件,我会得到这个:
错误:对于traefik 无法启动服务traefik:b'OCI 运行时创建失败:container_linux.go:348:启动容器进程导致“process_linux.go:402:容器初始化导致\”rootfs_linux.go:58:挂载\\\”/ d/docker/traefikcompose/acme/acme.json\\\" 到 rootfs \\\"/mnt/sda1/var/lib/docker/aufs/mnt/c84d8644252848bde8f0322bafba3d206513ceb8479eb95aeee0b72fsd"\\\at\mnt/sda1"\ /var/lib/docker/aufs/mnt/c84d8644252848bde8f0322bafba3d206513ceb8479eb95aeee0b4cafd4a7251/etc/traefik/acme/acme.json\\\"导致\\\"not a directory"尝试挂载:\"目录到文件(或反之亦然)?检查指定的主机路径是否存在并且是预期的类型'
我在我的应用程序中使用 Library autocert 来生成 ssl 证书,问题是 30% 的用户对我的应用程序有问题,我当前的代码是:
fmt.Println("Starting server on " + this.Params.Bind)
if this.Params.SSL {
fmt.Println("SSL Enabled")
m := autocert.Manager{
Prompt: autocert.AcceptTOS,
HostPolicy: autocert.HostWhitelist(this.Params.HostsWhitelist...),
Cache: autocert.DirCache(this.Params.CertCache),
}
log.Fatal(autotls.RunWithManager(r, &m))
} else {
r.Run(this.Params.Bind)
}
错误是:
2018/12/03 12:37:33 http: TLS handshake error from 68.71.48.249:55885: acme/autocert: missing server name
2018/12/03 12:37:33 http: TLS handshake error from 209.213.121.223:38284: acme/autocert: missing server name
2018/12/03 12:37:33 http: TLS handshake error from 209.213.121.223:38283: acme/autocert: missing server name
2018/12/03 12:37:33 http: TLS handshake error from …我正在尝试为我的域生成证书。我可以 ping 我的域,但仍然出错。我已将入站防火墙规则添加到我的数字海洋服务器以接受 ipv4 和 ipv6 上的端口 80。不知道出了什么问题。[注意:我的 nginx 服务器没有运行,因为我无法获得证书]
https://community.letsencrypt.org/t/invalid-response-404-nginx-docker-container/102525
我的域名是:www.1040nra.com
我运行了这个命令:sudo certbot certonly --staging --webroot -w /root/dt-app-data/ -d 1040nra.com -d www.1040nra.com
它产生了这个输出:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for 1040nra.com
http-01 challenge for www.1040nra.com
Using the webroot path /root/dt-app-data for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. 1040nra.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://1040nra.com/.well-known/acme-challenge/22AD-KFmF62z373CPiUKzk6dlr-0s5wMOmnmrziMqd4: Connection refused, www.1040nra.com …当我从 Chrome 浏览我的网站时,它说证书无效,如果我检查详细信息,我会看到以下内容:
Issued to:
Common Name (CN) test.x.example.com
Organization (O) cert-manager
Organizational Unit (OU) <Not Part Of Certificate>
Issued by:
Common Name (CN) cert-manager.local
Organization (O) cert-manager
Organizational Unit (OU) <Not Part Of Certificate>
我不明白出了什么问题。从 cert-manager 的输出看来一切都很顺利:
I1002 15:56:52.761583 1 start.go:76] cert-manager "level"=0 "msg"="starting controller" "git-commit"="95e8b7de" "version"="v0.9.1"
I1002 15:56:52.765337 1 controller.go:169] cert-manager/controller/build-context "level"=0 "msg"="configured acme dns01 nameservers" "nameservers"=["10.44.0.10:53"]
I1002 15:56:52.765777 1 controller.go:134] cert-manager/controller "level"=0 "msg"="starting leader election"
I1002 15:56:52.767133 1 leaderelection.go:235] attempting to acquire leader lease cert-manager/cert-manager-controller...
I1002 15:56:52.767946 …google-cloud-platform kubernetes google-kubernetes-engine lets-encrypt cert-manager
我在使用 cert-manager 处理 tls 证书时遇到了一个问题,我正在关注文档并添加了一些额外的东西Traefik作为入口。
目前,我有这个YAML文件:
cluster-issuer.yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
namespace: secure-alexguedescom
spec:
acme:
email: user@gmail.com
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
# Secret resource used to store the account's private key.
name: letsencrypt-staging
# Add a single challenge solver, HTTP01 using nginx
solvers:
- selector: {}
http01:
ingress:
class: traefik-cert-manager
traefik-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
# add an annotation indicating the issuer to use.
cert-manager.io/cluster-issuer: letsencrypt-staging
name: secure-alexguedescom-ingress-http
namespace: secure-alexguedescom
spec:
rules: …我正在尝试使用 LetsEncrypt 和 Nginx 添加 https。我已经添加了 certbot 并且它运行成功。然后,当尝试运行 Nginx 服务器时,我收到此错误。
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: error: /etc/nginx/conf.d/default.conf is not a file or does not exist
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2020/11/21 06:24:07 [emerg] 1#1: open() "/etc/letsencrypt/options-ssl-nginx.conf" failed (2: No such file or directory) in /etc/nginx/conf.d/nginx.conf:23
nginx: [emerg] open() "/etc/letsencrypt/options-ssl-nginx.conf" failed (2: No such file or directory) in /etc/nginx/conf.d/nginx.conf:23
这是我的 …