Automatic SSL certificate renewal for nginx under proxy_pass

Certificates issued by Let's Encrypt are only valid for 90 days, and some of the services here have no directory bound to them (they are other services forwarded via proxy_pass), so renewing the certificate often runs into problems.

Previously, to renew a certificate I would edit the config file and swap it back once the renewal finished, but doing this every time is tedious. Looking at the acme.sh log shows that the real cause is a failed file access:

[Wed 17 Jan 2024 12:21:11 AM CST] responseHeaders='HTTP/2 200 
server: nginx
date: Tue, 16 Jan 2024 16:21:11 GMT
content-type: application/json
content-length: 1309
boulder-requester: 1023612387
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: LPSUY_lxhOXaxMC2EZ9QV4b0zXRV24srjF5J4XvlRDA5S8Yb1zE
x-frame-options: DENY
strict-transport-security: max-age=604800

'
[Wed 17 Jan 2024 12:21:12 AM CST] code='200'
[Wed 17 Jan 2024 12:21:12 AM CST] original='{
  "identifier": {
    "type": "dns",
    "value": "c.oba.by"
  },
  "status": "invalid",
  "expires": "2024-01-23T16:21:04Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA",
      "token": "TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw",
      "validationRecord": [
        {
          "url": "http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw",
          "hostname": "c.oba.by",
          "port": "80",
          "addressesResolved": [
            "43.16.12.199"
          ],
          "addressUsed": "43.16.12.199"
        },
        {
          "url": "https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw",
          "hostname": "c.oba.by",
          "port": "443",
          "addressesResolved": [
            "43.16.12.199"
          ],
          "addressUsed": "43.16.12.199"
        }
      ],
      "validated": "2024-01-16T16:21:06Z"
    }
  ]
}'
[Wed 17 Jan 2024 12:21:12 AM CST] response='{"identifier":{"type":"dns","value":"c.oba.by"},"status":"invalid","expires":"2024-01-23T16:21:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA","token":"TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","validationRecord":[{"url":"http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"80","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"},{"url":"https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"443","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"}],"validated":"2024-01-16T16:21:06Z"}]}'
[Wed 17 Jan 2024 12:21:12 AM CST] original='{"identifier":{"type":"dns","value":"c.oba.by"},"status":"invalid","expires":"2024-01-23T16:21:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA","token":"TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","validationRecord":[{"url":"http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"80","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"},{"url":"https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"443","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"}],"validated":"2024-01-16T16:21:06Z"}]}'
[Wed 17 Jan 2024 12:21:12 AM CST] response='{"identifier":{"type":"dns","value":"c.oba.by"},"status":"invalid","expires":"2024-01-23T16:21:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA","token":"TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","validationRecord":[{"url":"http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"80","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"},{"url":"https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"443","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"}],"validated":"2024-01-16T16:21:06Z"}]}'
[Wed 17 Jan 2024 12:21:12 AM CST] status='invalid
invalid'
[Wed 17 Jan 2024 12:21:12 AM CST] error='"error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403'
[Wed 17 Jan 2024 12:21:12 AM CST] errordetail='43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404'
[Wed 17 Jan 2024 12:21:12 AM CST] Invalid status, c.oba.by:Verify error detail:43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404
[Wed 17 Jan 2024 12:21:12 AM CST] pid
[Wed 17 Jan 2024 12:21:12 AM CST] No need to restore nginx, skip.
[Wed 17 Jan 2024 12:21:12 AM CST] _clearupdns
[Wed 17 Jan 2024 12:21:12 AM CST] dns_entries
[Wed 17 Jan 2024 12:21:12 AM CST] skip dns.
[Wed 17 Jan 2024 12:21:12 AM CST] _on_issue_err
[Wed 17 Jan 2024 12:21:12 AM CST] Please check log file for more details: /usr/local/acme.sh/acme.sh.log

Accessing https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw returns 404. The corresponding nginx config file is:

server {
    listen 80;
    #listen [::]:80;
    server_name c.oba.by;
    index index.html index.htm index.php default.html default.htm default.php;
    root  /home/wwwroot/c.oba.by;

    #include rewrite/none.conf;
    #error_page   404   /404.html;

    # Deny access to PHP files in specific directory
    #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

    location / {
        return 301 https://$host$request_uri;
    }

    access_log  /home/wwwlogs/c.oba.by.log;
}

HTTP is redirected straight to HTTPS with a 301, so the request for the challenge file ends up on the HTTPS port, and that port does not have the file either.

To fix this, nginx has to be able to serve /.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw normally.

I had tried adding a location block for this before, but it still failed; trying again:

server {
    listen 80;
    #listen [::]:80;
    server_name c.oba.by;
    index index.html index.htm index.php default.html default.htm default.php;
    root  /home/wwwroot/c.oba.by;

    #include rewrite/none.conf;
    #error_page   404   /404.html;

    # Deny access to PHP files in specific directory
    #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

    location /.well-known {
        alias /home/wwwroot/c.oba.by/.well-known;
    }

    location / {
        return 301 https://$host$request_uri;
    }

    access_log  /home/wwwlogs/c.oba.by.log;
}

This time, though, the location block was moved to the very top:

location /.well-known {
    alias /home/wwwroot/c.oba.by/.well-known;
}

Trying the renewal again then worked. To be safe, the same location can also be added to the HTTPS config; the corresponding directory /home/wwwroot/c.oba.by/.well-known has to be created if it does not exist.

[Wed 17 Jan 2024 08:59:51 AM CST] Your cert is in /usr/local/nginx/conf/ssl/c.oba.by_ecc/c.oba.by.cer
[Wed 17 Jan 2024 08:59:51 AM CST] Your cert key is in /usr/local/nginx/conf/ssl/c.oba.by_ecc/c.oba.by.key
[Wed 17 Jan 2024 08:59:51 AM CST] The intermediate CA cert is in /usr/local/nginx/conf/ssl/c.oba.by_ecc/ca.cer
[Wed 17 Jan 2024 08:59:51 AM CST] And the full chain certs is there /usr/local/nginx/conf/ssl/c.oba.by_ecc/fullchain.cer
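The log above shows the CA following the port-80 redirect to the HTTPS vhost and getting a 404 there. The following is an added example, not code from this post or from acme.sh: a pre-renewal self-check that fetches the http-01 challenge URL over plain HTTP and treats any redirect as a failure, so a vhost that still returns 301 for /.well-known/ is caught before a renewal is attempted. The FakeVhost handler, the token file content and the 127.0.0.1 listener are constructed for the demo; against a real host you would call check_challenge with the site's hostname, port 80 and the content acme.sh wrote into the challenge file.

```python
# Added example, not code from the post or from acme.sh: a pre-renewal self-check
# that fetches the http-01 URL on port 80 and refuses to follow redirects.
import functools, http.client, os, secrets, tempfile, threading
from http.server import HTTPServer, SimpleHTTPRequestHandler
def check_challenge(host, port, token, expected_body, timeout=10):
    """Return (ok, reason): ok only on HTTP 200 with exactly the expected body."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", f"/.well-known/acme-challenge/{token}", headers={"Host": host})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace").strip()
    conn.close()
    if resp.status in (301, 302, 307, 308):
        # The failure in the log above: the CA follows this to the HTTPS vhost, which has no such file.
        return False, f"redirected to {resp.getheader('Location')}"
    if resp.status != 200:
        return False, f"HTTP {resp.status}"
    if body != expected_body:
        return False, "body does not match the challenge file"
    return True, "ok"

class FakeVhost(SimpleHTTPRequestHandler):
    """Constructed stand-in for the post's port-80 server block (not real nginx)."""
    def __init__(self, *args, serve_well_known, **kwargs):
        self.serve_well_known = serve_well_known
        super().__init__(*args, **kwargs)  # the request is handled inside __init__
    def do_GET(self):
        if self.serve_well_known and self.path.startswith("/.well-known/acme-challenge/"):
            return super().do_GET()  # plays the role of the added `location /.well-known`
        self.send_response(301)  # plays the role of `return 301 https://$host$request_uri`
        self.send_header("Location", "https://" + self.headers["Host"] + self.path)
        self.end_headers()
    def log_message(self, *args):
        pass

def run_self_check(serve_well_known):
    """Serve a random token from a temp webroot and run check_challenge against it."""
    with tempfile.TemporaryDirectory() as webroot:
        chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
        os.makedirs(chal_dir)
        token = secrets.token_urlsafe(32)
        with open(os.path.join(chal_dir, token), "w") as f:
            f.write(token)  # acme.sh writes "<token>.<thumbprint>"; any content works here
        handler = functools.partial(FakeVhost, directory=webroot, serve_well_known=serve_well_known)
        srv = HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return check_challenge("127.0.0.1", srv.server_address[1], token, token)
        finally:
            srv.shutdown()
            srv.server_close()
```

run_self_check(False) reproduces the broken vhost from the first config and returns the redirect as the reason; run_self_check(True) models the vhost with the /.well-known location and returns (True, "ok").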

☆Copyright☆

* Site name: obaby@mars
* URL: https://lang.ma/
* Personal: https://oba.by/
* Title: "Automatic SSL certificate renewal for nginx under proxy_pass"
* Link: https://nai.dog/2024/01/15152
* Short link: https://oba.by/?p=15152
* When reposting, please state the source, the original title and the original link. Please follow the Attribution-NonCommercial-ShareAlike 2.5 China Mainland (CC BY-NC-SA 2.5 CN) license.



35 comments

  1. Level 4

     I tried npm several times and never managed to deploy it. In the end I went with the Baota panel (宝塔面板) on domestic servers and 1Panel on overseas ones: free, auto-renewal, smooth as silk~

     1. 公主 Queen

        Yeah, panels are convenient in general, but I run a lot of services here, so plain commands are faster. Besides, by the time I'd learned my way around those panels I'd already have finished the changes myself. yes

     1. 公主 Queen

        That's not easy to handle. Some CDNs support issuing free certificates automatically; the one I'm using now (失控) does. But 无畏云 doesn't seem to, so there I use a one-year free certificate.

  2. Level 4

     Everyone's solution to this certificate problem is a bit different, but as long as the problem gets solved, that's what matters.

     1. 公主 Queen

        Yeah, the CDN I use is Tencent's, the kind that supports automatic deployment.

  3. Level 5

     Why did your article from two days ago only show up in my feed today?
     As for this auto-renewal, I could never get it installed. Gave up in the end.

     1. 公主 Queen

        The RSS broke after I published a post.
        There are quite a few auto-renewal tools; try a different one.

  4. Level 2

     Once the domain transfer goes through I'll be applying for an SSL certificate, and then it's back to Baidu for me.

  5. Level 3

     Those 90-day certificates are a real pain. Auto-renewal is fine, but CDNs that make you upload the certificate yourself have you cursing the whole way through.

     1. 公主 Queen

        Yes, once the validity got shorter, uploading by hand became a nightmare.

  6. Level 4

     I can't be bothered with SSL. Since all the platforms switched to 90-day certificates, Tencent Cloud seems to be the only big domestic provider still offering free one-year certificates. I went with a 30 yuan/year wildcard certificate anyway.

  7. Level 3

     Alibaba Cloud's certificate policy is now "a free quota of 20 certificates per year, but they must be used within 3 months." Pretty nasty; I had no choice but to switch to panel-auto-renewed certificates as well.

     1. 公主 Queen

        Alibaba's greed is disgusting. Since they changed the quota on the free mailbox push service I haven't dared use any of their free services. Garbage.

  8. Level 5

     No panel, all done by hand. I envy that hands-on ability; if I knew this stuff I'd tinker with the server once a day. diablo

       1. 公主 Queen

          That one is a full match, haha. I'll find time to optimize the matching logic.
