【问题标题】:certbot-auto: Client lacks sufficient authorizationcertbot-auto:客户端缺乏足够的授权
【发布时间】:2017-06-30 20:37:58
【问题描述】:

我知道这个问题已经被问过好几次了,但我需要一些具体的帮助,因为我一直在听取其他几个主题的建议,但到目前为止没有任何效果。

我正在尝试使用certbot-auto renew 在 Ubuntu 14.04 中更新我的 SSL 证书,并且我正在运行 Apache2 服务器和 nginx。我得到certbot-auto renew 的以下输出:

  root@PostgreSQLServer:/# sudo certbot-auto renew
  Saving debug log to /var/log/letsencrypt/letsencrypt.log

  -------------------------------------------------------------------------------
  Processing /etc/letsencrypt/renewal/my-domain.com.conf
  -------------------------------------------------------------------------------
  Cert is due for renewal, auto-renewing...
  Renewing an existing certificate
  Performing the following challenges:
  http-01 challenge for my-domain.com
  Waiting for verification...
  Cleaning up challenges
  Attempting to renew cert from /etc/letsencrypt/renewal/my-domain.com.conf produced an unexpected error: Failed authorization procedure. my-domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://my-domain.com/.well-known/acme-challenge/ailNmgZADpb4QBipKM57sOi9w3PwNkwBwVFiRYs7i40: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <html><head>
  <title>404 Not Found</title>
  </head><body>
  <h1>Not Found</h1>
  <p". Skipping.

  All renewal attempts failed. The following certs could not be renewed:
    /etc/letsencrypt/live/my-domain.com/fullchain.pem (failure)
  1 renew failure(s), 0 parse failure(s)

  IMPORTANT NOTES:
   - The following errors were reported by the server:

     Domain: my-domain.com
     Type:   unauthorized
     Detail: Invalid response from
     http://my-domain.com/.well-known/acme-challenge/ailNmgZADpb4QBipKM57sOi9w3PwNkwBwVFiRYs7i40:
     "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
     <html><head>
     <title>404 Not Found</title>
     </head><body>
     <h1>Not Found</h1>
     <p"

     To fix these errors, please make sure that your domain name was
     entered correctly and the DNS A record(s) for that domain
     contain(s) the right IP address.

我确保/var/www/my-domain.com/public_html 中存在.well-known 文件夹,当我在浏览器中导航到http://my-domain.com/.well-known/ 时,我能够看到该目录的内容。我还在.well-known 中添加了一个acme-challenge 文件夹,并包含一个test.txt 文件用于测试;我能够在浏览器中访问目录和文本文件。

我发现运行certbot-auto 命令时没有创建acme-challenge 文件夹,所以这似乎是权限问题。我正在以 root 身份运行 certbot-auto,但也向 www-data 用户授予了对 .well-knownacme-challenge 文件夹的写入权限(root 和 www-data 用户正在运行 apache2 和 nginx 进程)。

即使在授予该写入权限后,我仍然会收到上面详述的 404 错误。

我还有一个通过crontab 运行的自动证书更新过程,并且我将输出记录到本地文件中。在该日志文件中,我看到续订请求似乎工作正常,直到 certbot-auto 从 0.9.3 升级到 0.10.1。以下是升级发生时日志文件中的示例:

  -------------------------------------------------------------------------------
  Processing /etc/letsencrypt/renewal/offensively-bad.com.conf
  -------------------------------------------------------------------------------

  The following certs are not due for renewal yet:
    /etc/letsencrypt/live/offensively-bad.com/fullchain.pem (skipped)
  No renewals were attempted.

  -------------------------------------------------------------------------------
  Processing /etc/letsencrypt/renewal/offensively-bad.com.conf
  -------------------------------------------------------------------------------

  The following certs are not due for renewal yet:
    /etc/letsencrypt/live/offensively-bad.com/fullchain.pem (skipped)
  No renewals were attempted.
  Upgrading certbot-auto 0.9.3 to 0.10.1...
  Replacing certbot-auto...
  Creating virtual environment...
  Installing Python packages...
  Installation succeeded.

  -------------------------------------------------------------------------------
  Processing /etc/letsencrypt/renewal/offensively-bad.com.conf
  -------------------------------------------------------------------------------

  All renewal attempts failed. The following certs could not be renewed:
    /etc/letsencrypt/live/offensively-bad.com/fullchain.pem (failure)
  IMPORTANT NOTES:
   - The following errors were reported by the server:

     Domain: offensively-bad.com
     Type:   unauthorized
     Detail: Invalid response from
     http://offensively-bad.com/.well-known/acme-challenge/tkSc8l-r1XVPIF5TosTbEXiYMa8sQnoXEjAEgAwRoqI:
     "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
     <html><head>
     <title>404 Not Found</title>
     </head><body>
     <h1>Not Found</h1>
     <p"

     To fix these errors, please make sure that your domain name was
     entered correctly and the DNS A record(s) for that domain
     contain(s) the right IP address.

您可以看到升级后,进程开始失败并显示 404 消息。

我已经尝试了所有可以在网上找到的建议,但完全被难住了,因此我将不胜感激。提前致谢!

【问题讨论】:

    标签: apache ssl nginx ubuntu-14.04 certbot


    【解决方案1】:

    我不得不编辑这个conf文件:/etc/letsencrypt/renewal/offensively-bad.com.conf并修改[[webroot_map]]下面的行:

    [[webroot_map]]
    offensively-bad.com = /path/to/what/certbot/thinks/is/the/correct/webroot/path/initially/specified/by/the/user
    

    就我而言,我将其更改为

        offensively-bad.com = /var/www/offensively-bad.com/public_html/
    

    感谢letsencrypt论坛帮助我。

    【讨论】:

      【解决方案2】:

      我的问题是我的 raspberry pi raspbian Stretch 上的 certbot 版本太旧:

      certbot --version
      

      给了

      certbot 0.10.2

      apt-get install python-certbot-apache -t stretch-backports
      

      成功了:

      certbot 0.21.1

      然后就是

      certbot --apache -d domain.com

      希望这会有所帮助!

      【讨论】:

        猜你喜欢
        • 2019-06-23
        • 1970-01-01
        • 1970-01-01
        • 1970-01-01
        • 1970-01-01
        • 1970-01-01
        • 1970-01-01
        • 1970-01-01
        • 1970-01-01
        相关资源
        最近更新 更多