Problem description
certbot-auto / letsencrypt setting up one key for multiple domains pointing to the same server
I'm really more of a front-end developer, so server configuration is a very new area for me; sorry if this is a simple question!
I'm having some trouble trying to get certbot-auto to generate SSH keys for multiple domains that point at one box.
I have 3-4 domains (domain1.net, domain2.io, domain3.me, domain4.codes), all of which point at the same Digital Ocean droplet.
Previously (a few months ago), I had tried using letsencrypt directly (there was no certbot at the time). Somehow all of my domains got SSL, but they recently expired, and now I only seem to be able to renew domain1.net and not the rest.
I tried the following command:
./certbot-auto certonly -a webroot --agree-tos -w /var/www/domain1.net/public_html/ \
    --expand -d domain1.net,www.domain1.net,domain2.io,www.domain2.io,domain3.me,www.domain3.me,domain4.codes,www.domain4.codes
...which seemed to work, and I got the following:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Cert not yet due for renewal
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain1.net
http-01 challenge for www.domain1.net
http-01 challenge for domain2.io
http-01 challenge for www.domain2.io
http-01 challenge for domain3.me
http-01 challenge for www.domain3.me
http-01 challenge for domain4.codes
http-01 challenge for www.domain4.codes
Using the webroot path /var/www/domain1.net/public_html for
all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits):
/etc/letsencrypt/keys/0012_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0012_csr-certbot.pem

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
  /etc/letsencrypt/live/domain1.net/fullchain.pem. Your cert
  will expire on 2017-02-20. To obtain a new or tweaked version of
  this certificate in the future, simply run certbot-auto again. To
  non-interactively renew *all* of your certificates, run
  "certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
  Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  Donating to EFF: https://eff.org/donate-le
.. OK, great! However, only domain1.net and www.domain1.net seem to be working... the other domains claim not to be using HTTPS!
I also see multiple files in the /etc/letsencrypt/live/ directory. I had tried to get this working before (using letsencrypt directly, not via certbot), and it worked until today, when they expired and refused to renew. This is what I see in that directory:
tom@Personal:/opt$ sudo ls -la /etc/letsencrypt/live/
total 20
drwx------ 5 root root 4096 Nov 22 18:22 .
drwxr-xr-x 8 root root 4096 Nov 22 18:22 ..
drwxr-xr-x 2 root root 4096 Nov 22 18:41 domain1.net
drwxr-xr-x 2 root root 4096 Oct 16 00:00 domain1.net-0001
drwxr-xr-x 2 root root 4096 Nov 22 18:22 www.domain1.net
hmm.. not sure why there are multiple entries there. Shouldn't there be just one?
Anyway, I'm not well versed enough in HTTPS / keys / nginx to figure this out, and I'm tearing my hair out. I just want to get my SSL keys:
- working for all of the domains above
- automatically renewed via certbot-auto renew
and I'm not entirely sure where I messed up... any help is greatly appreciated!
EDIT: here's what my server config block looks like in nginx:
server {
    # listen 80 default_server;
    # listen [::]:80 default_server ipv6only=on;

    # START LETS ENCRYPT ADDITIONS:
    listen 443 ssl;
    server_name domain1.net www.domain1.net domain2.io www.domain2.io domain3.me www.domain3.me domain4.codes www.domain4.codes;
    ssl_certificate /etc/letsencrypt/live/www.domain1.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.domain1.net/privkey.pem; # managed by Certbot
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    # /END LETS ENCRYPT ADDITION

    root /var/www/domain1.net/public_html;
    index index.php index.html index.htm;

    # FOR LETSENCRYPT AUTO-RENEWAL, we must give it access to /.well-known
    location ~ /.well-known {
        allow all;
    }
    # /END LETSENCRYPT AUTO_RENEWAL

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;

        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }
}
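The two artifacts in the question (the certbot run and the nginx server block) carry enough information to check for themselves whether nginx is even serving the certificate certbot just wrote. The script below is an added example, not code from the poster or from Certbot: it parses the server block's server_name and ssl_certificate directives and certbot's "http-01 challenge for ..." and "saved at ..." lines, then reports any server_name that was not in the challenge list and whether the lineage directory nginx references (/etc/letsencrypt/live/<name>/) is the one certbot reported saving to. The sample text is copied from the question with its placeholder domains; the regexes and function names are this example's own.

```python
"""Cross-check an nginx server block against a certbot run (added example)."""
from __future__ import annotations

import re

# Sample input: the server block from the question (placeholder domains).
NGINX_BLOCK = """\
server {
    listen 443 ssl;
    server_name domain1.net www.domain1.net domain2.io www.domain2.io domain3.me www.domain3.me domain4.codes www.domain4.codes;
    ssl_certificate /etc/letsencrypt/live/www.domain1.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.domain1.net/privkey.pem; # managed by Certbot
}
"""

# Sample input: the relevant lines of the certbot output from the question.
CERTBOT_OUTPUT = """\
Performing the following challenges:
http-01 challenge for domain1.net
http-01 challenge for www.domain1.net
http-01 challenge for domain2.io
http-01 challenge for www.domain2.io
http-01 challenge for domain3.me
http-01 challenge for www.domain3.me
http-01 challenge for domain4.codes
http-01 challenge for www.domain4.codes
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/domain1.net/fullchain.pem. Your cert
will expire on 2017-02-20.
"""

# Certbot stores each certificate "lineage" under /etc/letsencrypt/live/<name>/.
LIVE_RE = re.compile(r"/etc/letsencrypt/live/([^/\s]+)/")


def nginx_server_names(block: str) -> list[str]:
    """Hostnames listed in the server_name directive, in order."""
    m = re.search(r"^\s*server_name\s+([^;]+);", block, re.M)
    return m.group(1).split() if m else []


def nginx_cert_lineage(block: str) -> str | None:
    """Lineage name referenced by ssl_certificate (not ssl_certificate_key)."""
    m = re.search(r"^\s*ssl_certificate\s+(\S+?);", block, re.M)
    if not m:
        return None
    lineage = LIVE_RE.search(m.group(1))
    return lineage.group(1) if lineage else None


def certbot_challenged_names(output: str) -> list[str]:
    """Every hostname certbot ran an http-01 challenge for."""
    return re.findall(r"http-01 challenge for (\S+)", output)


def certbot_saved_lineage(output: str) -> str | None:
    """Lineage name from the 'saved at /etc/letsencrypt/live/<name>/...' line."""
    m = re.search(r"saved at\s+(\S+)", output)
    if not m:
        return None
    lineage = LIVE_RE.search(m.group(1))
    return lineage.group(1) if lineage else None


def check(block: str, output: str) -> dict:
    """Report names nginx serves that the new cert does not cover, and
    whether nginx points at a different lineage than certbot wrote."""
    names = nginx_server_names(block)
    challenged = set(certbot_challenged_names(output))
    nginx_lineage = nginx_cert_lineage(block)
    saved = certbot_saved_lineage(output)
    return {
        "missing_from_cert": [n for n in names if n not in challenged],
        "nginx_lineage": nginx_lineage,
        "certbot_lineage": saved,
        "lineage_mismatch": nginx_lineage != saved,
    }


if __name__ == "__main__":
    for key, value in check(NGINX_BLOCK, CERTBOT_OUTPUT).items():
        print(f"{key}: {value}")
```

On the sample input every server_name was challenged, but the lineage check fails: nginx loads /etc/letsencrypt/live/www.domain1.net/ while certbot saved the expanded certificate under /etc/letsencrypt/live/domain1.net/. On the box itself the same question is answered by inspecting the file nginx actually references, for example `openssl x509 -in /etc/letsencrypt/live/www.domain1.net/cert.pem -noout -text`, whose Subject Alternative Name section lists the covered hostnames and whose "Not After" field gives the expiry.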
Reference solutions
Method 1:
Just wanted to follow up - I got this working!
Turns out my command was correct but I was misusing the -d flag -- it needs to be applied for each domain separately. So the corrected command:
./certbot-auto certonly -a webroot --agree-tos -w /var/www/domain1.net/public_html/ \
    --expand -d domain1.net,www.domain1.net -d domain2.io,www.domain2.io -d domain3.me,www.domain3.me -d domain4.codes,www.domain4.codes