certbot-auto / letsencrypt setting up one key for multiple domains pointing to the same server


Problem description


I'm really more of a front-end developer, so server configuration is a very new area for me, so sorry if this is a simple question!

I'm having some trouble getting my certbot-auto to generate SSH keys for multiple domains pointing to one box.

I have 3-4 domains (domain1.net, domain2.io, domain3.me, domain4.codes) that all point to the same Digital Ocean droplet.

Previously (a few months ago) I had tried using letsencrypt directly (there was no certbot at the time). Somehow all of my domains got SSL, but they recently expired and I now seem to be able to renew only domain1.net and not the rest.

I tried the following command:

./certbot-auto certonly -a webroot --agree-tos -w /var/www/domain1.net/public_html/ \
  --expand -d domain1.net,www.domain1.net,domain2.io,www.domain2.io,domain3.me,www.domain3.me,domain4.codes,www.domain4.codes

...which seems to work, and I get the following:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Cert not yet due for renewal
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain1.net
http-01 challenge for www.domain1.net
http-01 challenge for domain2.io
http-01 challenge for www.domain2.io
http-01 challenge for domain3.me
http-01 challenge for www.domain3.me
http-01 challenge for domain4.codes
http-01 challenge for www.domain4.codes
Using the webroot path /var/www/domain1.net/public_html for
all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits):
/etc/letsencrypt/keys/0012_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0012_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/domain1.net/fullchain.pem. Your cert
   will expire on 2017-02-20. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

.. OK, great! However, only domain1.net and www.domain1.net seem to be working... the other domains claim they are not using HTTPS!

I also see multiple files in the /etc/letsencrypt/live/ directory. I had previously tried to get this working (using letsencrypt directly, not via certbot) and it worked until today, when they expired and refused to renew. This is what I see in that directory:

tom@Personal:/opt$ sudo ls -la /etc/letsencrypt/live/
total 20
drwx------ 5 root root 4096 Nov 22 18:22 .
drwxr-xr-x 8 root root 4096 Nov 22 18:22 ..
drwxr-xr-x 2 root root 4096 Nov 22 18:41 domain1.net
drwxr-xr-x 2 root root 4096 Oct 16 00:00 domain1.net-0001
drwxr-xr-x 2 root root 4096 Nov 22 18:22 www.domain1.net

hmm.. not sure why there are multiple entries there. Shouldn't there be only one?

Anyway - I'm not well-versed enough in HTTPS / keys / NginX to figure this out, and I'm tearing my hair out. I just want to get my SSL keys to:

  1. Work for all the domains above
  2. Renew automatically via certbot-auto renew

and I'm not entirely sure where I messed up... any help is greatly appreciated!

EDIT: this is what my server config block looks like in nginx:

server {
  # listen 80 default_server;
  # listen [::]:80 default_server ipv6only=on;

  # START LETS ENCRYPT ADDITIONS:
  listen 443 ssl;
  server_name domain1.net www.domain1.net domain2.io www.domain2.io domain3.me www.domain3.me domain4.codes www.domain4.codes;
  ssl_certificate /etc/letsencrypt/live/www.domain1.net/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/www.domain1.net/privkey.pem; # managed by Certbot
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
  # /END LETS ENCRYPT ADDITION

  root /var/www/domain1.net/public_html;
  index index.php index.html index.htm;

  # FOR LETSENCRYPT AUTO-RENEWAL, we must give it access to /.well-known
  # (the http-01 challenge files are served from <root>/.well-known/acme-challenge/)
  location ~ /.well-known {
    allow all;
  }
  # /END LETSENCRYPT AUTO_RENEWAL

  location / {
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    try_files $uri $uri/ =404;
    # Uncomment to enable naxsi on this location
    # include /etc/nginx/naxsi.rules
  }
}

Solutions

Method 1:

Just wanted to follow up ‑ I got this working!

Turns out my command was correct but I was misusing the -d flag -- it needs to be applied for each domain separately. So the corrected command:

./certbot-auto certonly -a webroot --agree-tos -w /var/www/domain1.net/public_html/ \
  --expand -d domain1.net,www.domain1.net -d domain2.io,www.domain2.io -d domain3.me,www.domain3.me -d domain4.codes,www.domain4.codes

(by tdctdc)
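A check that would have surfaced the mismatch visible in this thread (certbot reports saving to /etc/letsencrypt/live/domain1.net/, while nginx loads /etc/letsencrypt/live/www.domain1.net/) is to compare the names certbot validated and the path it wrote against nginx's server_name list and ssl_certificate path. This is an added example, not code from the question, the answer or Certbot; its inputs are constructed snippets modelled on the output and config posted above, and the path rule assumes nginx should load exactly the lineage certbot reported writing.

```python
import re

# Constructed inputs modelled on the question's certbot output and nginx block
# (not the poster's real files), embedded so the check runs offline.
CERTBOT_OUTPUT = """\
http-01 challenge for domain1.net
http-01 challenge for www.domain1.net
http-01 challenge for domain2.io
http-01 challenge for www.domain2.io
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/domain1.net/fullchain.pem. Your cert
"""
NGINX_CONF = """\
server {
  listen 443 ssl;
  server_name domain1.net www.domain1.net domain2.io www.domain2.io domain3.me;
  ssl_certificate /etc/letsencrypt/live/www.domain1.net/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/www.domain1.net/privkey.pem;
}
"""

def certbot_validated_names(output):
    """Names certbot passed an http-01 challenge for: the SANs of the new cert."""
    return {n.lower() for n in re.findall(r"http-01 challenge for (\S+)", output)}

def certbot_saved_path(output):
    """The fullchain.pem path certbot reports having written, or None."""
    m = re.search(r"saved at\s+(\S+?fullchain\.pem)", output)
    return m.group(1) if m else None

def nginx_names_and_cert(conf):
    """(server_name set, ssl_certificate path) parsed from an nginx server block."""
    names = set()
    for m in re.finditer(r"^\s*server_name\s+([^;]+);", conf, re.M):
        names.update(n.lower() for n in m.group(1).split())
    m = re.search(r"^\s*ssl_certificate\s+(\S+);", conf, re.M)
    return names, (m.group(1) if m else None)

def audit(certbot_output, nginx_conf):
    """Findings as strings; empty means nginx loads the cert certbot issued and it covers every name."""
    findings = []
    issued = certbot_validated_names(certbot_output)
    saved = certbot_saved_path(certbot_output)
    names, cert_path = nginx_names_and_cert(nginx_conf)
    for name in sorted(names - issued):
        findings.append(f"{name}: in server_name but not in the issued certificate")
    if saved and cert_path != saved:
        findings.append(f"nginx loads {cert_path} but certbot wrote {saved}")
    return findings
```

To run it against a real host, feed audit() the saved certbot log and the nginx site config instead of the constructed strings.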

References

  1. certbot-auto / letsencrypt setting up one key for multiple domains pointing to the same server (CC BY-SA 2.5/3.0/4.0)

#Certbot #HTTPS #lets-encrypt #nginx
