Problem description
Phpseclib early execution while certbot working
I'm using phpseclib to implement a certificate for my domain.
The typical process of implementing the certificate looks like this:
[root@centos web]# sudo certbot --nginx -d somedomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for somedomain.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org
Deploying Certificate to VirtualHost /home/admin/conf/web/somedomain.com.nginx.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /home/admin/conf/web/somedomain.com.nginx.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://somedomain.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=somedomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/somedomain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/somedomain.com/privkey.pem
Your cert will expire on 2019-11-23. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The PHP script for the same command looks like this:
<?php
$hostname = '192.168.1.1'; // my hosting ip
$username = 'root';
$password = 'somesecret'; // password
include('Net/SSH2.php');   // phpseclib 1.x
$ssh = new Net_SSH2($hostname);
if (!$ssh->login($username, $password)) {
    exit('Login Failed');
}
// exec() runs the command in its own channel and returns whatever it printed
echo $ssh->exec("sudo certbot --nginx -d somedomain.com");
The output I get:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Process finished with exit code 0
The problem is that the script should wait for the specific question ("Select the appropriate number [1-2] then [enter] (press 'c' to cancel):") and then enter 2...
I tried using $ssh->write() and $ssh->read() but the output is the same.
<?php
$hostname = '192.168.1.1'; // my hosting ip
$username = 'root';
$password = 'somesecret'; // password
include('Net/SSH2.php');   // phpseclib 1.x
$ssh = new Net_SSH2($hostname);
if (!$ssh->login($username, $password)) {
    exit('Login Failed');
}
// write() sends the text to the interactive shell (no trailing newline is sent here)
$ssh->write("sudo certbot --nginx -d somedomain.com");
// read() returns once the given string shows up in the output, or the timeout elapses
echo $ssh->read("Select the appropriate number [1-2] then [enter] (press 'c' to cancel):");
Result:
Last failed login: Sun Aug 25 21:04:23 CEST 2019 from 192.168.1.1 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Sun Aug 25 21:03:39 2019 from 192.168.1.1
sudo certbot --nginx -d somedomain.com[root@centos web]# sudo certbot --nginx -d somedomain.com
Process finished with exit code 0
Please advise where to continue searching.
Reference solution
Method 1:
Even your latest pastebin.com link doesn't contain the full SSH logs but whatever. What that one included is enough to see what's going on:
<- NET_SSH2_MSG_CHANNEL_DATA (since last: 2.5204, network: 0.0001s)
00000000 00:00:00:02:00:00:00:3a:53:61:76:69:6e:67:20:64 .......:Saving d
00000010 65:62:75:67:20:6c:6f:67:20:74:6f:20:2f:76:61:72 ebug log to /var
00000020 2f:6c:6f:67:2f:6c:65:74:73:65:6e:63:72:79:70:74 /log/letsencrypt
00000030 2f:6c:65:74:73:65:6e:63:72:79:70:74:2e:6c:6f:67 /letsencrypt.log
00000040 0d:0a ..
-> NET_SSH2_MSG_CHANNEL_EOF (since last: 7.4256, network: 0.0001s)
00000000 00:00:00:00 ....
phpseclib has a default timeout of 10s. The "Saving debug log" message takes 2.5s to display and the next line... idk how long it normally takes to display but phpseclib is giving up after ~7.5s. 7.5s+2.5s is 10s, which is the timeout, hence why phpseclib is closing the connection.
I'm guessing the certbot command takes a while to run.
My recommendation is to do one of the following:
- Use nohup
- Disable the timeout by doing
$ssh->setTimeout(0);
(by Steven Clay, neubert)
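Putting the answer's setTimeout() advice together with the prompt handling the question asked for, as an added example (not code from the original post or from phpseclib itself); host, credentials, the shell prompt pattern and the certbot question text are taken from the question above, and isTimeout() is assumed to be available in the phpseclib 1.0 release in use:

```php
<?php
// Added example: run the interactive certbot command over phpseclib 1.0 with a
// timeout long enough for the http-01 validation, answer the redirect prompt,
// and detect a timeout instead of silently getting truncated output.
// Host, credentials, prompt and question text are assumed from the question.
include('Net/SSH2.php');

$hostname = '192.168.1.1';
$username = 'root';
$password = 'somesecret';

$ssh = new Net_SSH2($hostname);
if (!$ssh->login($username, $password)) {
    exit('Login Failed');
}

// The default is 10 s, shorter than certbot's validation round trip.
// 0 would wait forever; a finite bound keeps a hung run from blocking the script.
$ssh->setTimeout(300);

// Read until a shell prompt so the next read starts after the login banner.
$prompt = '/\[root@centos [^\]]*\]# $/';
$ssh->read($prompt, NET_SSH2_READ_REGEX);
if ($ssh->isTimeout()) {
    exit('No shell prompt within the timeout');
}

// The trailing "\n" is what actually submits the command to the shell.
$ssh->write("sudo certbot --nginx -d somedomain.com\n");

// Block until certbot asks the redirect question, then answer "2" (redirect).
$question = "Select the appropriate number [1-2] then [enter] (press 'c' to cancel):";
$output = $ssh->read($question);
if ($ssh->isTimeout()) {
    exit("certbot did not reach the redirect prompt:\n" . $output);
}
$ssh->write("2\n");

// Collect the rest of certbot's output up to the next shell prompt.
$output .= $ssh->read($prompt, NET_SSH2_READ_REGEX);
if ($ssh->isTimeout()) {
    exit("certbot did not finish within the timeout:\n" . $output);
}
echo $output;

// Check that the files certbot reports were actually written before relying on them.
echo $ssh->exec('ls -l /etc/letsencrypt/live/somedomain.com/');
```

If the remote prompt differs from the one in the question, adjust $prompt first, since a regex that never matches only returns when the timeout fires.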