使用certbot更新证书以添加子域
使用certbot更新证书以添加子域
提问于 2019-04-21 00:01:42
我已经安装了一个带有LetsEncrypt证书的域,apache设置可以将www转发到non,而非ssl则转发到ssl。一切都很顺利,直到我决定添加一个子域,并尝试生成一个新的证书来涵盖这两个方面。
现在在运行certbot时得到以下输出:
root@arthas:~# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: domain.com
2: playground.domain.com
3: www.playground.domain.com
4: www.domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2,3,4
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/domain.com.conf)
It contains these names: domain.com, www.domain.com
You requested these names for the new certificate: domain.com,
playground.domain.com, www.playground.domain.com, www.domain.com.
Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain.com
http-01 challenge for playground.domain.com
http-01 challenge for www.domain.com
http-01 challenge for www.playground.domain.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
Created an SSL vhost at /etc/apache2/sites-enabled/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
An unexpected error occurred:
ValueError: Unable to set value to path!
Please see the logfiles in /var/log/letsencrypt for more details.
IMPORTANT NOTES:
- Unable to install the certificate
- Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/domain.com/fullchain.pem
Your key file has been saved at: /etc/letsencrypt/live/domain.com/privkey.pem
Your cert will expire on 2019-07-19.
To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option.
To non-interactively renew *all* of your certificates, run "certbot renew"
- Some rewrite rules copied from /etc/apache2/sites-enabled/000-default.conf were disabled in the vhost for your HTTPS site located at /etc/apache2/sites-enabled/000-default-le-ssl.conf because they have the potential to create redirection loops.此外,我还复制了我的1000-default.conf文件的内容,如下::
# Added to mitigate CVE-2017-8295 vulnerability
UseCanonicalName On
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName domain.com
ServerAlias www.domain.com
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.domain.com [OR]
RewriteCond %{SERVER_NAME} =domain.com [OR]
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName playground.domain.com
ServerAlias www.playground.domain.com
DocumentRoot /var/www/html/playground
<Directory /var/www/html/playground>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.playground.domain.com [OR]
RewriteCond %{SERVER_NAME} =playground.domain.com [OR]
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>回答 4
Stack Overflow用户
回答已采纳
发布于 2019-05-08 05:46:24
看起来您有几个可能导致冲突的.conf文件。
- 方法1:将所有
<VirtualHost *:80>和<VirtualHost *:443>规则放在同一个配置文件中 - 方法2:将它们分开,并在000-default.conf末尾添加
Include /path/to/httpd-le-ssl.conf
运行$ sudo certbot renew --dry-run以检查修改后的配置是否成功。
使用--dry-run不会影响您的限制,因为您故障排除和修复配置。一旦它成功完成,您就可以以各种方式运行certbot,并期望一切都能正常工作。
Stack Overflow用户
发布于 2019-12-12 02:45:26
在一次尝试为多个域安装证书时,我会收到相同的错误消息。如果您的所有VirtualHost都位于同一个配置文件中,并且不想将它们分开,请尝试分别安装域的证书。
示例:
当您需要安装下列域的证书时
- domain01.com
- www.domain01.com
- domain02.com
- www.domain02.com
在台阶上
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1,2,3,4输入1,2,3,4而不是1,2,3,4,然后重复安装3,4
Stack Overflow用户
发布于 2021-05-24 10:07:01
在运行此命令时,请确保订单也是正确的。因此,例如: example.org应该在请求中的mail.example.org之前。否则,特别是在使用路由53选项时,获取奇怪的区域错误消息。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/55778765
复制相关文章
相似问题
腾讯云开发者
