Automatic SSL certificate renewal for nginx under proxy_pass

Because certificates issued by Let's Encrypt are only valid for 90 days, and some of my services have no directory bound to them (they are other services forwarded through proxy_pass), renewing the certificate frequently ran into problems.

Previously, to renew a certificate I would edit the config file and swap it back once the renewal finished, but doing that every time is a hassle. Looking at the acme.sh log shows what actually fails: the challenge file cannot be fetched:

[Wed 17 Jan 2024 12:21:11 AM CST] responseHeaders='HTTP/2 200 
server: nginx
date: Tue, 16 Jan 2024 16:21:11 GMT
content-type: application/json
content-length: 1309
boulder-requester: 1023612387
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: LPSUY_lxhOXaxMC2EZ9QV4b0zXRV24srjF5J4XvlRDA5S8Yb1zE
x-frame-options: DENY
strict-transport-security: max-age=604800

'
[Wed 17 Jan 2024 12:21:12 AM CST] code='200'
[Wed 17 Jan 2024 12:21:12 AM CST] original='{
  "identifier": {
    "type": "dns",
    "value": "c.oba.by"
  },
  "status": "invalid",
  "expires": "2024-01-23T16:21:04Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA",
      "token": "TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw",
      "validationRecord": [
        {
          "url": "http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw",
          "hostname": "c.oba.by",
          "port": "80",
          "addressesResolved": [
            "43.16.12.199"
          ],
          "addressUsed": "43.16.12.199"
        },
        {
          "url": "https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw",
          "hostname": "c.oba.by",
          "port": "443",
          "addressesResolved": [
            "43.16.12.199"
          ],
          "addressUsed": "43.16.12.199"
        }
      ],
      "validated": "2024-01-16T16:21:06Z"
    }
  ]
}'
[Wed 17 Jan 2024 12:21:12 AM CST] response='{"identifier":{"type":"dns","value":"c.oba.by"},"status":"invalid","expires":"2024-01-23T16:21:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA","token":"TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","validationRecord":[{"url":"http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"80","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"},{"url":"https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"443","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"}],"validated":"2024-01-16T16:21:06Z"}]}'
[Wed 17 Jan 2024 12:21:12 AM CST] original='{"identifier":{"type":"dns","value":"c.oba.by"},"status":"invalid","expires":"2024-01-23T16:21:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA","token":"TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","validationRecord":[{"url":"http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"80","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"},{"url":"https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"443","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"}],"validated":"2024-01-16T16:21:06Z"}]}'
[Wed 17 Jan 2024 12:21:12 AM CST] response='{"identifier":{"type":"dns","value":"c.oba.by"},"status":"invalid","expires":"2024-01-23T16:21:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA","token":"TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","validationRecord":[{"url":"http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"80","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"},{"url":"https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"443","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"}],"validated":"2024-01-16T16:21:06Z"}]}'
[Wed 17 Jan 2024 12:21:12 AM CST] status='invalid
invalid'
[Wed 17 Jan 2024 12:21:12 AM CST] error='"error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403'
[Wed 17 Jan 2024 12:21:12 AM CST] errordetail='43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404'
[Wed 17 Jan 2024 12:21:12 AM CST] Invalid status, c.oba.by:Verify error detail:43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404
[Wed 17 Jan 2024 12:21:12 AM CST] pid
[Wed 17 Jan 2024 12:21:12 AM CST] No need to restore nginx, skip.
[Wed 17 Jan 2024 12:21:12 AM CST] _clearupdns
[Wed 17 Jan 2024 12:21:12 AM CST] dns_entries
[Wed 17 Jan 2024 12:21:12 AM CST] skip dns.
[Wed 17 Jan 2024 12:21:12 AM CST] _on_issue_err
[Wed 17 Jan 2024 12:21:12 AM CST] Please check log file for more details: /usr/local/acme.sh/acme.sh.log

Fetching https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw returned a 404. The corresponding nginx configuration is:

server {
    listen 80;
    #listen [::]:80;
    server_name c.oba.by;
    index index.html index.htm index.php default.html default.htm default.php;
    root /home/wwwroot/c.oba.by;

    #include rewrite/none.conf;
    #error_page 404 /404.html;

    # Deny access to PHP files in specific directory
    #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

    location / {
        return 301 https://$host$request_uri;
    }

    access_log /home/wwwlogs/c.oba.by.log;
}

http is 301-redirected straight to https, so the request for the challenge file ends up on the https port, and that port does not have the file either.

So the fix is to make nginx serve /.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw normally instead of redirecting it.

I had tried adding a location block for this before, and it still failed; trying again:

server {
    listen 80;
    #listen [::]:80;
    server_name c.oba.by;
    index index.html index.htm index.php default.html default.htm default.php;
    root /home/wwwroot/c.oba.by;

    #include rewrite/none.conf;
    #error_page 404 /404.html;

    # Deny access to PHP files in specific directory
    #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

    # Serve the ACME challenge directory from disk instead of redirecting it
    location /.well-known {
        alias /home/wwwroot/c.oba.by/.well-known;
    }

    location / {
        return 301 https://$host$request_uri;
    }

    access_log /home/wwwlogs/c.oba.by.log;
}

This time, though, I moved the location block to the very beginning:

location /.well-known {
    alias /home/wwwroot/c.oba.by/.well-known;
}

Renewing the certificate again then worked. To be safe, the same location can also be added to the https server block, and the directory /home/wwwroot/c.oba.by/.well-known has to be created if it does not already exist.
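As an added example (not code from the original post), here is a pre-renewal probe in Python that does what Let's Encrypt did in the log above: it plants a constructed token under /.well-known/acme-challenge/, fetches it over plain HTTP without following redirects, and reports `redirected` for a port-80 block that 301s everything to https, so the problem surfaces before acme.sh is run. The two in-process handlers stand in for the nginx server block before and after the `location /.well-known` fix; host, port and token values are all constructed.

```python
import secrets, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

PREFIX = "/.well-known/acme-challenge/"

def make_handler(tokens, serve_well_known):
    """Stand-in for the port-80 block: False = original (everything 301'd to https)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            name = self.path[len(PREFIX):]
            if serve_well_known and self.path.startswith(PREFIX) and name in tokens:
                body = tokens[name].encode()   # the challenge dir is served first
                self.send_response(200)
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
            else:  # location / { return 301 https://$host$request_uri; }
                self.send_response(301)
                self.send_header("Location", "https://" + self.headers["Host"] + self.path)
                self.end_headers()
        def log_message(self, *args):
            pass  # keep the probe quiet
    return Handler

class NoRedirect(urllib.request.HTTPRedirectHandler):  # surface the 301, don't follow it
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe_challenge(host, port, tokens):
    """Publish a constructed token and fetch it over plain HTTP the way the CA does."""
    name = secrets.token_urlsafe(32)
    tokens[name] = name + ".constructed-thumbprint"  # real: <token>.<account key thumbprint>
    try:
        with urllib.request.build_opener(NoRedirect).open(
                f"http://{host}:{port}{PREFIX}{name}", timeout=5) as resp:
            return "ok" if resp.read().decode() == tokens[name] else "bad-body"
    except urllib.error.HTTPError as e:
        return "redirected" if e.code in (301, 302, 307, 308) else f"http-{e.code}"
    finally:
        tokens.pop(name, None)

def diagnose(serve_well_known):
    """Run the probe against a local stand-in on an ephemeral port; return the verdict."""
    tokens = {}
    with HTTPServer(("127.0.0.1", 0), make_handler(tokens, serve_well_known)) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return probe_challenge("127.0.0.1", srv.server_address[1], tokens)
        finally:
            srv.shutdown()
```

Against a real host, write the token file into the alias directory instead of the in-memory dict and call `probe_challenge("c.oba.by", 80, tokens)`; note that nginx picks the longest matching prefix `location` regardless of its position in the block, so what matters is that `/.well-known` outranks `/` and no regex location captures the request.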

[Wed 17 Jan 2024 08:59:51 AM CST] Your cert is in /usr/local/nginx/conf/ssl/c.oba.by_ecc/c.oba.by.cer
[Wed 17 Jan 2024 08:59:51 AM CST] Your cert key is in /usr/local/nginx/conf/ssl/c.oba.by_ecc/c.oba.by.key
[Wed 17 Jan 2024 08:59:51 AM CST] The intermediate CA cert is in /usr/local/nginx/conf/ssl/c.oba.by_ecc/ca.cer
[Wed 17 Jan 2024 08:59:51 AM CST] And the full chain certs is there /usr/local/nginx/conf/ssl/c.oba.by_ecc/fullchain.cer

☆ Copyright ☆

* Site name: obaby@mars
* URL: https://obaby.org.cn/
* Personal site: https://oba.by/
* Title of this post: "nginx proxy_pass 条件下的 ssl 证书自动更新" (Automatic SSL certificate renewal for nginx under proxy_pass)
* Link to this post: https://obaby.org.cn/2024/01/15152
* Short link: https://oba.by/?p=15152
* When reposting, please credit the source with the original title and link, and follow the Attribution-NonCommercial-ShareAlike 2.5 China Mainland (CC BY-NC-SA 2.5 CN) license.


37 comments

1. Level 5
   I once tried npm and deployed it many times without success. My approach since then has been the 宝塔 panel on domestic servers and 1panel on overseas ones: free, auto-renewing, smooth as silk~

   1. 公主 Queen
      Mm, a panel is convenient in the usual case, but I have quite a few services here, so plain commands are faster. Besides, in the time it would take to install and get familiar with those panels I'd already have finished the changes myself.

   2. 公主 Queen
      That one isn't easy to deal with. Some CDNs support automatic issuance of free certificates, and the one I'm currently using (失控) works that way, but 无畏云 apparently doesn't support it and uses a one-year free certificate.

2. Level 6
   Did you touch the RSS again? XML Fatal Error 63: CData section not finished

3. Level 4
   Everyone's solution to this certificate problem is a bit different, but as long as the problem gets solved, that's what counts.

   1. 公主 Queen
      Mm, the CDN I use is Tencent's. For the ones that can deploy automatically I use tools.

4. Level 6
   I was wondering why your article from two days ago only showed up in my feed today.
   As for this auto-renewal, I could never get it installed. Gave up in the end.

   1. 公主 Queen
      The RSS broke after I published an article.
      There are plenty of auto-renewal tools; try a different one.

5. Level 2
   Once the domain transfer goes through I'll be applying for an SSL certificate, and then it's back to Baidu-ing my way through the difficulties.

6. Level 4
   The ones that expire every 90 days are a real pain. With auto-renewal it's fine, but the CDNs where you have to upload the certificate yourself have you cursing the whole way through.

   1. 公主 Queen
      Yes, once the validity got shorter, uploading by hand became disgusting.

7. Level 4
   I can't be bothered fiddling with SSL. Since every platform switched to 90-day certificates, among the big domestic providers it seems only Tencent Cloud still offers free one-year certificates. But I went with a 30-yuan-a-year wildcard certificate instead.

8. Level 3
   Alibaba Cloud's certificate policy has now changed to "a free quota of 20 per year, but they must be used within 3 months", which is pretty nasty. With no alternative, I also switched to panel auto-renewed certificates.

   1. 公主 Queen
      Alibaba's greed here is disgusting; ever since they changed the quota on free mailbox push I haven't dared use their free services. Garbage.

9. Level 6
   No panel, all hand-rolled. I envy that hands-on ability; if I knew this stuff I'd tinker with my server once a day.

   1. Level 6
      The friend-link detection in the comments gives different results for http and https; the friend link isn't showing any more.

      1. 公主 Queen
         It's an exact match, haha. I'll find time to optimize the matching logic.

10. Level 5
    Here for some archaeology, meow meow meow; I remembered you had posted about this.