Creating and renewing a Let's Encrypt SAN certificate with Apache + Flask on Ubuntu 20.04 LTS (fixing a renewal that would not go through)

Introduction

The Certbot certificate was about to expire, and my attempt to renew it failed. I had trouble resolving it, so I am writing this down as a personal memo. Besides abc.example.com, I also need the certificate to cover www.abc.example.com, so I use the SAN certificate approach (www.abc.example.com is set as an alias on the certificate for abc.example.com).

# certbot certonly --webroot -w /var/www/html/ -d abc.example.com -d www.abc.example.com --email info@example.com

If Flask does not handle the / path of http://abc.example.com/, there is no dummy top page and a 403 error results, so the way I created a top page is included as an extra note at the end.

Environment

    • Ubuntu 20.04 LTS
    • Apache/2.4.41 (Ubuntu)
    • Document root of abc.example.com: /var/www/html/

Symptoms

The following error occurred.

# certbot renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/abc.example.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for abc.example.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain abc.example.com
http-01 challenge for abc.example.com
Cleaning up challenges
Attempting to renew cert (abc.example.com-0001) from /etc/letsencrypt/renewal/abc.example.com-0001.conf produced an unexpected error: Some challenges have failed.. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/abc.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/abc.example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs could not be renewed:
  /etc/letsencrypt/live/abc.example.com-0001/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs were successfully renewed:
  /etc/letsencrypt/live/abc.example.com/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/abc.example.com-0001/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: abc.example.com
   Type:   unauthorized
   Detail: (IP ADDRESS): Invalid response from
   https://abc.example.com/.well-known/acme-challenge/N6LQ-oAE87fhrjVkCkgH7iNJpfxU22jAJ3D3vrWTZp4:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

But when I open abc.example.com the page displays normally, so I do not know why a 404 is returned…
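Two details in the log above are worth pulling out before trying fixes. First, certbot renew processed two renewal configs for the same name: abc.example.com.conf (authenticator apache, succeeded) and abc.example.com-0001.conf (authenticator webroot, failed). The -0001 suffix is what certbot adds when it creates a second lineage whose first domain already names an existing lineage, and from then on every certbot renew walks both files. Second, the Detail line reports the failing URL as https://abc.example.com/.well-known/acme-challenge/..., so the validator's plain-HTTP request was redirected to the HTTPS vhost, and whatever answers HTTPS there returned 404 instead of the file certbot had written under /var/www/html/.well-known/acme-challenge/. The script below is an added example, not code from the original post: it inventories the files certbot keeps under /etc/letsencrypt/renewal/ and flags lineages that share a name and lineages that depend on a webroot. The two sample configs are constructed to match the lineages seen in the log; the account id and the webroot_map contents are assumptions.

```python
"""Inventory certbot renewal lineages and flag the ones that will trip `certbot renew`.

Added example, not part of the original post.  certbot keeps one configobj-style
file per lineage under /etc/letsencrypt/renewal/; `certbot renew` walks all of
them, so a stale or duplicated lineage fails again on every run.
"""
import re
from pathlib import Path

RENEWAL_DIR = Path("/etc/letsencrypt/renewal")   # certbot's default location
LINEAGE_SUFFIX = re.compile(r"-\d{4}$")          # e.g. abc.example.com-0001

# Constructed samples matching the two lineages in the log above; the account
# id and the webroot_map contents are assumptions.
SAMPLE_CONFS = {
    "abc.example.com.conf": """\
# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/abc.example.com
cert = /etc/letsencrypt/live/abc.example.com/cert.pem
privkey = /etc/letsencrypt/live/abc.example.com/privkey.pem
fullchain = /etc/letsencrypt/live/abc.example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
""",
    "abc.example.com-0001.conf": """\
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/abc.example.com-0001
cert = /etc/letsencrypt/live/abc.example.com-0001/cert.pem
fullchain = /etc/letsencrypt/live/abc.example.com-0001/fullchain.pem

[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path = /var/www/html,
[[webroot_map]]
www.abc.example.com = /var/www/html
""",
}


def parse_renewal_conf(text):
    """Split a renewal conf into top-level keys, [renewalparams] and [[webroot_map]]."""
    top, params, webroot_map = {}, {}, {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):                 # "[renewalparams]" or "[[webroot_map]]"
            section = line.strip("[]")
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section is None:
            top[key] = value
        elif section == "webroot_map":
            webroot_map[key] = value
        else:
            params[key] = value
    return {"top": top, "params": params, "webroot_map": webroot_map}


def inventory(confs):
    """confs: {filename: text}.  Returns {lineage: summary}, each with a warnings list."""
    result, by_base = {}, {}
    for fname, text in confs.items():
        lineage = fname[:-5] if fname.endswith(".conf") else fname
        parsed = parse_renewal_conf(text)
        params = parsed["params"]
        result[lineage] = {
            "authenticator": params.get("authenticator", "?"),
            "installer": params.get("installer"),
            "webroot_path": params.get("webroot_path", "").rstrip(","),
            "webroots": parsed["webroot_map"],
            "fullchain": parsed["top"].get("fullchain"),
            "warnings": [],
        }
        by_base.setdefault(LINEAGE_SUFFIX.sub("", lineage), []).append(lineage)
    for base, names in by_base.items():
        if len(names) > 1:                        # abc.example.com vs abc.example.com-0001
            for name in names:
                result[name]["warnings"].append(
                    f"{len(names)} lineages share the name {base}: {sorted(names)}")
    for name, info in result.items():
        if info["authenticator"] == "webroot":
            # "Invalid response from https://..." in the log means the HTTPS vhost,
            # not /var/www/html, answered the challenge: a webroot lineage needs the
            # challenge path served over plain HTTP, with no redirect into the app.
            info["warnings"].append(
                f"webroot lineage: {info['webroot_path'] or info['webroots']} must serve "
                "/.well-known/acme-challenge/ on the HTTP vhost")
    return result


def load_renewal_dir(directory=RENEWAL_DIR):
    """Read the real files (needs root); returns the same structure as inventory()."""
    directory = Path(directory)
    return inventory({p.name: p.read_text() for p in sorted(directory.glob("*.conf"))})


if __name__ == "__main__":
    for lineage, info in inventory(SAMPLE_CONFS).items():
        print(lineage, info["authenticator"], info["installer"])
        for warning in info["warnings"]:
            print("   !", warning)
```

On the real host, load_renewal_dir() run as root shows what certbot renew will iterate over (certbot certificates lists the same lineages). A lineage that is no longer wanted is removed with certbot delete --cert-name abc.example.com-0001; revocation, which the post does below, is only needed when the private key is suspected compromised, since deleting the lineage already stops certbot from trying to renew it.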

Solution

In the end I never found out why the 404 happened, but once I deleted the certificate and ran "certbot certonly --apache" it was resolved. I had always obtained the certificate with "certbot certonly --webroot" before, and when "--standalone" did not work either I started to worry, but running with "--apache" worked fine. Finally I restarted Apache.

# certbot revoke --cert-path /etc/letsencrypt/live/abc.example.com/cert.pem
# certbot certonly --apache -w /var/www/html/ -d abc.example.com -d www.abc.example.com --email info@example.com
# systemctl restart apache2

All of the logs are recorded at the end.

Extras

To avoid having to stop Flask with systemctl every time, I created a dummy page. The project is named hogeProject.

urls.py of the app (these snippets are Django code: django.urls and HttpResponse):

from django.urls import path

from . import views

# app_name = index
urlpatterns = [
    path('', views.index, name='index')
]

views.py of the app:

# from django.shortcuts import render

from django.http import HttpResponse

def index(request):
    # Dummy top page so that / answers 200 instead of 403 while the app stays up.
    return HttpResponse('This Page is for auto-renew SSL Certificate.')

Project urls.py:

from django.conf import settings
from django.conf.urls import static
from django.contrib import admin
from django.urls import include, path

(omitted)
urlpatterns = [
    path('hoge/', include('hoge.urls', namespace='hoge')),
    path('admin/', admin.site.urls),
    path('', include('top.urls')),
]

# urlpatterns += static.static('/static/', document_root='static')
urlpatterns += static.static(settings.STATIC_URL, document_root=settings.STATIC_ROOT)
# static() returns an empty pattern list when settings.DEBUG is False, so this
# mapping serves nothing in production.
urlpatterns += static.static(settings.CERT_URL, document_root=settings.CERT_ROOT)

settings.py:

import os

(omitted)
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
# Redirects every path to https://, the ACME challenge path included, unless the
# path is listed in SECURE_REDIRECT_EXEMPT.
SECURE_SSL_REDIRECT = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
CERT_ROOT = os.path.join(BASE_DIR, '.well-known')
CERT_URL = '/.well-known/'
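The Django snippet above mounts /.well-known/ with django.conf.urls.static.static(), which returns an empty pattern list whenever settings.DEBUG is False, and SECURE_SSL_REDIRECT = True sends the challenge request on to https:// as well unless the path is in SECURE_REDIRECT_EXEMPT; that redirect is exactly where the validator in the log got its 404. None of this matters with the apache authenticator, which injects temporary rewrite rules into the HTTP vhost ("Enabled Apache rewrite module" in the log) so the application never sees the challenge; it matters for webroot. The middleware below is an added example, not code from the post. It is framework-neutral WSGI, so it wraps a Flask or Django application equally: it answers /.well-known/acme-challenge/<token> from the webroot over plain HTTP, refuses any token that is not plain base64url (so a request path cannot escape the challenge directory), and redirects everything else to HTTPS. The host names, paths and the downstream index app are assumptions; the token is the one from the log.

```python
"""Serve http-01 challenge files from the application and keep them off the HTTPS redirect.

Added example, not from the original post.  Framework-neutral WSGI middleware
that wraps any Flask or Django app; hostnames, paths and the downstream app are
assumptions.
"""
import re
import tempfile
from pathlib import Path
from wsgiref.util import setup_testing_defaults

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# ACME tokens are unpadded base64url.  Rejecting anything else also rejects
# "..", "/" and "%"-tricks, so the file lookup below cannot leave the directory.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def index_app(environ, start_response):
    """Stand-in for the real application (same text as the post's dummy top page)."""
    body = b"This Page is for auto-renew SSL Certificate."
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


class AcmeChallengeMiddleware:
    """Answer /.well-known/acme-challenge/<token> from webroot over plain HTTP,
    redirect everything else to HTTPS, then hand HTTPS traffic to the app."""

    def __init__(self, app, webroot):
        self.app = app
        self.challenge_dir = Path(webroot) / ".well-known" / "acme-challenge"

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if path.startswith(CHALLENGE_PREFIX):
            return self._serve_token(path[len(CHALLENGE_PREFIX):], start_response)
        # Apache terminates TLS, so like Django's SECURE_PROXY_SSL_HEADER we trust
        # X-Forwarded-Proto; only safe when the proxy always overwrites that header.
        scheme = environ.get("HTTP_X_FORWARDED_PROTO") or environ.get("wsgi.url_scheme", "http")
        if scheme != "https":
            location = "https://" + environ.get("HTTP_HOST", "") + path
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]
        return self.app(environ, start_response)

    def _serve_token(self, token, start_response):
        target = self.challenge_dir / token if TOKEN_RE.match(token) else None
        if target is None or not target.is_file():
            body = b"not found"
            start_response("404 Not Found", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        body = target.read_bytes()              # the key authorization certbot wrote
        start_response("200 OK", [("Content-Type", "application/octet-stream"),
                                  ("Content-Length", str(len(body)))])
        return [body]


def call(app, path, scheme="http", host="abc.example.com"):
    """Drive a WSGI app with a synthetic request; returns (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update({"PATH_INFO": path, "HTTP_HOST": host,
                    "SERVER_NAME": host, "wsgi.url_scheme": scheme})
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def demo():
    """Four requests against a temporary webroot holding one constructed challenge file."""
    token = "N6LQ-oAE87fhrjVkCkgH7iNJpfxU22jAJ3D3vrWTZp4"   # token from the log above
    with tempfile.TemporaryDirectory() as webroot:
        challenge_dir = Path(webroot) / ".well-known" / "acme-challenge"
        challenge_dir.mkdir(parents=True)
        (challenge_dir / token).write_text(token + ".constructed-key-authorization")
        app = AcmeChallengeMiddleware(index_app, webroot)
        return {
            "challenge_http": call(app, CHALLENGE_PREFIX + token),
            "traversal": call(app, CHALLENGE_PREFIX + "../../../etc/passwd"),
            "root_http": call(app, "/"),
            "root_https": call(app, "/", scheme="https"),
        }


if __name__ == "__main__":
    for name, (status, headers, body) in demo().items():
        print(f"{name:15} {status:22} {headers.get('Location', body[:40])}")
```

If Apache proxies to the application rather than running it under mod_wsgi, the same effect is usually had on the Apache side instead: an Alias for /.well-known/acme-challenge/ onto /var/www/html/.well-known/acme-challenge/ in the port-80 vhost, together with ProxyPass /.well-known/acme-challenge/ ! so that path is never forwarded to the app, and no Redirect to https for it.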

Logs

# certbot certonly --apache -w /var/www/html/ -d abc.example.com -d www.abc.example.com --email info@example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for abc.example.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/abc.example.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/abc.example.com-0001/privkey.pem
   Your cert will expire on 2023-09-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@paris:/# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/abc.example.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for abc.example.com
http-01 challenge for www.abc.example.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/abc.example.com-0001/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/abc.example.com-0001/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# certbot revoke --cert-path /etc/letsencrypt/live/abc.example.com/cert.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you like to delete the cert(s) you just revoked, along with all earlier
and later versions of the cert?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es (recommended)/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deleted all files relating to certificate abc.example.com.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully revoked the certificate that was located
at /etc/letsencrypt/live/abc.example.com/cert.pem

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# certbot certonly --webroot -w /var/www/html/ -d abc.example.com -d www.abc.example.com --email info@example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for abc.example.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain abc.example.com
http-01 challenge for abc.example.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: abc.example.com
   Type:   unauthorized
   Detail: (IP ADDRESS): Invalid response from
   https://abc.example.com/.well-known/acme-challenge/mujAsvwM5sxRsn_ecERGFTUNGicgFWnlHJs4zJWH9VM:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

# certbot certonly --standalone -w /var/www/html/ -d abc.example.com -d www.abc.example.com --email info@example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for abc.example.com
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

# certbot certonly --apache -w /var/www/html/ -d abc.example.com -d www.abc.example.com --email info@example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for abc.example.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/abc.example.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/abc.example.com-0001/privkey.pem
   Your cert will expire on 2023-09-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

# systemctl restart apache2

References
