사이트 내 전체검색
해킹 보안
검색목록
우분투 20.04 SSL 설정 오류 certbot challenge failed for domain connection refused
하우코드
https://cmd.kr/hack/2 URL이 복사되었습니다.

본문

Let 's Encrypt 와일드 카드 SSL 인증서
우분투 20.04 에서 cerbot 설치시 오류 발생되는경우
certbot -d domain.com 으로 도메인을 지정하고 방화벽을 443 설정해도 안되는경우
해결방법은 도메인에서 2개의 TXT를 추가해야한다.
_acme-challenge.domain.com  TXT AAA5E4aG-WCALqVPFZ68C-uSypSwlFEFaElWbhNDPWY
_acme-challenge.domain.com  TXT BBB5E4aG-WCALqVPFZ68C-uSypSwlFEFaElWbhNDPWY
=================================================================


# certbot certonly --manual --preferred-challenges=dns --email email@email.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d domain.com -d *.domain.com

# certbot -d domain.com -d *.domain.com

# service apache2 restart


====================================================================

오류 내용...
certbot -d domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain.com
Waiting for verification...
Challenge failed for domain domain.com
http-01 challenge for domain.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

  Domain: domain.com
  Type:  connection
  Detail: Fetching
  http://domain.com/.well-known/acme-challenge/5aUKtAJZuv7fk3NPPUWKiPFMDYISCnHhfxzUqmnqNFs:
  Error getting validation data

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address. Additionally, please check that
  your computer has a publicly routable IP address and that no
  firewalls are preventing the server from communicating with the
  client. If you're using the webroot plugin, you should also verify
  that you are serving files from the webroot path you provided.
=================================================================
해결방법
먼저 TXT를 추가하기위해 DNS 레코드 변경을 해야함..
certbot certonly --manual --preferred-challenges=dns --email email@email.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d domain.com -d *.domain.com


=================================================================
완료되면 업데이트 한다.

# certbot certonly --manual --preferred-challenges=dns --email email@email.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d domain.com -d *.domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for domain.com
dns-01 challenge for domain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.domain.com with the following value:

WMc5E4aG-WCALqVPFZ68C-uSypSwlFEFaElWbhNDPWY

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.domain.com with the following value:

Cu11TNBTwkYHT94DhZPl0OePDaFem4mm8hdOVC8Shhc

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/domain.com/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/domain.com/privkey.pem
  Your cert will expire on 2021-10-04. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot
  again. To non-interactively renew *all* of your certificates, run
  "certbot renew"
 - If you like Certbot, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt:  https://letsencrypt.org/donate
  Donating to EFF:                    https://eff.org/donate-le

# certbot -d domain.com -d *.domain.com    Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/domain.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Created an SSL vhost at /etc/apache2/sites-enabled/site-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/site-le-ssl.conf

Which VirtualHosts would you like to install the wildcard certificate for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: File: /etc/apache2/sites-enabled/site-le-ssl.conf
Addresses: *:443
Names: domain.com, www.domain.com
HTTPS: Yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/site-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/site.conf to ssl vhost in /etc/apache2/sites-enabled/site-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://domain.com and
https://*.domain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=domain.com
https://www.ssllabs.com/ssltest/analyze.html?d=*.domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/domain.com/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/domain.com/privkey.pem
  Your cert will expire on 2021-10-04. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot again
  with the "certonly" option. To non-interactively renew *all* of
  your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt:  https://letsencrypt.org/donate
  Donating to EFF:                    https://eff.org/donate-le

=================================================================
아파치 재가동
# service apache2 restart

=================================================================
DNS레코드 변경 잘 되었는지 확인하기 위해서는
https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.domain.com 으로 확인해서

두개의 TXT가 나와야 한다..
TXT
TTL: 2 minutes 53 seconds
VALUE: AAAu11TNBTwkYHT94DhZPl0OePDaFem4mm8hdOVC8Shhc
TTL: 2 minutes 53 seconds
VALUE: BBBc5E4aG-WCALqVPFZ68C-uSypSwlFEFaElWbhNDPWY

엔터를 누르고 레코드값나오면 추가하고 두번째 값나오면 또 추가하고 업데이트 대기 시간이 필요하다..

=================================================================
도메인별로 cerbot 오류가 1시간에 5번이 되면 .. 시간이 초과되었다고 나온다.. 또 시간 지연.,.,.

Revoking certificates does not reset rate limits, because the resources used to issue those certificates have already been consumed.

There is a Failed Validation limit of 5 failures per account, per hostname, per hour. This limit is higher on our staging environment, so you can use that environment to debug connectivity problems. Exceeding the Failed Validations limit is reported with the error message too many failed authorizations recently.



-- 출처 : howcode.co.kr

댓글목록

등록된 댓글이 없습니다.

Search

Copyright © Cmd 명령어 3.128.226.128