Ubuntu 20.04 SSL setup error: certbot "challenge failed for domain" / "connection refused"
Let's Encrypt wildcard SSL certificate
When an error occurs while setting up certbot on Ubuntu 20.04
If it still fails after specifying the domain with certbot -d domain.com and opening port 443 in the firewall,
the fix is to add two TXT records for the domain.
_acme-challenge.domain.com TXT AAA5E4aG-WCALqVPFZ68C-uSypSwlFEFaElWbhNDPWY
_acme-challenge.domain.com TXT BBB5E4aG-WCALqVPFZ68C-uSypSwlFEFaElWbhNDPWY
=================================================================
# certbot certonly --manual --preferred-challenges=dns --email email@email.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d domain.com -d *.domain.com
# certbot -d domain.com -d *.domain.com
# service apache2 restart
====================================================================
Error output...
certbot -d domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain.com
Waiting for verification...
Challenge failed for domain domain.com
http-01 challenge for domain.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: domain.com
Type: connection
Detail: Fetching
http://domain.com/.well-known/acme-challenge/5aUKtAJZuv7fk3NPPUWKiPFMDYISCnHhfxzUqmnqNFs:
Error getting validation data
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
=================================================================
Solution
First, the DNS records have to be changed to add the TXT records.
certbot certonly --manual --preferred-challenges=dns --email email@email.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d domain.com -d *.domain.com
=================================================================
Once the records are in place, run the update.
# certbot certonly --manual --preferred-challenges=dns --email email@email.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d domain.com -d *.domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for domain.com
dns-01 challenge for domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.domain.com with the following value:
WMc5E4aG-WCALqVPFZ68C-uSypSwlFEFaElWbhNDPWY
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.domain.com with the following value:
Cu11TNBTwkYHT94DhZPl0OePDaFem4mm8hdOVC8Shhc
Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.com/privkey.pem
Your cert will expire on 2021-10-04. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
# certbot -d domain.com -d *.domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/domain.com.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Created an SSL vhost at /etc/apache2/sites-enabled/site-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/site-le-ssl.conf
Which VirtualHosts would you like to install the wildcard certificate for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: File: /etc/apache2/sites-enabled/site-le-ssl.conf
Addresses: *:443
Names: domain.com, www.domain.com
HTTPS: Yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/site-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/site.conf to ssl vhost in /etc/apache2/sites-enabled/site-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://domain.com and
https://*.domain.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=domain.com
https://www.ssllabs.com/ssltest/analyze.html?d=*.domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.com/privkey.pem
Your cert will expire on 2021-10-04. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
=================================================================
Restart Apache
# service apache2 restart
=================================================================
To confirm that the DNS record change has taken effect, look it up at
https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.domain.com
and both TXT records should appear.
TXT
TTL: 2 minutes 53 seconds
VALUE: AAAu11TNBTwkYHT94DhZPl0OePDaFem4mm8hdOVC8Shhc
TTL: 2 minutes 53 seconds
VALUE: BBBc5E4aG-WCALqVPFZ68C-uSypSwlFEFaElWbhNDPWY
Press Enter; when the first record value is shown, add it; when the second value is shown, add that one too. Allow some waiting time for the DNS update to propagate before continuing.
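The waiting step above is where manual DNS-01 runs usually go wrong: Enter is pressed before both TXT values are actually visible, and each premature attempt counts against the failed-validation limit. This added helper (not from the original post) checks the `dig +short TXT` output against the values certbot asked for, and queries the zone's authoritative nameserver rather than the local resolver so a cached empty answer does not mislead; `domain.com` and the two challenge values are the post's placeholders, and `dig` is assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumes: dig (dnsutils) is available; domain.com and the challenge values
# are the placeholders used in the post, not real records.

# Return 0 if every expected value (given as arguments) appears as a TXT
# record in the `dig +short TXT` output read from stdin, 1 otherwise.
# dig prints each TXT record wrapped in double quotes, one per line, so the
# quotes are stripped before comparing. Exact, whole-line matching (-x -F)
# means a stale value left over from an earlier attempt cannot satisfy it.
txt_records_present() {
    observed=$(sed -e 's/^"//' -e 's/"$//')
    for expected in "$@"; do
        if ! printf '%s\n' "$observed" | grep -qxF -- "$expected"; then
            echo "missing TXT value: $expected" >&2
            return 1
        fi
    done
    return 0
}

# Ask the zone's authoritative nameserver directly: the recursive resolver
# may still serve a cached answer from before the records were added.
query_acme_txt() {
    domain=$1
    ns=$(dig +short NS "$domain" | head -n 1)
    if [ -n "$ns" ]; then
        dig +short TXT "_acme-challenge.$domain" "@$ns"
    else
        dig +short TXT "_acme-challenge.$domain"
    fi
}

# Poll until all expected values are visible, or give up after N attempts.
# Both values certbot printed must be present at the same time: the second
# record is added alongside the first, not in place of it.
wait_for_acme_txt() {
    domain=$1; attempts=$2; shift 2
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if query_acme_txt "$domain" | txt_records_present "$@"; then
            echo "all $# TXT value(s) visible for _acme-challenge.$domain"
            return 0
        fi
        i=$((i + 1))
        sleep 30
    done
    return 1
}

# Usage, with the post's placeholder values; press Enter in certbot only
# after this returns successfully:
# wait_for_acme_txt domain.com 10 \
#   WMc5E4aG-WCALqVPFZ68C-uSypSwlFEFaElWbhNDPWY \
#   Cu11TNBTwkYHT94DhZPl0OePDaFem4mm8hdOVC8Shhc
```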
=================================================================
If certbot fails 5 times within an hour for a domain, it reports that the limit has been exceeded, which means yet another delay.
Revoking certificates does not reset rate limits, because the resources used to issue those certificates have already been consumed.
There is a Failed Validation limit of 5 failures per account, per hostname, per hour. This limit is higher on our staging environment, so you can use that environment to debug connectivity problems. Exceeding the Failed Validations limit is reported with the error message too many failed authorizations recently.
-- Source: howcode.co.kr