For context:
We migrated servers. The certificate is currently valid on IP X, but we moved the application to another server, and now, when activating the certificate on the server with IP Y, a problem occurs.
I can read responses in English: Yes
My domain name is: drive.sigin.inf.br and upload.sigin.inf.br
I ran this command: sudo certbot --nginx -d drive.sigin.inf.br -d upload.sigin.inf.br
It produced this output:
root@cdn:~# sudo certbot --nginx -d drive.sigin.inf.br -d upload.sigin.inf.br
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for drive.sigin.inf.br
http-01 challenge for upload.sigin.inf.br
Waiting for verification...
Challenge failed for domain drive.sigin.inf.br
Challenge failed for domain upload.sigin.inf.br
http-01 challenge for drive.sigin.inf.br
http-01 challenge for upload.sigin.inf.br
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: drive.sigin.inf.br
   Type:   unauthorized
   Detail: Invalid response from
   https://drive.sigin.inf.br/.well-known/acme-challenge/qjwarBf1o1ioKttnxZf9ScqHu_Du16huQg37642MF_Q
   [157.245.13.94]: "\n<html class="ng-csp"
   data-placeholder-focus="false" lang="en" >\n\t<head
   data-requesttoken="Jik6CwA8Jn04GiUKJB9gWD"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

 - The following errors were reported by the server:

   Domain: upload.sigin.inf.br
   Type:   connection
   Detail: Fetching /s/KUaMWI0KKJqEI6v/authenticate: Cannot follow
   HTTP 303 redirects

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
My web server is (with version): nginx version: nginx/1.18.0 (Ubuntu)
The operating system on my web server is (with version):
Distributor ID: Ubuntu
Description: Ubuntu 20.04.1 LTS
Release: 20.04
Codename: focal
I can access a root shell on my machine (yes or no, or I don't know): Yes
I use a control panel to manage my site (no, or state the name and version of the control panel): No.
Below are the nginx configuration files:
drive.sigin.inf.br:
    upstream php-handler {
        # Both backends below are active, so nginx balances PHP requests between them;
        # if nothing listens on 127.0.0.1:9000, those requests are retried on the socket
        # only because fastcgi_next_upstream defaults to "error timeout".
        server 127.0.0.1:9000;
        # Depending on your used PHP version
        #server unix:/var/run/php5-fpm.sock;
        #server unix:/var/run/php7-fpm.sock;
        # Ubuntu 20.04 ships PHP 7.4 by default; confirm this socket path exists on the new host.
        server unix:/var/run/php/php7.0-fpm.sock;
    }

    server {
        index index.php;
        server_name drive.sigin.inf.br;
        access_log /var/log/nginx/drive.sigin.inf.br.access.log;
        error_log /var/log/nginx/drive.sigin.inf.br.error.log error;
        root /data/www/drive.sigin.inf.br;

        # Add headers to serve security related headers
        # Before enabling Strict-Transport-Security headers please read into this topic first.
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        # set max upload size
        #client_max_body_size 512M;
        client_max_body_size 5G;
        fastcgi_buffers 64 4K;

        # Disable gzip to avoid the removal of the ETag header
        # Enabling gzip would also make your server vulnerable to BREACH
        # if no additional measures are done. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773332
        gzip off;

        # Uncomment if your server is built with the ngx_pagespeed module
        # This module is currently not supported.
        #pagespeed off;

        error_page 403 /core/templates/403.php;
        error_page 404 /core/templates/404.php;

        # Every path not caught by a more specific location is handed to index.php,
        # including /.well-known/acme-challenge/... unless a dedicated location exists.
        location / {
            rewrite ^ /index.php$uri;
        }

        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
            return 404;
        }
        # This regex also matches "/.well-known/..."; an exact "location =" (which the
        # certbot nginx plugin inserts for the challenge token) still takes priority over it.
        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
            return 404;
        }

        location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param SCRIPT_NAME $fastcgi_script_name; # necessary for owncloud to detect the contextroot https://github.com/owncloud/core/blob/v10.0.0/lib/private/AppFramework/Http/Request.php#L603
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param HTTPS on;
            fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
            fastcgi_param front_controller_active true;
            #fastcgi_read_timeout 180; # increase default timeout e.g. for long running carddav/ caldav syncs with 1000+ entries
            fastcgi_read_timeout 3600;
            fastcgi_pass php-handler;
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off; #Available since NGINX 1.7.11
            fastcgi_max_temp_file_size 6144m;
        }

        location ~ ^/(?:updater|ocs-provider)(?:$|/) {
            try_files $uri $uri/ =404;
            index index.php;
        }

        # Adding the cache control header for js and css files
        # Make sure it is BELOW the PHP block
        location ~ \.(?:css|js)$ {
            try_files $uri /index.php$uri$is_args$args;
            add_header Cache-Control "max-age=15778463";
            # Add headers to serve security related headers (It is intended to have those duplicated to the ones above)
            # Before enabling Strict-Transport-Security headers please read into this topic first.
            add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
            add_header X-Content-Type-Options nosniff;
            add_header X-Frame-Options "SAMEORIGIN";
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Robots-Tag none;
            add_header X-Download-Options noopen;
            add_header X-Permitted-Cross-Domain-Policies none;
            # Optional: Don't log access to assets
            access_log off;
        }

        location ~ \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg|map)$ {
            add_header Cache-Control "public, max-age=7200";
            try_files $uri /index.php$uri$is_args$args;
            # Optional: Don't log access to other assets
            access_log off;
        }

        # Specific directory for files
        location /util {
            alias /mnt/util;
        }

        # Generic PHP handler for scripts not matched by the ownCloud block above.
        # The dot in the regex must be escaped, otherwise "\.php$" would match any
        # character followed by "php" (e.g. "/xphp").
        location ~ \.php$ {
            try_files $uri /index.php =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param DOCUMENT_ROOT $realpath_root;
            fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
            fastcgi_read_timeout 60000;
        } # this brace was commented out, which left the Certbot listen/ssl directives
          # below inside the location block, where "listen" is not allowed

        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/drive.sigin.inf.br/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/drive.sigin.inf.br/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }

    server {
        if ($host = drive.sigin.inf.br) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        listen 80;
        listen [::]:80;
        server_name drive.sigin.inf.br;
        return 404; # managed by Certbot
    }
upload.sigin.inf.br:
    server {
        server_name upload.sigin.inf.br;
        gzip on;
        access_log /var/log/nginx/upload.sigin.inf.br.access.log;
        error_log /var/log/nginx/upload.sigin.inf.br.error.log error;

        # A server-level "return" is executed in the server rewrite phase, before any
        # location is matched, so every request to this name (on port 80 and 443 alike)
        # is redirected here, including /.well-known/acme-challenge/... requests.
        return 301 https://drive.sigin.inf.br/s/KUaMWI0KKJqEI6v;

        listen [::]:443 ssl; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        listen 80;
        listen [::]:80;
        ssl_certificate /etc/letsencrypt/live/drive.sigin.inf.br/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/drive.sigin.inf.br/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }
Firewall status output for nginx:
    To                  Action      From
                        ALLOW       Anywhere
    Nginx Full          ALLOW       Anywhere
    Nginx Full (v6)     ALLOW       Anywhere (v6)
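Added example, not part of the original post or of the ownCloud template: an nginx layout in which http-01 challenges for both names are answered from a fixed webroot on port 80 before any redirect, so that validation does not depend on the application's rewrites (the `location /` rewrite to index.php and the `/.` regex returning 404 on drive.sigin.inf.br) or on the server-level `return 301` on upload.sigin.inf.br, which in the posted config sends the validator into the ownCloud share-link `/authenticate` 303 it cannot follow. The webroot `/var/www/letsencrypt` and the snippet path `/etc/nginx/snippets/acme-challenge.conf` are my assumptions; the certificate paths are the ones already in the post. One caveat first: the error output shows the validator reaching 157.245.13.94 and receiving ownCloud HTML. If that address is the old server, the A records still point there, and no nginx change on the new host can pass validation until DNS is updated.

```nginx
# /etc/nginx/snippets/acme-challenge.conf  (path is an assumption)
# "^~" is a prefix match that wins over the regex locations, so neither the
# "location ~ ^/(?:\.|...)" returning 404 nor "location /" ever sees the token.
location ^~ /.well-known/acme-challenge/ {
    root /var/www/letsencrypt;     # assumed webroot: mkdir -p /var/www/letsencrypt
    default_type text/plain;
    try_files $uri =404;
}

# Port-80 server for both names: challenge first, redirect everything else.
# The redirect lives inside "location /" on purpose: a server-level "return 301"
# runs before location matching and would swallow the challenge request.
server {
    listen 80;
    listen [::]:80;
    server_name drive.sigin.inf.br upload.sigin.inf.br;

    include /etc/nginx/snippets/acme-challenge.conf;

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS for upload.sigin.inf.br: the share-link redirect is kept, but only after
# the challenge location, so a request that reaches this server over TLS after a
# redirect is never bounced into the ownCloud "/authenticate" 303.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name upload.sigin.inf.br;

    ssl_certificate     /etc/letsencrypt/live/drive.sigin.inf.br/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/drive.sigin.inf.br/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    include /etc/nginx/snippets/acme-challenge.conf;

    location / {
        return 301 https://drive.sigin.inf.br/s/KUaMWI0KKJqEI6v;
    }
}
```

Before running certbot, check that both names resolve to this host (`dig +short A drive.sigin.inf.br` and the same for upload.sigin.inf.br must return the new server's public address), then confirm the path is reachable without the application in the way: create `/var/www/letsencrypt/.well-known/acme-challenge/test` containing any text and fetch `http://drive.sigin.inf.br/.well-known/acme-challenge/test` with curl; it must return 200 with that text, not a redirect and not ownCloud HTML. With that in place the certificate can be issued with `certbot certonly --webroot -w /var/www/letsencrypt -d drive.sigin.inf.br -d upload.sigin.inf.br`, and renewals keep working however the application's own locations change. Since the HTTPS server block references the certificate files at startup, either copy the existing `/etc/letsencrypt` directory (account key, renewal configs, live certificates) from the old host first, or issue the certificate before enabling the 443 block.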