When I use certbot normally, I find that certificate generation fails.
When I run: certbot --nginx --nginx-server-root=/usr/local/nginx/conf -d xxx.xxx.cc --agree-tos -n
the operation reports the following errors:
[root@xxx]# certbot --nginx --nginx-server-root=/opt/nginx/conf -d xxx.xxx.cc --agree-tos -n
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for xxx.xxx.cc
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: xxx.xxx.cc
Type: unauthorized
Detail: xxx.xxx.xxx.xxx: Invalid response from http://xxx.xxx.cc/.well-known/acme-challenge/WmZSZ365wHedn2mAFVP8Z2TWytMtcWm4FWHSte6tN7s: 404
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Then I checked the log: Certbot did not modify the configuration file of the server I specified.
This is my certbot log, as follows:
...
2022-08-25 13:42:21,053:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /opt/67_serv/nginx/conf/nginx.conf:
user www www;
worker_processes auto;
error_log /var/67_serv/log/nginx_error.log crit;
#error_log /var/67_serv/log/nginx_error.log debug;
pid /opt/67_serv/nginx/nginx.pid;
worker_rlimit_nofile 65535;
events {
use epoll;
worker_connections 65535;
}
http {
include /etc/letsencrypt/le_http_01_cert_challenge.conf;
include mime.types;
default_type application/octet-stream;
#charset gb2312;
server_names_hash_bucket_size 256;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 2048m;
sendfile on;
tcp_nopush on;
keepalive_timeout 600;
tcp_nodelay on;
server_tokens off;
fastcgi_connect_timeout 2400;
fastcgi_send_timeout 2400;
fastcgi_read_timeout 2400;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;
fastcgi_intercept_errors on;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.0;
gzip_comp_level 2;
gzip_types text/plain application/x-javascript text/css application/xml;
gzip_vary on;
gzip_disable "MSIE [1-6]\.";
server {
listen 80 default;
access_log off;
return 500;
}
include 67/*.conf;
server {rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot
listen 80 ;
access_log off;
return 500;
server_name xxx.xxx.cc; # managed by Certbot
location = /.well-known/acme-challenge/WmZSZ365wHedn2mAFVP8Z2TWytMtcWm4FWHSte6tN7s{default_type text/plain;return 200 WmZSZ365wHedn2mAFVP8Z2TWytMtcWm4FWHSte6tN7s.R-5nWdcUHcKuP-ecXyT4IqJehtpHrqVRYmaAO6XTUzQ;} # managed by Certbot
}}
2022-08-25 13:42:22,237:DEBUG:acme.client:JWS payload:
b'{}'
2022-08-25 13:42:22,239:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/145898632867/9QaXgg:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTEzODYzOTc4IiwgIm5vbmNlIjogIjAwMDFub1J5eWlrOTdnNXQ0ME9ua19aRkIxVUc5V0M0TXgtMGpudVJSRTRFVnVBIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8xNDU4OTg2MzI4NjcvOVFhWGdnIn0",
"signature": "Ik1oeF-MJxjdo8tZIxGmqBGpNiKJxaVUP82-_9rEnRCvuEg2ebBI9LHYpIu0qsubQ5nHXKPgHijcn2cftJJYqz20-bnP4MrxmOYVYDeYD9I1Q9lG4MtRhNr3WkcUOPQUUq5KFoFXV5grDwkBOsrvboKLKjshP3PPPKRQ1L7Mj50zZq4l_O_SKc7tJCEtGewlNLsO5QUXoAjwDdV1Sa34jF4qnNjBq9lkWoIj7K5H2Tv4DV6lD3xAW-EOGZi4U2QX48I_UYcPBN8Db0G3x_yOuJ_hhOqp0v1vLTqK3thpqabM-GnMIwBlQvLJJrsd5wIVdjnaoka8xtETyQJX-eYODQ",
"payload": "e30"
}
2022-08-25 13:42:22,402:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/145898632867/9QaXgg HTTP/1.1" 200 187
2022-08-25 13:42:22,403:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 25 Aug 2022 05:42:22 GMT
Content-Type: application/json
Content-Length: 187
Connection: keep-alive
Boulder-Requester: 113863978
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/145898632867>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/145898632867/9QaXgg
Replay-Nonce: 0002bYqQqBmDJ_VLVOPCbf7lTmK0oHFOqH246R8-GM9OEuE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/145898632867/9QaXgg",
"token": "WmZSZ365wHedn2mAFVP8Z2TWytMtcWm4FWHSte6tN7s"
}
2022-08-25 13:42:22,403:DEBUG:acme.client:Storing nonce: 0002bYqQqBmDJ_VLVOPCbf7lTmK0oHFOqH246R8-GM9OEuE
2022-08-25 13:42:22,403:INFO:certbot._internal.auth_handler:Waiting for verification...
2022-08-25 13:42:23,404:DEBUG:acme.client:JWS payload:
b''
2022-08-25 13:42:23,406:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/145898632867:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTEzODYzOTc4IiwgIm5vbmNlIjogIjAwMDJiWXFRcUJtREpfVkxWT1BDYmY3bFRtSzBvSEZPcUgyNDZSOC1HTTlPRXVFIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xNDU4OTg2MzI4NjcifQ",
"signature": "OpSn1eO6Jmu-z6CznJNRBFB08K29j4JzJp0EqLX_5X0Ar9ue-844StyvWsNUpwycIVlWix4VCdhUvZh5WBNRvFgI78r0uuM3OqCjfSsGVqufSbDxpD29FaKrsOhULrLpu5MZSrwzngY6urzRgAMwtTrAyavKKZ3zVrbElmFu85-nFl5MpCdvgfX_cwKFfbZ2edDH8PTOOpUBmLPrHc_3es42QwaEYp1BycRl4Bws8m2p-EYXvuGH_lwYujCs6jlGSyCs93V7RXoqByVSrATdxQCt6mRl04S-9dTMqlvBRn5wQ3Dz1LAYRySEdQ5Wj10XoD25oqnlUGAqX4HhDzAVRw",
"payload": ""
}
2022-08-25 13:42:23,571:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/145898632867 HTTP/1.1" 200 1027
2022-08-25 13:42:23,571:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 25 Aug 2022 05:42:23 GMT
Content-Type: application/json
Content-Length: 1027
Connection: keep-alive
Boulder-Requester: 113863978
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001yOA7Rr_UDMFbLH521Tq-yRwKuHVkincbOHEO3DKL1qE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "xxx.xxx.cc"
},
"status": "invalid",
"expires": "2022-09-01T05:42:19Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "xxx.xxx.xxx.xxx: Invalid response from http://xxx.xxx.cc/.well-known/acme-challenge/WmZSZ365wHedn2mAFVP8Z2TWytMtcWm4FWHSte6tN7s: 404",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/145898632867/9QaXgg",
"token": "WmZSZ365wHedn2mAFVP8Z2TWytMtcWm4FWHSte6tN7s",
"validationRecord": [
{
"url": "http://xxx.xxx.cc/.well-known/acme-challenge/WmZSZ365wHedn2mAFVP8Z2TWytMtcWm4FWHSte6tN7s",
"hostname": "xxx.xxx.cc",
"port": "80",
"addressesResolved": [
"xxx.xxx.xxx.xxx"
],
"addressUsed": "xxx.xxx.xxx.xxx"
}
],
"validated": "2022-08-25T05:42:22Z"
}
]
}
2022-08-25 13:42:23,571:DEBUG:acme.client:Storing nonce: 0001yOA7Rr_UDMFbLH521Tq-yRwKuHVkincbOHEO3DKL1qE
2022-08-25 13:42:23,571:INFO:certbot._internal.auth_handler:Challenge failed for domain xxx.xxx.cc
2022-08-25 13:42:23,572:INFO:certbot._internal.auth_handler:http-01 challenge for xxx.xxx.cc
2022-08-25 13:42:23,572:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: xxx.xxx.cc
Type: unauthorized
Detail: xxx.xxx.xxx.xxx: Invalid response from http://xxx.xxx.cc/.well-known/acme-challenge/WmZSZ365wHedn2mAFVP8Z2TWytMtcWm4FWHSte6tN7s: 404
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
2022-08-25 13:42:23,572:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/var/lib/snapd/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/var/lib/snapd/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2022-08-25 13:42:23,572:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-08-25 13:42:23,572:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-08-25 13:42:26,851:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/snap/certbot/2192/bin/certbot", line 8, in <module>
sys.exit(main())
File "/var/lib/snapd/snap/certbot/2192/lib/python3.8/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/var/lib/snapd/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/main.py", line 1744, in main
return config.func(config, plugins)
File "/var/lib/snapd/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/main.py", line 1441, in run
new_lineage = _get_and_save_cert(le_client, config, domains,
File "/var/lib/snapd/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/var/lib/snapd/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/client.py", line 530, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/var/lib/snapd/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/client.py", line 442, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/var/lib/snapd/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/client.py", line 510, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/var/lib/snapd/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/var/lib/snapd/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2022-08-25 13:42:26,852:ERROR:certbot._internal.log:Some challenges have failed.
After reading the log, I found that certbot modified nginx.conf directly, adding a server block at the end, which nginx ignores (because nginx uses the first server block with the same name that it reads), and it did not go into the configuration file corresponding to my domain name to modify it.
This is not right. Normally, certbot should output a log like the following:
2022-08-20 22:31:43,725:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /opt/nginx/conf/server/cloud:
...
2022-08-20 22:31:43,759:INFO:certbot_nginx._internal.configurator:Deploying Certificate to VirtualHost /opt/nginx/conf/server/cloud.conf
2022-08-20 22:31:43,760:DEBUG:certbot._internal.display.obj:Notifying user: Successfully deployed certificate for jenkins.oneboy.cc to /opt/nginx/conf/server/cloud.conf
2022-08-20 22:31:43,761:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /opt/nginx/conf/server/cloud.conf:
I have reinstalled certbot, and all ports are open. Does anyone have a solution? Help!
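Added example (not the poster's code and not part of certbot): a small Python model of how nginx picks a server block for a Host header and what its server-level `rewrite`/`return` directives do to the http-01 probe. It is useful for triaging the kind of 404 in the post, where certbot writes a correct-looking block (the `rewrite ... break;` it puts first lets `/.well-known/acme-challenge/` requests skip the copied `return 500;` and reach the `location =`) but an earlier block with the same `server_name` wins, because nginx uses the first exact match in file order and only warns about the conflicting name at `nginx -t`. The config below is constructed from the nginx.conf in the debug log; the vhost the poster keeps under `include 67/*.conf` is not on the page, so `USER_VHOST` (with an assumed `proxy_pass http://127.0.0.1:8080`) stands in for it, and `TOKEN`/`KEYAUTH` are placeholders for the real challenge token and key authorization. `include` lines are not followed and regex `server_name`/`location` forms are not modelled.

```python
import re

# Constructed sample modelled on the nginx.conf in the certbot debug log.
# The vhost the poster keeps under `include 67/*.conf` is not on the page, so a
# plausible one (USER_VHOST) is inlined here as an assumption.
USER_VHOST = """
    server {
        listen 80;
        server_name xxx.xxx.cc;
        location / { proxy_pass http://127.0.0.1:8080; }
    }
"""
SAMPLE_CONF = """
http {
    server {
        listen 80 default;
        access_log off;
        return 500;
    }
""" + USER_VHOST + """
    server {rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot
        listen 80 ;
        access_log off;
        return 500;
        server_name xxx.xxx.cc; # managed by Certbot
        location = /.well-known/acme-challenge/TOKEN {default_type text/plain;return 200 TOKEN.KEYAUTH;} # managed by Certbot
    }
}
"""
CHALLENGE = "/.well-known/acme-challenge/TOKEN"   # placeholder token, not the real one

# comments, quoted strings, block/statement punctuation, bare words
_TOKEN_RE = re.compile(r'#[^\n]*|"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'|[{};]|[^\s{};"\']+')


def parse(text):
    """nginx config text -> nested (name, args, children) tuples; `include` is kept as a plain directive."""
    root, stack, cur = [], [], []
    stack.append(root)
    for tok in _TOKEN_RE.findall(text):
        if tok.startswith("#"):
            continue
        if tok == ";":
            if cur:
                stack[-1].append((cur[0], cur[1:], None))
            cur = []
        elif tok == "{":
            block = (cur[0], cur[1:], [])
            stack[-1].append(block)
            stack.append(block[2])
            cur = []
        elif tok == "}":
            stack.pop()
        else:
            cur.append(tok.strip("\"'"))
    return root


def servers(tree):
    """All server blocks in file order (nginx takes the first one on ties)."""
    out = []
    for name, _, children in tree:
        if name == "server":
            out.append(children)
        elif children:
            out.extend(servers(children))
    return out


def listen_port(args):
    m = re.search(r":(\d+)$|^(\d+)$", args[0])
    return int(m.group(1) or m.group(2)) if m else 80   # bare address means port 80


def select_server(srvs, host, port=80):
    """nginx order: first exact server_name, longest leading wildcard, longest
    trailing wildcard, the default server for the port, else the first listener."""
    host = host.lower()
    cands = [b for b in srvs if any(n == "listen" and a and listen_port(a) == port for n, a, _ in b)]

    def names(b):
        return [x.lower() for n, a, _ in b if n == "server_name" for x in a]

    for b in cands:
        if host in names(b):
            return b
    for pred in (lambda n: n.startswith("*.") and host.endswith(n[1:]),
                 lambda n: n.endswith(".*") and host.startswith(n[:-1])):
        hits = [(len(n), b) for b in cands for n in names(b) if pred(n)]
        if hits:
            return max(hits, key=lambda h: h[0])[1]
    for b in cands:
        if any(n == "listen" and {"default", "default_server"} & set(a[1:]) for n, a, _ in b):
            return b
    return cands[0] if cands else None


def find_location(block, uri):
    """Exact `=` location first, else the longest prefix location (no regex locations)."""
    best = None
    for name, args, children in block:
        if name != "location" or not args or args[0] in ("~", "~*"):
            continue
        if args[0] == "=":
            if args[1:] == [uri]:
                return children
            continue
        prefix = args[1] if args[0] == "^~" else args[0]
        if uri.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, children)
    return best[1] if best else None


def simulate(tree, host, uri, port=80):
    """Pick the server block, run its server-level rewrite-phase directives in
    order (`return` answers at once; a matching `rewrite ... break` ends the
    phase so location lookup happens), then honour a `return` in the location.
    Returns (server index, status); status is None when the request goes to a
    content handler (proxy, static files) whose answer this model cannot know."""
    srvs = servers(tree)
    block = select_server(srvs, host, port)
    if block is None:
        return None, None
    idx = next(i for i, b in enumerate(srvs) if b is block)
    for name, args, _ in block:
        if name == "return" and args and args[0].isdigit():
            return idx, int(args[0])
        if name == "rewrite" and "break" in args[2:] and re.search(args[0], uri):
            break
    for name, args, _ in find_location(block, uri) or []:
        if name == "return" and args and args[0].isdigit():
            return idx, int(args[0])
    return idx, None


if __name__ == "__main__":
    print("probe with duplicate vhost:", simulate(parse(SAMPLE_CONF), "xxx.xxx.cc", CHALLENGE))
    print("probe without it:", simulate(parse(SAMPLE_CONF.replace(USER_VHOST, "")), "xxx.xxx.cc", CHALLENGE))
```

With the duplicate vhost present the probe lands in block 1 (the included vhost), whose `location /` is a proxy the model cannot answer for, which matches the 404 coming from the poster's own backend rather than from certbot's block. With that vhost removed the same probe reaches certbot's block and gets the `200` from the challenge location, while any other URI in that block still gets the copied `return 500`. Against a real server, `nginx -T` shows the fully expanded tree (with includes) that this parser deliberately does not follow.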