Dokku + letsencrypt: can get SSL for a subdomain, but not for the root domain


I am using the server-side CLI to get SSL for my web app (following the instructions here:)

After finishing the install, I ran:

root@taaalk:~# dokku letsencrypt taaalk
=====> Let's Encrypt taaalk
-----> Updating letsencrypt docker image...
0.1.0: Pulling from dokku/letsencrypt
Digest: sha256:af5f8529c407645e97821ad28eba328f4c59b83b2141334f899303c49fc07823
Status: Image is up to date for dokku/letsencrypt:0.1.0
docker.io/dokku/letsencrypt:0.1.0
       Done updating
-----> Enabling ACME proxy for taaalk...
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
-----> Getting letsencrypt certificate for taaalk...
        - Domain 'taaalk.taaalk.co'
darkhttpd/1.12, copyright (c) 2003-2016 Emil Mikulic.
listening on: http://0.0.0.0:80/
2020-04-28 23:12:10,728:INFO:__main__:1317: Generating new account key
2020-04-28 23:12:11,686:INFO:__main__:1343: By using simp_le, you implicitly agree to the CA's terms of service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
2020-04-28 23:12:12,017:INFO:__main__:1406: Generating new certificate private key
2020-04-28 23:12:14,753:ERROR:__main__:1388: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4241725520
2020-04-28 23:12:14,757:INFO:__main__:396: Saving account_key.json
2020-04-28 23:12:14,758:INFO:__main__:396: Saving account_reg.json
Challenge validation has failed, see error log.

Debugging tips: -v improves output verbosity. Help is available under --help.
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for taaalk...
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
       done
root@taaalk:~#
So, more readably, the error is:

2020-04-28 23:12:14,753:ERROR:__main__:1388: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4241725520

I have googled a lot, and the most promising post I found on the subject is:

In that post it suggests checking for:
Dokku domain misconfiguration
a missing network listener

I ran dokku domains:report to check for misconfiguration. This returned:

root@taaalk:~# dokku domains:report
=====> taaalk domains information
       Domains app enabled:           true                     
       Domains app vhosts:            taaalk.taaalk.co         
       Domains global enabled:        true                     
       Domains global vhosts:         taaalk.co 
Then I ran dokku network:report to check for a missing listener:

root@taaalk:~# dokku network:report
=====> taaalk network information
       Network attach post create:    
       Network attach post deploy:    
       Network bind all interfaces:   false
       Network web listeners:         172.17.0.4:5000
After talking it through with a friend, we tried adding an 'A' record to my DNS with the host 'taaalk.taaalk.co'.

I then ran:

root@taaalk:~# dokku letsencrypt taaalk
=====> Let's Encrypt taaalk
-----> Updating letsencrypt docker image...
0.1.0: Pulling from dokku/letsencrypt
Digest: sha256:af5f8529c407645e97821ad28eba328f4c59b83b2141334f899303c49fc07823
Status: Image is up to date for dokku/letsencrypt:0.1.0
docker.io/dokku/letsencrypt:0.1.0
       Done updating
-----> Enabling ACME proxy for taaalk...
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
-----> Getting letsencrypt certificate for taaalk...
        - Domain 'taaalk.taaalk.co'
darkhttpd/1.12, copyright (c) 2003-2016 Emil Mikulic.
listening on: http://0.0.0.0:80/
2020-04-30 13:39:58,623:INFO:__main__:1406: Generating new certificate private key
2020-04-30 13:40:03,879:INFO:__main__:396: Saving fullchain.pem
2020-04-30 13:40:03,880:INFO:__main__:396: Saving chain.pem
2020-04-30 13:40:03,880:INFO:__main__:396: Saving cert.pem
2020-04-30 13:40:03,880:INFO:__main__:396: Saving key.pem
-----> Certificate retrieved successfully.
-----> Installing let's encrypt certificates
-----> Unsetting DOKKU_PROXY_PORT
-----> Setting config vars
       DOKKU_PROXY_PORT_MAP:  http:80:5000
-----> Setting config vars
       DOKKU_PROXY_PORT_MAP:  http:80:5000 https:443:5000
-----> Configuring taaalk.taaalk.co...(using built-in template)
-----> Creating https nginx.conf
       Enabling HSTS
       Reloading nginx
-----> Configuring taaalk.taaalk.co...(using built-in template)
-----> Creating https nginx.conf
       Enabling HSTS
       Reloading nginx
-----> Disabling ACME proxy for taaalk...
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
       done
This was successful.

However, now taaalk.taaalk.co has SSL and taaalk.co does not.

I don't know where to go from here. I feel it would make sense to change the vhost from taaalk.taaalk.co to taaalk.co, but I'm not sure that is right, nor how to do it. The Dokku docs don't seem to cover changing the vhost name:

Thanks for your help

Update

I changed the vhost to taaalk.co, so I now have:

root@taaalk:~# dokku domains:report
=====> taaalk domains information
       Domains app enabled:           true                     
       Domains app vhosts:            taaalk.co                
       Domains global enabled:        true                     
       Domains global vhosts:         taaalk.co  
However, I still get the following error:

root@taaalk:~# dokku letsencrypt taaalk
=====> Let's Encrypt taaalk
-----> Updating letsencrypt docker image...
0.1.0: Pulling from dokku/letsencrypt
Digest: sha256:af5f8529c407645e97821ad28eba328f4c59b83b2141334f899303c49fc07823
Status: Image is up to date for dokku/letsencrypt:0.1.0
docker.io/dokku/letsencrypt:0.1.0
       Done updating
-----> Enabling ACME proxy for taaalk...
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
-----> Getting letsencrypt certificate for taaalk...
        - Domain 'taaalk.co'
darkhttpd/1.12, copyright (c) 2003-2016 Emil Mikulic.
listening on: http://0.0.0.0:80/
2020-04-30 17:01:12,996:INFO:__main__:1406: Generating new certificate private key
2020-04-30 17:01:46,068:ERROR:__main__:1388: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4277663330
Challenge validation has failed, see error log.

Debugging tips: -v improves output verbosity. Help is available under --help.
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for taaalk...
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
       done
root@taaalk:~# 
Copied again below for readability:

2020-04-30 17:01:46,068:ERROR:__main__:1388: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4277663330

Challenge validation has failed, see error log.

The fix was pretty simple. First, I made DNS records for both www. and the root, pointing at the server.

Then I set the vhosts to taaalk.co and www.taaalk.co with dokku domains:add taaalk www.taaalk.co, etc.

Then I removed all the certs related to taaalk.co with dokku certs:remove taaalk.

Then I ran dokku letsencrypt taaalk and everything worked.


For anyone who tried what Joshua did and still couldn't get letsencrypt to generate a certificate:

My problem was that I had no port mapping for port 80 in dokku, so letsencrypt couldn't talk to the server to authorize the new certificate, and failed with this error:

ERROR:__main__:1388: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4277663330
Challenge validation has failed, see error log.

Silly me - I had removed the http 80 port mapping in dokku because I thought it was unnecessary.

To fix it, I just added the port mapping back:

dokku proxy:ports-add myapp http:80:4000
(Note: my app listens on port 4000, so your port may differ)

Then run dokku letsencrypt:

dokku letsencrypt myapp

The order matters: with the proxy ports set correctly, letsencrypt can connect and regenerate the TLS certificate automatically again.

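Both failures on this page come down to the HTTP-01 challenge being unreachable: in the question, a vhost with no A record pointing at the server; in the answer above, no http:80 mapping for the ACME proxy to answer on. As an added example (not Dokku's own code and not from either answer), this Python pre-flight script checks both conditions from the text of dokku domains:report and the DOKKU_PROXY_PORT_MAP value before dokku letsencrypt is run; the server IP and the pluggable resolver are assumptions, and the resolver hook exists so the check can be exercised offline with a stub.

```python
"""Pre-flight checks for `dokku letsencrypt` (HTTP-01 validation).
Added example, not Dokku's own code: checks the two failure modes on this
page, a vhost whose DNS does not point at the server and a missing http:80
port mapping that leaves the ACME proxy unreachable."""
import re
import socket
from typing import Callable, Iterable, List, Tuple


def parse_vhosts(report: str) -> List[str]:
    """Hostnames on the 'Domains app vhosts:' line of `dokku domains:report`."""
    m = re.search(r"Domains app vhosts:\s*(.*)", report)
    return m.group(1).split() if m else []


def parse_port_map(port_map: str) -> List[Tuple[str, int, int]]:
    """Parse a DOKKU_PROXY_PORT_MAP value such as 'http:80:5000 https:443:5000'."""
    out = []
    for entry in port_map.split():
        scheme, host_port, container_port = entry.split(":")
        out.append((scheme, int(host_port), int(container_port)))
    return out


def has_http80(mappings: Iterable[Tuple[str, int, int]]) -> bool:
    """HTTP-01 challenges arrive over plain HTTP on port 80; that mapping must exist."""
    return any(s == "http" and hp == 80 for s, hp, _ in mappings)


def resolve_a(host: str) -> List[str]:
    """Live resolver: all IPv4 addresses for host (empty if it does not resolve)."""
    try:
        return sorted({i[4][0] for i in socket.getaddrinfo(host, 80, socket.AF_INET)})
    except socket.gaierror:
        return []


def preflight(report: str, port_map: str, server_ip: str,
              resolver: Callable[[str], List[str]] = resolve_a) -> List[str]:
    """Return the problems found; an empty list means issuance should succeed."""
    problems = []
    vhosts = parse_vhosts(report)
    if not vhosts:
        problems.append("no vhosts configured for the app")
    for host in vhosts:  # every vhost is validated separately by the CA
        addrs = resolver(host)
        if not addrs:
            problems.append(f"{host}: no A record")
        elif server_ip not in addrs:
            problems.append(f"{host}: resolves to {addrs}, not {server_ip}")
    if not has_http80(parse_port_map(port_map)):
        problems.append("no http:80 mapping in DOKKU_PROXY_PORT_MAP")
    return problems
```

Run it with the real resolver against `dokku domains:report` and `dokku config:get myapp DOKKU_PROXY_PORT_MAP` output; an empty result means the only remaining causes are the firewall and IPv6/CAA points the simp_le error mentions.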