
Fixing "Connection reset by peer" or DNS-not-found errors when renewing a Let's Encrypt HTTPS certificate with certbot renew

Miscellany / Ops · AZ · 2656 views · 0 comments

A forum I have been maintaining recently kept going down on its own. Going through the logs and the cron jobs, I found that the HTTPS renewal script was the cause. Only when I started tidying up the script did I discover it was erroring out, so the cron job would hang partway through and stop executing. The error was roughly as follows:

DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/renewal.py", line 430, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 1168, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/renewal.py", line 305, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 335, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 371, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 161, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 232, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. www.jzxn.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.jzxn.com/.well-known/acme-challenge/54K-Z68JeLJr0UNnbhdtCBuARrhDkwyy-4LIU5EqnTE: Connection reset by peer

I changed a few things afterwards, and it still failed:

Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/

After applying the fixes I found online, it still failed:

DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1156
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 29 Nov 2018 07:50:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 29 Nov 2018 07:50:10 GMT
Connection: keep-alive

{
"identifier": {
"type": "dns",
"value": "www.jzxn.com"
},
"status": "pending",
"expires": "2018-12-06T07:50:08Z",
"challenges": [
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/r3M-mOk4T4irPDxYUjReSvCdkvR4Jqh8IOts0zISn-I/9774611202",
"token": "tczjffrzdkU6JzKGszk1AHEGWQwev6bIki37Or8UG7s"
},
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/r3M-mOk4T4irPDxYUjReSvCdkvR4Jqh8IOts0zISn-I/9774611209",
"token": "5sxqp-hsY68W75I0vaVSxNX3bVCecWem5ZeKPy_ykOE"
},
{
"type": "tls-sni-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/r3M-mOk4T4irPDxYUjReSvCdkvR4Jqh8IOts0zISn-I/9774611223",
"token": "bHtpeB8nYBQkpsnnS2lEtehxsXP9WAHNiJ2MmQ0kcZA"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/r3M-mOk4T4irPDxYUjReSvCdkvR4Jqh8IOts0zISn-I/9774611227",
"token": "yekZF4ZIjR5nNyV0qmrk-cS6SfRZRt_HtKoetHqflYw"
}
]
}

After a lot more searching I finally noticed a sentence I had skipped over: the official rules changed on 2018-08-01, but neither my certbot nor my script had been updated. The --server option has to be added; as far as I understand it, once Let's Encrypt added wildcard-domain support the server needs to be specified explicitly. Without it you get some DNS-related error; unfortunately I did not save that error message.
Finally I adjusted the script so that the certificate is renewed without stopping the nginx service.

/bin/certbot --webroot -w /hom/wwwroot/jzxn --force-renew renew --server https://acme-v01.api.letsencrypt.org/directory --disable-hook-validation --renew-hook "/etc/init.d/nginx reload"
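The two failures above are linked: every http-01 attempt that the ACME validator cannot fetch from the webroot counts against the "too many failed authorizations" rate limit, so it pays to verify locally that the challenge path is actually served before calling certbot. The following pre-flight check is an added example, not part of the original post or of certbot itself; it writes a throwaway token into <webroot>/.well-known/acme-challenge/, fetches it over plain HTTP the way the validator would, and only reports success if the same bytes come back. The webroot, domain and the `fetch` callable are assumptions so the check can also run offline.

```python
"""Pre-flight check for certbot --webroot renewals (http-01 challenge)."""
import os
import secrets
import subprocess
import sys
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def http_fetch(url: str, timeout: float = 10.0) -> bytes:
    """Default fetcher: a plain HTTP GET, following redirects as the validator does."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def preflight(webroot: str, domain: str, fetch=http_fetch) -> tuple:
    """Return (ok, message). `fetch` is injectable so tests need no network."""
    token = secrets.token_urlsafe(32)          # random name, like a real ACME token
    chal_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    body = token.encode()
    with open(path, "wb") as fh:
        fh.write(body)
    url = f"http://{domain}/{CHALLENGE_DIR}/{token}"
    try:
        got = fetch(url)
    except (urllib.error.URLError, OSError) as exc:
        # Same class of failure the validator reports as "Connection reset by peer"
        return False, f"cannot fetch {url}: {exc} (is nginx up and port 80 reachable?)"
    finally:
        os.remove(path)                        # never leave probe files in the webroot
    if got != body:
        return False, f"{url} returned other content; check that -w is the vhost document root"
    return True, f"{url} served the probe token; safe to run certbot renew"


if __name__ == "__main__":
    # Assumed values: adjust to the real webroot and hostname before use.
    ok, msg = preflight("/var/www/example", "www.example.test")
    print(msg)
    if not ok:
        sys.exit(1)                            # stop here instead of burning rate-limit budget
    subprocess.run(["certbot", "renew", "--webroot", "-w", "/var/www/example",
                    "--deploy-hook", "/etc/init.d/nginx reload"], check=False)
```

Running it from cron ahead of the renewal means a dead web server produces one clear log line and a non-zero exit instead of a hung job and a rate-limited account.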

My understanding may be off; I am just noting it here for the record.
