Common problems encountered when deploying Let's Encrypt with Certbot

This article collects the problems most often encountered when deploying Let's Encrypt and is continuously updated.

1 Error when running the certbot command

Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 570, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2687, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2341, in load
    return self.resolve()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2347, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 18, in <module>
    from certbot import account
  File "/usr/lib/python2.7/site-packages/certbot/account.py", line 18, in <module>
    from acme import messages
  File "/usr/lib/python2.7/site-packages/acme/messages.py", line 11, in <module>
    from acme import challenges
  File "/usr/lib/python2.7/site-packages/acme/challenges.py", line 12, in <module>
    import requests
  File "/usr/lib/python2.7/site-packages/requests/__init__.py", line 58, in <module>
    from . import utils
  File "/usr/lib/python2.7/site-packages/requests/utils.py", line 32, in <module>
    from .exceptions import InvalidURL
  File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line 10, in <module>
    from .packages.urllib3.exceptions import HTTPError as BaseHTTPError
  File "/usr/lib/python2.7/site-packages/requests/packages/__init__.py", line 95, in load_module
    raise ImportError("No module named '%s'" % (name,))
ImportError: No module named 'requests.packages.urllib3'

The last line already makes it obvious: the python-urllib3 package is missing. The problem is caused by a version that is too old, and it can be solved by upgrading pip:

pip install --upgrade pip

If that still does not solve it, reinstall with the command

pip install --upgrade --force-reinstall 'requests==2.6.0' urllib3

and try again.

2 Online site validation fails

The command certbot --nginx -d yourdomain.com validates the site online. If validation fails while running this command, it is most likely because your site cannot be reached. A successful validation looks like this:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for yourdomain.com
http-01 challenge for www.yourdomain.com
Waiting for verification...
Cleaning up challenges

Update added 2019-11-18

A site that uses Tencent Cloud (in 《》 the author mentioned the reason for choosing Tencent Cloud CDN: it does not charge extra for HTTPS) failed site validation every time the certificate was renewed, whether through the automatic crontab renewal or a manual /usr/sbin/certbot renew:

Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.xxx.com/fullchain.pem (failure)

Solution:

When a CDN is in use and online validation fails, delete the CNAME record and add an A record pointing at the server's IP address so that the renewal can complete. Once the certificate has been renewed, switch back to the CDN's CNAME record.

3 "Challenge failed for yourdomain.com" error

Today, while deploying SSL for a site that uses Alibaba Cloud CDN, the following error occurred:

certbot --nginx -d www.gxxwj.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.gxxwj.com
Waiting for verification...
Challenge failed for domain www.gxxwj.com
http-01 challenge for www.gxxwj.com
Cleaning up challenges
Some challenges have failed.

The site could be accessed normally, but validation simply would not pass when deploying SSL. Because Alibaba Cloud CDN forwards everything through a CNAME to xxxx.w.kunlungr.com, changing the record to an A record resolving to the IP address allowed validation to pass.
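Both CDN failures above (sections 2 and 3) share one cause: the http-01 challenge is fetched from whatever the name resolves to, so a CNAME pointing at a CDN means Let's Encrypt never reaches the origin. The following pre-flight script is an added example, not part of this post or of certbot; it classifies the answer that dig +short returns for the name, checks that the origin IP is among the A records, and probes the challenge path on port 80 before certbot is run. The function names and the sample DNS answers are constructed for this example; only dig and curl are real tools.

```shell
#!/bin/sh
# acme_preflight.sh: check the conditions the http-01 challenge needs
# before running "certbot --nginx" or "certbot renew" (hypothetical helper).

# classify_answer: takes the lines "dig +short NAME" prints (one record per
# line) and prints "cname" if any line is a hostname (a CDN alias), "a" if
# every line is an IPv4 address, or "empty" if the name does not resolve.
classify_answer() {
    answer=$1
    [ -z "$answer" ] && { echo empty; return; }
    if printf '%s\n' "$answer" | grep -qvE '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
        echo cname
    else
        echo a
    fi
}

# points_at_origin: succeeds when ORIGIN_IP is one of the A records in ANSWER.
points_at_origin() {
    answer=$1; origin_ip=$2
    printf '%s\n' "$answer" | grep -qxF "$origin_ip"
}

# expected_token_url: the URL Let's Encrypt fetches for the http-01 token.
expected_token_url() {
    echo "http://$1/.well-known/acme-challenge/$2"
}

# preflight NAME ORIGIN_IP: live check (needs dig and curl). Succeeds when the
# name resolves to the origin through A records only and port 80 answers.
preflight() {
    name=$1; origin_ip=$2
    answer=$(dig +short "$name")
    case $(classify_answer "$answer") in
        cname) echo "$name is behind a CNAME (CDN?): use an A record to the origin during renewal"; return 1 ;;
        empty) echo "$name does not resolve"; return 1 ;;
    esac
    points_at_origin "$answer" "$origin_ip" || { echo "$name resolves to $answer, not $origin_ip"; return 1; }
    # Probe the challenge path: a 404 is fine (no token placed yet), 000 means unreachable.
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$(expected_token_url "$name" probe)")
    [ "$code" != "000" ] || { echo "port 80 on $name is unreachable"; return 1; }
    echo "ok: $name -> $origin_ip, HTTP $code on the challenge path"
}
```

Run it as `preflight www.yourdomain.com <origin IP>` from the web server itself; a "cname" result is exactly the situation the two sections above describe.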

4 Certbot cannot renew certificates automatically on CentOS + Nginx

This happens because the certbot command run by the cron job is skipped when Nginx is running, so a hook is needed that stops the nginx service for the duration of the renew:

certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start" --dry-run

Finally, edit /etc/crontab with vi and add:

10 17 * * 0 certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"

On Ubuntu, do the same with crontab:

crontab -e

0  0,12 *  *  * certbot renew --post-hook "systemctl reload nginx"

#OR

0  0,12 *  *  * certbot renew --post-hook "systemctl reload apache2"

Read Comments

  • 无处不难 (5 years ago)

    Boss, I also ran into the "Challenge failed for yourdomain.com" error while deploying Let's Encrypt with Certbot, which is how I found your tutorial. I am using a free freenom domain with an A record pointing directly at the IP address, and it still does not pass validation. What should I do?

    • Julian (5 years ago)

      Use curl on the server first to see whether the site can be accessed normally. This error is caused by the site not being reachable; check the DNS cache and make sure the site is reachable.
