Nginx 上配置 HTTPS 环境 about blog HOT 8 OPEN

更新证书时，如果 crontab 脚本不生效，或者执行 certbot renew 等出现如下错误时：

The manual plugin is not working; there may be problems with your existing configuration ......
.....
PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',

则需要运行下列命令手动更新

certbot certonly -d *.xxx.com --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

// 或者
path/to/certbot-auto certonly -d *.xxx.com --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

链接：Failed authorization procedure via DNS

So, certbot renew is a non-interactive command. The reason it will not run without passing the auth-hook scripts is that Certbot needs to be able to update your TXT records automatically with new challenge values. That is what the hooks are for.

The initial TXT records you created are most likely no longer valid. In the best case, they only authorize you to issue certificates for the domain for 30 days. After that time (or earlier), the value of the challenge changes, and the TXT records must be updated to a new challenge value.

The way you are calling certbot renew does not do this, because your empty scripts are meant to be updating the TXT records, but they do nothing.

If you wish to do the manual DNS challenge again (interactively, rather than non-interactively), then you need to run certbot certonly using the same parameters that you used the first time. certbot renew doesn’t do what you want.

更新完毕之后重新启动服务器

from blog.

1. 升级到通配符证书可能出现的问题：https://community.letsencrypt.org/t/certbot-the-currently-selected-acme-ca-endpoint-does-not-support-issuing-wildcard-certificates/55667

2. certbot-auto 升级到 0.22.x，进行 certbot-auto renew --dry-run 可能出现类似如下错误：

An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively

修复方案是运行 certbot-auto renew

3. certbot renew 的时间问题: https://community.letsencrypt.org/t/renew-says-cert-not-yet-due-for-renewal-though-it-is-more-than-30-days-old/21182/7

from blog.

@dwqs 我阿里云配置certbot后可以上https，但是要翻墙才能上，这是什么原因？之前是不用翻墙的，今天发现网站打不开，log里面也没有错，翻墙后就能正常访问了。请问这是什么原因？谢谢

from blog.

@Fabriceli 这个我也不是很清楚了 之前我在阿里云上配置的时候 没有出现你的这种情况

from blog.

你好，我用-d参数配置多个域名合在一个证书中时，浏览器检查是ok的，myssl检查不匹配，我不知道是不是因为我负载均衡的问题，请问你有测试过这样吗

from blog.

@Victorkangsh 这个我没测试过

from blog.

@dwqs 我弄明白了，阿里云slb分默认证书和多域名证书，当把san证书加为多域名证书时，也就是默认证书不是san证书,san证书的非主域名检测会指向默认证书，只有san的主域名是正确指向san证书的。至于普通nginx没有测试，不知道情况

from blog.

@Victorkangsh 多谢分享

from blog.