ubuntu – letsencrypt certbot超时错误

尝试运行命令时,我得到了这个奇怪的letsencrypt错误

$certbot certonly --standalone --email example@gmail.com --agree-tos -n -d trumporate.com,www.trumporate.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for trumporate.com
tls-sni-01 challenge for www.trumporate.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. trumporate.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout, www.trumporate.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: trumporate.com
   Type:   connection
   Detail: Timeout

   Domain: www.trumporate.com
   Type:   connection
   Detail: Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

现在我使用了生成文件dhparam

$sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

这是我目前的nginx conf文件

$cat /etc/nginx/sites-available/trumporate 
server {
    listen 80;
    server_name trumporate.com www.trumporate.com; 

    location / {
        include proxy_params;
        proxy_redirect off;
        proxy_pass http://127.0.0.1:5000;
    }
}

不知道我哪里错了. trumporate.com应该可以在我运行certbot的这个虚拟机上解析吗？

停止了nginx并再次运行它,给出了同样的错误

我已通过route53注册域名.
它有2个A型记录,指向连接到ec2盒子的弹性IP.
一个用于www版本,一个没有它,并且有4个NS记录和一个SOA记录,我认为在创建托管区域时默认存在

解决方法:

Should trumporate.com be resolvable on this vm where I am running certbot?

听起来你没有在你试图获得证书的ec2盒子上运行命令.这将是一个问题,因为独立旋转网络服务器,然后尝试使用您提供的域外部命中它.这可以说“证明”你拥有这个域名.您需要从ec2框运行命令,并且需要通过安全组打开它运行到世界的端口.您可以使用–tls-sni-01-port指定tls-sni端口(失败的端口),但默认情况下它在443上,因此您可能只需要打开端口443.

您还提到您正在使用route53,因此您可以使用route53验证程序.这具有在任何地方工作的优点,您只需要在运行它的计算机上设置访问密钥/密钥.

certbot certonly --dns-route53 --domains trumporate.com,www.trumporate.com

标签：lets-encrypt,nginx,amazon-ec2,ubuntu,ssl-certificate
来源： https://codeday.me/bug/20190823/1699827.html