使用 certbot 更新证书以添加子域

Question

我有一个安装了 LetsEncrypt 证书的域，并设置了 apache conf 以将 www 转发到非 www 并将非 ssl 转发到 ssl。一切都很好，直到我决定添加一个子域并尝试生成一个新证书来涵盖两者。

现在我在运行 certbot 时得到以下输出：

root@arthas:~# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: domain.com
2: playground.domain.com
3: www.playground.domain.com
4: www.domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2,3,4

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/domain.com.conf)

It contains these names: domain.com, www.domain.com

You requested these names for the new certificate: domain.com,
playground.domain.com, www.playground.domain.com, www.domain.com.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain.com
http-01 challenge for playground.domain.com
http-01 challenge for www.domain.com
http-01 challenge for www.playground.domain.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
Created an SSL vhost at /etc/apache2/sites-enabled/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
An unexpected error occurred:
ValueError: Unable to set value to path!
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - Unable to install the certificate
 - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/domain.com/fullchain.pem
   Your key file has been saved at: /etc/letsencrypt/live/domain.com/privkey.pem
   Your cert will expire on 2019-07-19.
   To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option.
   To non-interactively renew *all* of your certificates, run "certbot renew"
 - Some rewrite rules copied from /etc/apache2/sites-enabled/000-default.conf were disabled in the vhost for your HTTPS site located at /etc/apache2/sites-enabled/000-default-le-ssl.conf because they have the potential to create redirection loops.

另外，我已将 000-default.conf 文件的内容复制到以下：

# Added to mitigate CVE-2017-8295 vulnerability
UseCanonicalName On

<VirtualHost *:80>
        ServerAdmin webmaster@localhost

        ServerName domain.com
        ServerAlias www.domain.com

        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =www.domain.com [OR]
        RewriteCond %{SERVER_NAME} =domain.com [OR]
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
        ServerAdmin webmaster@localhost

        ServerName playground.domain.com
        ServerAlias www.playground.domain.com

        DocumentRoot /var/www/html/playground

        <Directory /var/www/html/playground>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =www.playground.domain.com [OR]
        RewriteCond %{SERVER_NAME} =playground.domain.com [OR]
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Answer 1

您似乎有多个可能导致冲突的 .conf 文件。

• 方法一：将<VirtualHost *:80>和<VirtualHost *:443>全部放置 同一个配置文件中的规则
• 方法 2：将它们分开并 在末尾添加Include /path/to/httpd-le-ssl.conf 000-default.conf

运行$ sudo certbot renew --dry-run 以检查您修改后的配置是成功还是失败。

在您对配置进行故障排除和修复时，使用 --dry-run 不会影响您的限制。成功完成后，您可以通过各种方式运行 certbot 并期望一切正常。

Answer 2

尝试一次性为多个域安装证书时出现同样的错误消息。如果您将所有 VirtualHost 都放在同一个配置文件中并且不想将它们分开，请尝试分别为域安装证书。

例子：

当您需要为以下域安装证书时

1. domain01.com
2. www.domain01.com
3. domain02.com
4. www.domain02.com

在步骤

Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1,2,3,4

输入 1, 2 而不是 1,2,3,4，然后重复安装 3, 4

Answer 3

我也遇到过同样的问题。下面的步骤已经解决了我的问题。

1. 如果您已尝试设置 SSL，请删除所有现有的 certbot 文件。 按照此链接如何从系统中删除现有的 Certbot 文件 https://askubuntu.com/a/1195603/871518

2. 将所有单独的域从单个 vhost.conf 文件中分离出来。 示例：

          domain1.conf
          domain2.conf

Enable vhost in your created two new file by typing : 

   a2ensite domain1.conf
   a2esnite domain2.conf

1. 运行 certbot 命令：

    sudo certbot --apache

4. 如果“serverAlias”包含在您的虚拟列表中，您可能会看到 4 个域列表：

     1. domain1.com
     2. domain2.com
     3. www.domain1.com
     4. www.domain2.com
   

第一次旅程只选择 1 和 3

5. 是的，您已成功完成 domain1.com SSL 支持，并再次为 SSL 支持执行相同操作domain2.com：

sudo certbot --apache

Answer 4

当您运行此命令时，请确保您的顺序也正确。例如：example.org 应该在请求中的 mail.example.org 之前。否则，尤其是在使用 Route 53 选项时，会收到奇怪的区域错误消息。