我有一个运行nginx和托管个人网站的raspberry pi。我的pi显示nginx正在端口80上运行,但拒绝连接。这是一个问题,因为这意味着我不能使用certbot续订我的SSL证书。
我知道nginx和我的网站都在工作,因为如果我在家庭网络上去https://<IP address of PI>,我就会到我的网站。
是,我已检查DNS设定是否正确。如果我ping getty.nz,我会得到响应。
我的配置应该没问题,因为nginx -t没有显示任何问题。
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful字符串
我已将ufw设置为阻止除端口22、80和443之外的所有端口。下面是状态的输出。
$ sudo ufw status
Status: active
To Action From
-- ------ ----
443 ALLOW Anywhere
80 ALLOW Anywhere
22 ALLOW Anywhere
443 (v6) ALLOW Anywhere (v6)
80 (v6) ALLOW Anywhere (v6)
22 (v6) ALLOW Anywhere (v6)型
下面是ss的输出,显示我的端口正在被监听:
$ sudo ss -lntp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=502,fd=6))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=399,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1932,fd=10),("nginx",pid=415,fd=10))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1932,fd=9),("nginx",pid=415,fd=9))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=399,fd=4))
LISTEN 0 511 [::]:80 [::]:* users:(("nginx",pid=1932,fd=11),("nginx",pid=415,fd=11))
LISTEN 0 511 [::]:443 [::]:* users:(("nginx",pid=1932,fd=8),("nginx",pid=415,fd=8))
LISTEN 0 244 [::1]:5432 [::]:* users:(("postgres",pid=502,fd=5))型
以下是certbot对我的域(getty.nz和rss.getty.nz)的输出:
$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: getty.nz
2: rss.getty.nz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/getty.nz.conf)
It contains these names: getty.nz
You requested these names for the new certificate: getty.nz, rss.getty.nz.
Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate for getty.nz and rss.getty.nz
Performing the following challenges:
http-01 challenge for getty.nz
http-01 challenge for rss.getty.nz
Waiting for verification...
Challenge failed for domain getty.nz
Challenge failed for domain rss.getty.nz
http-01 challenge for getty.nz
http-01 challenge for rss.getty.nz
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: getty.nz
Type: connection
Detail: 122.61.157.36: Fetching
http://getty.nz/.well-known/acme-challenge/7KasvsA5z6yvpzXlOv5hzmT_u7lOgtzlaoEY6DAMmic:
Timeout during connect (likely firewall problem)
Domain: rss.getty.nz
Type: connection
Detail: 122.61.157.36: Fetching
http://rss.getty.nz/.well-known/acme-challenge/cqhf7anWcw1_you9q90y18UVdCfjAJeEg88tNeDoWig:
Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.型
2条答案
按热度按时间2q5ifsrm1#
在发送证书续订请求之前,路由器上的端口80,443是否已打开并转发到您的raspberry pi IP?
camsedfj2#
Certbot尝试访问安装SSL证书所需的验证文件,该文件位于“. wellknown”文件夹下。但是,当尝试浏览URL“http:getty.nz”时,会出现错误,指出“无法访问此站点”。此外,ping域名“getty.nz”会导致超时。
此问题似乎源于无法访问Certbot所需的URL,从而导致更新SSL证书时出现问题。为了解决这个问题,我提出了两种可能的解决方案:
请重新启动服务器或与您的主机提供商联系以解决“无法访问此网站”问题。一旦解决了根本问题,请尝试使用Certbot续订SSL证书。
或者,您可以尝试直接重新启动服务器,然后尝试使用Certbot续订SSL证书。
这两个选项都可能有助于解决当前的SSL续订问题。如果问题仍然存在,您可能需要向您的主机提供商或系统管理员寻求进一步的帮助。