Spent half the day trying to get an SSL certificate issued and it still won't go through... losing my mind

    Laynooor · 2016-11-04 13:54:41 +08:00 · 5299 views

    The tutorial I followed is this article: https://imququ.com/post/letsencrypt-certificate.html. I've issued certificates several times before and it always went smoothly; this time, for some reason, it keeps erroring out.

    Environment: CentOS 6.5, nginx 1.11.5, PHP 5.6.22; a dedicated server on a 10M China Telecom line.

    I've been at it all morning and through lunch; it either hangs at Registering account or hangs at Verifying example.com. When it doesn't hang, it throws all kinds of error messages...

    • Checked permissions; the owner of the web root is www;

    • Checked the verification directory; it can be reached from a browser;

    • Tried Google; maybe I'm searching the wrong way, but I can't find any relevant solution.

    In the errors below, the site and IP have been replaced with example.com and 1.2.3.4.

    Error 1

    [root@play ssl]# python3 acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /home/wwwroot/example.com/challenges/ > ./signed.crt
    Parsing account key...
    Parsing CSR...
    Registering account...
    Traceback (most recent call last):
      File "/usr/local/lib/python3.5/urllib/request.py", line 1254, in do_open
        h.request(req.get_method(), req.selector, req.data, headers)
      File "/usr/local/lib/python3.5/http/client.py", line 1106, in request
        self._send_request(method, url, body, headers)
      File "/usr/local/lib/python3.5/http/client.py", line 1151, in _send_request
        self.endheaders(body)
      File "/usr/local/lib/python3.5/http/client.py", line 1102, in endheaders
        self._send_output(message_body)
      File "/usr/local/lib/python3.5/http/client.py", line 934, in _send_output
        self.send(msg)
      File "/usr/local/lib/python3.5/http/client.py", line 877, in send
        self.connect()
      File "/usr/local/lib/python3.5/http/client.py", line 1260, in connect
        server_hostname=server_hostname)
      File "/usr/local/lib/python3.5/ssl.py", line 377, in wrap_socket
        _context=self)
      File "/usr/local/lib/python3.5/ssl.py", line 752, in __init__
        self.do_handshake()
      File "/usr/local/lib/python3.5/ssl.py", line 988, in do_handshake
        self._sslobj.do_handshake()
      File "/usr/local/lib/python3.5/ssl.py", line 633, in do_handshake
        self._sslobj.do_handshake()
    ssl.SSLEOFError: EOF occurred in violation of protocol (_ssl.c:645)
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "acme_tiny.py", line 198, in <module>
        main(sys.argv[1:])
      File "acme_tiny.py", line 194, in main
        signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
      File "acme_tiny.py", line 85, in get_crt
        "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf",
      File "acme_tiny.py", line 47, in _send_signed_request
        protected["nonce"] = urlopen(CA + "/directory").headers['Replay-Nonce']
      File "/usr/local/lib/python3.5/urllib/request.py", line 163, in urlopen
        return opener.open(url, data, timeout)
      File "/usr/local/lib/python3.5/urllib/request.py", line 466, in open
        response = self._open(req, data)
      File "/usr/local/lib/python3.5/urllib/request.py", line 484, in _open
        '_open', req)
      File "/usr/local/lib/python3.5/urllib/request.py", line 444, in _call_chain
        result = func(*args)
      File "/usr/local/lib/python3.5/urllib/request.py", line 1297, in https_open
        context=self._context, check_hostname=self._check_hostname)
      File "/usr/local/lib/python3.5/urllib/request.py", line 1256, in do_open
        raise URLError(err)
    urllib.error.URLError: <urlopen error EOF occurred in violation of protocol (_ssl.c:645)>
    

    Error 2

    [root@play ssl]# python3 acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /home/wwwroot/example.com/challenges/ > ./signed.crt
    Parsing account key...
    Parsing CSR...
    Registering account...
    Already registered!
    Verifying example.com...
    Traceback (most recent call last):
      File "acme_tiny.py", line 198, in <module>
        main(sys.argv[1:])
      File "acme_tiny.py", line 194, in main
        signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
      File "acme_tiny.py", line 149, in get_crt
        domain, challenge_status))
    ValueError: example.com challenge did not pass: {'uri': 'https://acme-v01.api.letsencrypt.org/acme/challenge/Ilf8ybQprBkc3Tpde6y74k-_ZYQHmZtUspNqSm-Pmf8/324821556', 'validationRecord': [{'port': '80', 'hostname': 'example.com', 'addressUsed': '1.2.3.4', 'url': 'http://example.com/.well-known/acme-challenge/me2UMm_5-ex0XLsMRyHPN1jLMusGK_CjzED9eQ332pM', 'addressesResolved': ['1.2.3.4']}], 'status': 'invalid', 'token': 'me2UMm_5-ex0XLsMRyHPN1jLMusGK_CjzED9eQ332pM', 'error': {'type': 'urn:acme:error:connection', 'status': 400, 'detail': 'DNS problem: query timed out looking up CAA for example.com'}, 'keyAuthorization': 'me2UMm_5-ex0XLsMRyHPN1jLMusGK_CjzED9eQ332pM.yToImuHAOUC9MTwjHh1ZrQ4TWVMjIcGoZki5fC63-kI', 'type': 'http-01'}
    
    

    Error 3

    [root@play ssl]# python3 acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /home/wwwroot/example.com/challenges/ > ./signed.crt
    Parsing account key...
    Parsing CSR...
    Registering account...
    Traceback (most recent call last):
      File "acme_tiny.py", line 198, in <module>
        main(sys.argv[1:])
      File "acme_tiny.py", line 194, in main
        signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
      File "acme_tiny.py", line 92, in get_crt
        raise ValueError("Error registering: {0} {1}".format(code, result))
    ValueError: Error registering: None Remote end closed connection without response
    
    

    Error 4

    [root@play ssl]# python3 acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /home/wwwroot/example.com/challenges/ > ./signed.crt
    Parsing account key...
    Parsing CSR...
    Registering account...
    Traceback (most recent call last):
      File "acme_tiny.py", line 198, in <module>
        main(sys.argv[1:])
      File "acme_tiny.py", line 194, in main
        signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
      File "acme_tiny.py", line 85, in get_crt
        "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf",
      File "acme_tiny.py", line 47, in _send_signed_request
        protected["nonce"] = urlopen(CA + "/directory").headers['Replay-Nonce']
      File "/usr/local/lib/python3.5/urllib/request.py", line 163, in urlopen
        return opener.open(url, data, timeout)
      File "/usr/local/lib/python3.5/urllib/request.py", line 466, in open
        response = self._open(req, data)
      File "/usr/local/lib/python3.5/urllib/request.py", line 484, in _open
        '_open', req)
      File "/usr/local/lib/python3.5/urllib/request.py", line 444, in _call_chain
        result = func(*args)
      File "/usr/local/lib/python3.5/urllib/request.py", line 1297, in https_open
        context=self._context, check_hostname=self._check_hostname)
      File "/usr/local/lib/python3.5/urllib/request.py", line 1257, in do_open
        r = h.getresponse()
      File "/usr/local/lib/python3.5/http/client.py", line 1197, in getresponse
        response.begin()
      File "/usr/local/lib/python3.5/http/client.py", line 297, in begin
        version, status, reason = self._read_status()
      File "/usr/local/lib/python3.5/http/client.py", line 266, in _read_status
        raise RemoteDisconnected("Remote end closed connection without"
    http.client.RemoteDisconnected: Remote end closed connection without response
    
    Appendix 1  ·  2016-11-04 15:14:16 +08:00
    Got it issued...
    1. Changed the server's DNS from 114.114.114.114 to Alibaba's DNS, which fixed the hang at Registering account;
    2. I had generated the CSR file with the first method in the tutorial; I tried deleting the CSR and generating it with the second method, the interactive one, then applied again, and it succeeded.

    Hope this helps whoever comes after me...
    8 replies    2016-12-08 10:58:37 +08:00
    1 · qingxin · 2016-11-04 14:29:37 +08:00 · ❤️ 1
    Tencent Cloud and Alibaba both offer free ones... I don't get why you insist on fiddling with this.
    2 · xsn · 2016-11-04 14:35:20 +08:00 · ❤️ 1
    Try acme.sh: /t/309878
    3 · miyuki · 2016-11-04 14:39:06 +08:00 via Android · ❤️ 1
    I hear you get blocked if you apply too many times...

    https://www.v2ex.com/t/241819#reply62 is what I use
    4 · abelyao · 2016-11-04 14:43:35 +08:00 via iPhone · ❤️ 1
    Try certbot
    5 · Laynooor (OP) · 2016-11-04 15:15:24 +08:00
    @xsn
    @miyuki
    @abelyao Thanks, already solved... I'm worn out
    6 · Havee · 2016-11-04 15:54:18 +08:00
    https://certbot.eff.org/docs/using.html#webroot
    certbot feels like the simplest; if you need something more complex, it provides all the parameters...

    It also provides a docker image...
    7 · Aduang · 2016-12-08 00:54:11 +08:00
    Traceback (most recent call last):
    File "/tmp/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
    File "/tmp/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
    File "/tmp/acme_tiny.py", line 123, in get_crt
    wellknown_path, wellknown_url))
    CentOS 7, help
    I've already removed the www redirect. The URL is reachable too. It's just that the final crt never gets generated; the file size stays at 0. And nothing gets written into the verification folder either.
    8 · Laynooor (OP) · 2016-12-08 10:58:37 +08:00
    @Aduang Try changing the owner of the verification folder to www
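The thread shows three distinct places an acme_tiny HTTP-01 run can stall: the local resolver (the hang at Registering account that went away after switching DNS servers), the TLS connection to the CA's directory endpoint (the SSLEOFError and RemoteDisconnected tracebacks in errors 1, 3 and 4), and the challenge file that must be written into the acme-dir and served back byte-for-byte (reply #7's empty crt and empty verification folder, answered in reply #8 with an ownership fix). The script below is an added pre-flight check written for this thread; it is not acme_tiny's code nor the linked tutorial's. It assumes the account key's public JWK is available as a JSON file (acme_tiny itself reads a PEM key, so that conversion is the reader's), that the web server already serves the challenge directory at http://<domain>/.well-known/acme-challenge/, and it uses acme_tiny's v1 endpoint as seen in the thread's output. The function names, the `DEFAULT_CA` constant and the JWK-file argument are this example's own choices.

```python
#!/usr/bin/env python3
"""Pre-flight checks for an acme_tiny-style HTTP-01 issuance (added example,
not acme_tiny's code). Exercises what the CA must be able to do before
"Verifying example.com" can pass: fetch <CA>/directory over TLS and read
<token>.<JWK thumbprint> from http://<domain>/.well-known/acme-challenge/.
Network calls are injectable so the pure parts can run offline."""
import base64
import hashlib
import json
import os
import secrets
import socket
import sys
import urllib.request

# Assumption: acme_tiny's v1 endpoint, as it appears in the thread's output.
DEFAULT_CA = "https://acme-v01.api.letsencrypt.org"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the canonical JSON of the required
    members only (sorted keys, no whitespace); "kid", "alg" etc. are excluded."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The exact body the CA expects to read at the challenge URL."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def write_probe(acme_dir: str, jwk: dict) -> tuple:
    """Write a self-generated token file the way acme_tiny does, so an
    ownership/permission problem surfaces here instead of at the CA."""
    token = b64url(secrets.token_bytes(32))
    path = os.path.join(acme_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return token, path


def body_matches(token: str, jwk: dict, served: bytes) -> bool:
    """Compare the web server's response with the expected key authorization.
    Trailing whitespace is tolerated; anything else (e.g. an HTML 404) fails."""
    return served.rstrip(b" \t\r\n") == key_authorization(token, jwk).encode("ascii")


def resolve(domain: str, resolver=socket.gethostbyname_ex) -> list:
    """Addresses the local resolver returns; [] on timeout or NXDOMAIN."""
    try:
        return list(resolver(domain)[2])
    except OSError:
        return []


def fetch(url: str, timeout: float = 10.0) -> tuple:
    """(status, headers, body) through urllib, the same stack acme_tiny uses."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status, resp.headers, resp.read()


def preflight(domain: str, acme_dir: str, jwk: dict, ca: str = DEFAULT_CA,
              fetcher=fetch, resolver=socket.gethostbyname_ex) -> dict:
    """Run all checks; each value is (passed: bool, detail)."""
    results = {}
    addrs = resolve(domain, resolver)
    results["dns"] = (bool(addrs), addrs or "no A record from local resolver")

    # acme_tiny's first request is GET <CA>/directory to obtain a Replay-Nonce.
    try:
        status, headers, _ = fetcher(ca + "/directory")
        has_nonce = any(k.lower() == "replay-nonce" for k in headers)
        ok = status == 200 and has_nonce
        results["ca_directory"] = (ok, f"status {status}, nonce {'present' if has_nonce else 'missing'}")
    except Exception as exc:  # SSLEOFError, RemoteDisconnected, URLError, ...
        results["ca_directory"] = (False, repr(exc))

    token, path = write_probe(acme_dir, jwk)
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    try:
        _, _, body = fetcher(url)
        results["challenge"] = (body_matches(token, jwk, body), url)
    except Exception as exc:
        results["challenge"] = (False, f"{url}: {exc!r}")
    finally:
        os.remove(path)  # leave no stale probe behind
    return results


if __name__ == "__main__":
    # Usage: preflight.py example.com /home/wwwroot/example.com/challenges/ account.jwk.json
    domain, acme_dir, jwk_file = sys.argv[1:4]
    with open(jwk_file, encoding="utf-8") as fh:
        account_jwk = json.load(fh)  # assumed: the account key's public JWK
    for name, (ok, detail) in preflight(domain, acme_dir, account_jwk).items():
        print(f"[{'OK' if ok else 'FAIL'}] {name}: {detail}")
```

A run that fails only `dns` or `ca_directory` reproduces the Registering account hang and points at the server's resolver or its path to the CA, which is what the appendix fixed; a run where `write_probe` raises PermissionError, or where `challenge` fails with a body mismatch, is the reply #7 situation. The CAA timeout in error 2 is different: that detail comes from the CA's own resolver failing to reach the domain's authoritative name servers, so it cannot be reproduced locally, and a run that passes all three checks yet still returns it points at the authoritative DNS rather than at the web server.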