Renewing a Let's Encrypt certificate with DNS validation!

I was renewing my Let's Encrypt certificate right up against the deadline when it failed unexpectedly, and after that HTTP validation would not pass no matter what I tried.
A look at the community forum left me baffled: it turns out a Failed Validation limit had been enabled, and failed validations are tied to the IP address, domain name and so on. A failed validation expires after one hour; you have to keep validating within that hour, otherwise you are locked out and cannot validate again until seven days later, with no way to unlock it.
Digging through the docs, I found DNS validation. It is simple: just put the specified string in a TXT record.

First, run this on the server:

certbot certonly --manual --preferred-challenges dns -d clowlido.com -d www.clowlido.com

After confirming with Y, certbot generates a record name, _acme-challenge.clowlido.com, with the record value XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.
In your DNS server, or in the DNS settings of your domain registrar's management site, create a new TXT record [_acme-challenge] and fill in the specified record value [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX].
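Before telling certbot to continue, it is worth confirming that the TXT record is actually visible from outside, since every premature attempt counts as one more failed validation against the limit described above. The following helper is an added example, not part of the original post; it assumes dig is installed, uses 8.8.8.8 as the resolver to query (an assumption, chosen to avoid a stale negative answer cached by the local resolver), and takes the domain and the value certbot printed as arguments.

```python
"""Poll DNS until the _acme-challenge TXT record certbot asked for is visible.

Added example (not from the original post). Assumes `dig` is installed and
queries 8.8.8.8 instead of the local resolver, because the local resolver may
have cached a negative answer from before the record was created.
"""
import re
import subprocess
import sys
import time

ACME_LABEL = "_acme-challenge"
RESOLVER = "8.8.8.8"  # assumption: any public or authoritative resolver works


def challenge_name(domain: str) -> str:
    """Return the TXT record name certbot prints, e.g. _acme-challenge.clowlido.com."""
    return f"{ACME_LABEL}.{domain.strip('.').lower()}"


def parse_dig_txt(output: str):
    """Parse `dig +short TXT` output into record strings.

    dig prints each TXT record as one or more double-quoted chunks on a line;
    long records arrive as several chunks that must be concatenated."""
    records = []
    for line in output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            records.append("".join(c.replace('\\"', '"') for c in chunks))
    return records


def txt_matches(records, expected: str) -> bool:
    """True only when the exact value certbot printed is among the answers."""
    return expected in records


def lookup_txt(name: str):
    proc = subprocess.run(["dig", "+short", "TXT", name, "@" + RESOLVER],
                          capture_output=True, text=True, timeout=15)
    return parse_dig_txt(proc.stdout)


def wait_for_txt(domain: str, expected: str, attempts: int = 12, delay: int = 10) -> bool:
    """Retry for up to attempts*delay seconds; only then press Enter in certbot."""
    name = challenge_name(domain)
    for _ in range(attempts):
        if txt_matches(lookup_txt(name), expected):
            return True
        time.sleep(delay)
    return False


if __name__ == "__main__":
    sys.exit(0 if wait_for_txt(sys.argv[1], sys.argv[2]) else 1)
```

Run it once per domain in the command (clowlido.com and www.clowlido.com each get their own challenge value); an exit status of 0 means the record is visible and it is safe to continue.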

After all, DNS validation needs no new file on the server, no permissions to sort out, and no access control.
The downside is that this manual renewal does not support certbot renew.

Appendix: the failed Let's Encrypt renewal produced various errors, for example:
Attempting to renew cert (clowlido.com) from /etc/letsencrypt/renewal/clowlido.com.conf produced an unexpected error: Failed authorization procedure. clowlido.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.clowlido.com: Connection reset by peer, www.clowlido.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.clowlido.com: Connection reset by peer. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/clowlido.com/fullchain.pem (failure)

An unexpected error occurred:
There were too many requests of a given type :: Error creating new authz :: Too many invalid authorizations recently.
