相关文章推荐
宽容的铁链  ·  早发型阿尔茨海默病:65 ...·  2 周前    · 
阳光的充值卡  ·  合肥轨道交通6号线传来最新消息·  6 月前    · 
不羁的围巾  ·  度母为什么是绿色的:故事解析及度母形象探究_ ...·  1 年前    · 
打篮球的鼠标垫  ·  伴有假性病理征的多巴反应性肌张力障碍二例- ...·  1 年前    · 
飞奔的松树  ·  读后感范文_读后感400字大全·  1 年前    · 
小百科  ›  LE fails to verify domain when site has been set up only to listen to port 443 and all requests for
dss domain sha256 nginx
痴情的斑马
2 周前

I’m not sure where you found that confirmation. Nginx would downright refuse to start if the certificates aren’t where they’re supposed to be. However, HTTP is still working, so that’s not the case.

I would suggest taking a look at your nginx error log.

Again, changing your client invocation or Let’s Encrypt’s configuration files won’t change anything. Right now, your web server is not responding to HTTPS requests. You’re redirecting to an URL that doesn’t work. That is what you need to fix.

You confirmed it. But NGINX didn’t die, it only refuses to open the sites that redirect all request to port 443 and that LE failed to update; another site (www.stigharder.com) on the same server that listens only to port 80 is still up. That site failed also, but as it needs to be live, we changed the config not to use TLS until this issue has been resolved.

That’s correct and this is the reason I opened this thread. The site was up until LE tried (but failed) to update the certificate. According to @pfg , it’s because NGINX refuses to open a site “if the certificates aren’t where they’re supposed to be.” We didn’t change anything; all was working perfectly until the failed update by LE. The minute cron started the updates in sequence, all the sites that had LE certificates in place promptly died one after the other.

Hey @pfg – we just ran /opt/letsencrypt/letsencrypt-auto certonly --renew-by-default --config /opt/letsencrypt/webroot.moonloupe.com.ini again and the error log reports:

2016/02/04 17:44:04 [error] 484#0: *5215 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 66.133.109.36, server: 0.0.0.0:443

This server block doesn’t have a ssl_certificate directive (or any of the other directives necessary for SSL to work): 

server {
        listen 443;
        server_name example.com;
        return 301 https://www.example.com$request_uri;

Make sure you include all SSL directives in all server blocks that use SSL.

              
Alright, we added everything to the redirect block, but now NGINX failed to restart:


server {
        listen 80;
        server_name moonloupe.com;
        return 301 https://www.moonloupe.com$request_uri;
server {
        listen 80;
        server_name www.moonloupe.com;
        return 301 https://www.moonloupe.com$request_uri;
server {
        listen 443 ssl;
        server_name moonloupe.com;
        return 301 https://www.moonloupe.com$request_uri;
        ssl on;
        ssl_certificate /etc/letsencrypt/live/moonloupe.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/moonloupe.com/privkey.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SH$
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        ssl_dhparam /etc/ssl/private/dhparams.pem;
server {
	listen 443 ssl;
	listen [::]:443 ssl;
	server_name www.moonloupe.com;
	root /var/www/moonloupe.com/html;
	index index.php index.html index.htm;
	location / {
		try_files $uri $uri/ =404;
	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/var/run/php5-fpm.sock;
	location '/.well-known/acme-challenge' {
		root /var/www/moonloupe.com/html;
		try_files $uri /$1;
	ssl on;
	ssl_certificate /etc/letsencrypt/live/moonloupe.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/moonloupe.com/privkey.pem;
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
	ssl_dhparam /etc/ssl/private/dhparams.pem;
$ sudo systemctl status nginx.service
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled)
   Active: failed (Result: exit-code) since Thu 2016-02-04 18:49:19 EST; 20s ago
  Process: 28748 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
  Process: 28751 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
 Main PID: 480 (code=exited, status=0/SUCCESS)
Feb 04 18:49:19 newyork nginx[28751]: nginx: [emerg] invalid number of arguments in "ssl_ciphers" directive in /etc/nginx/sites-enabled/moonloupe.com:27
Feb 04 18:49:19 newyork nginx[28751]: nginx: configuration file /etc/nginx/nginx.conf test failed
Feb 04 18:49:19 newyork systemd[1]: nginx.service: control process exited, code=exited status=1
Feb 04 18:49:19 newyork systemd[1]: Failed to start A high performance web server and a reverse proxy server.
Feb 04 18:49:19 newyork systemd[1]: Unit nginx.service entered failed state.

 harder:

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SH$


this line is cut off (see trailing $).

              
Hey @pfg! Wow, that did indeed bring moonloupe.com back up and we were also able to update the certificate with /opt/letsencrypt/letsencrypt-auto certonly --renew-by-default --config /opt/letsencrypt/webroot.moonloupe.com.ini. The odd thing is that the new certificate doesn’t seem to connect with the site. The new certificate we just made expires on May 4th (see the output below), not May 2nd, which was the expiration date of the one we originally made two days ago.


$ /opt/letsencrypt/letsencrypt-auto certonly --renew-by-default --config /opt/letsencrypt/webroot.moonloupe.com.ini
    Updating letsencrypt and virtual environment dependencies......
    Requesting root privileges to run with virtualenv: sudo /home/harder/.local/share/letsencrypt/bin/letsencrypt certonly --renew-by-default --config /opt/letsencrypt/webroot.moonloupe.com.ini
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/moonloupe.com/fullchain.pem. Your cert will
   expire on 2016-05-04. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

        listen 80;
        server_name www.moonloupe.com;
        return 301 https://www.moonloupe.com$request_uri;
server {
        listen 443 ssl;
        server_name moonloupe.com;
        return 301 https://www.moonloupe.com$request_uri;
	ssl on;
	ssl_certificate /etc/letsencrypt/live/moonloupe.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/moonloupe.com/privkey.pem;
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
	ssl_dhparam /etc/ssl/private/dhparams.pem;
server {
	listen 443 ssl;
	listen [::]:443 ssl;
	server_name www.moonloupe.com;
	root /var/www/moonloupe.com/html;
	index index.php index.html index.htm;
	location / {
		try_files $uri $uri/ =404;
	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/var/run/php5-fpm.sock;
	location '/.well-known/acme-challenge' {
		root /var/www/moonloupe.com/html;
		try_files $uri /$1;
	ssl on;
	ssl_certificate /etc/letsencrypt/live/moonloupe.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/moonloupe.com/privkey.pem;
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
	ssl_dhparam /etc/ssl/private/dhparams.pem;
              
You’ll need to reload your web server, usually with something like service nginx reload (at least on Ubuntu).


Nginx will drain all existing open connections and then reload the configuration and certificates. This works without downtime.

              
Oh, yeah – that did the trick! It’s funny – we now added all the TLS information to the redirect block, but the “.well-known/acme-challenge” part is included only in the final block. This all seems very eccentric to us, something unique to LE (not that we don’t love eccentric – we do!); the other sites we run, including fashion.net, do not have anything TLS related in the 443 redirect. In any case, as this works now, well just update all the configuration files and all will be good again. Thank you, @pfg – absolutely amazing!
 
推荐文章
宽容的铁链  ·  早发型阿尔茨海默病:65 岁之前开始出现症状- 妙佑医疗国际
2 周前
阳光的充值卡  ·  合肥轨道交通6号线传来最新消息
6 月前
不羁的围巾  ·  度母为什么是绿色的:故事解析及度母形象探究_翡翠资讯_翡翠频道
1 年前
打篮球的鼠标垫  ·  伴有假性病理征的多巴反应性肌张力障碍二例- 中华神经科杂志
1 年前
飞奔的松树  ·  读后感范文_读后感400字大全
1 年前
Link管理   ·   51好读   ·   Sov5搜索   ·   小百科
小百科 - 百科知识指南