近期因为对服务器的平台进行切换和升级,在数据备份恢复的时候出现了不少问题,因此就进行了不少次数的重复安装。
在后面几次重复安装后,发现界面无法访问,通过使用命令 ./launcher logs app 查看安装的日志后发现 Let’s Encrypt 已经不再签发密钥了。原因是这个域名申请的密钥次数太多了。
这个对Discourse 的初级或者试验用户来说不是非常友好,因为你会有签发密钥安装的限制。
日志内容如下:
[Sun 04 Oct 2020 04:52:57 AM UTC] Please check log file for more details: /shared/letsencrypt/acme.sh.log
Error loading file ca.cer
[Sun 04 Oct 2020 04:52:58 AM UTC] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sun 04 Oct 2020 04:52:58 AM UTC] Single domain='www.ossez.com'
[Sun 04 Oct 2020 04:52:58 AM UTC] Getting domain auth token for each domain
[Sun 04 Oct 2020 04:52:58 AM UTC] Create new order error. Le_OrderFinalize not found. {
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "Error creating new order :: too many certificates already issued for exact set of domains: www.ossez.com: see https://letsencrypt.org/docs/rate-limits/",
"status": 429
}
[Sun 04 Oct 2020 04:52:58 AM UTC] Please check log file for more details: /shared/letsencrypt/acme.sh.log
[Sun 04 Oct 2020 04:52:59 AM UTC] Installing key to:/shared/ssl/www.ossez.com_ecc.key
[Sun 04 Oct 2020 04:52:59 AM UTC] Installing full chain to:/shared/ssl/www.ossez.com_ecc.cer
cat: /shared/letsencrypt/www.ossez.com_ecc/fullchain.cer: No such file or directory
Error loading file ca.cer
Error loading file ca.cer
Started runsvdir, PID is 2115
ok: run: redis: (pid 2123) 0s
nginx: [emerg] cannot load certificate "/shared/ssl/www.ossez.com.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
ok: run: postgres: (pid 2129) 0s
chgrp: invalid group: ‘syslog’
rsyslogd: imklog: cannot open kernel log (/proc/kmsg): Operation not permitted.
rsyslogd: activation of module imklog failed [v8.1901.0 try https://www.rsyslog.com/e/2145 ]
supervisor pid: 2124 unicorn pid: 2150
nginx: [emerg] cannot load certificate "/shared/ssl/www.ossez.com.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [emerg] cannot load certificate "/shared/ssl/www.ossez.com.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [emerg] cannot load certificate "/shared/ssl/www.ossez.com.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [emerg] cannot load certificate "/shared/ssl/www.ossez.com.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
通过访问密钥签发机构上面提供的信息了解到:Let’s Encrypt 针对一个域名只会在一定时间内签发 5 次,如果你超过了签发的次数,你需要 5 天后才能再次申请。
解决办法
如果你也遇到了上面的问题的话,解决办法有 2 个。
第一就是等 5 天后再去安装或者进行迁移测试。
第二就是购买使用其他机构对你域名的签名证书,一般来说如果你加密 www 和根域名的话还是非常便宜的。
如果你是打算比较正式运营你的网站和注重交互和安全的话,推荐使用购买 CA 机构签发的域名,这样你可以进行多次安装测试,也不会有任何的密钥限制问题。
我们就是通过修改使用 CA 机构签发的域名而完美的解决了这个问题。
针对上面的问题,请参考下面提供的安装方法和使用:
https://www.ossez.com/t/discourse-lets-encrypt-ca/552
如果你使用 CA 签名的域名进行安装的话,请参考官方的说明:https://meta.discourse.org/t/advanced-setup-only-allowing-ssl-https-for-your-discourse-docker-setup/13847
Comments