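Today I found that automatic renewal was failing on a website that uses LNMP's one-click Let's Encrypt SSL certificate (which is actually installed through acme.sh); the certificate had not been renewed. I logged in and checked, but it still would not renew, so I searched for a solution. It turned out that automatic renewal failed because the acme.sh version was too old, so this post shares the cause of the failure and the fix.
1. Symptoms of the acme.sh automatic renewal failure
The problem looks like this. During renewal, the following error is reported: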
root@dc:~# "/usr/local/acme.sh"/acme.sh --cron --home "/usr/local/acme.sh" > /dev/null
[Sun Nov 10 23:52:17 CST 2019] Error, can not get domain token entry example.com
[Sun Nov 10 23:52:17 CST 2019] Please check log file for more details: /usr/local/acme.sh/acme.sh.log
[Sun Nov 10 23:52:17 CST 2019] Error renew example.com.
Checking the log shows the following errors:
[Sun Nov 10 23:52:14 CST 2019] GET
[Sun Nov 10 23:52:14 CST 2019] url='https://acme-v01.api.letsencrypt.org/directory'
[Sun Nov 10 23:52:14 CST 2019] timeout=
[Sun Nov 10 23:52:15 CST 2019] _CURL='curl -L --silent --dump-header /usr/local/acme.sh/http.header -g '
[Sun Nov 10 23:52:15 CST 2019] ret='0'
[Sun Nov 10 23:52:15 CST 2019] Could not get nonce, let's try again.
[Sun Nov 10 23:52:17 CST 2019] The new-authz request is ok.
[Sun Nov 10 23:52:17 CST 2019] entry
[Sun Nov 10 23:52:17 CST 2019] Error, can not get domain token entry example.com
[Sun Nov 10 23:52:17 CST 2019] pid
[Sun Nov 10 23:52:17 CST 2019] No need to restore nginx, skip.
[Sun Nov 10 23:52:17 CST 2019] _clearupdns
[Sun Nov 10 23:52:17 CST 2019] skip dns.
[Sun Nov 10 23:52:17 CST 2019] _on_issue_err
[Sun Nov 10 23:52:17 CST 2019] Please check log file for more details: /usr/local/acme.sh/acme.sh.log
[Sun Nov 10 23:52:17 CST 2019] Return code: 1
[Sun Nov 10 23:52:17 CST 2019] Error renew example.com.
[Sun Nov 10 23:52:17 CST 2019] ===End cron===
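2. Fixing the acme.sh automatic renewal failure
I searched through a pile of articles online and none of them solved the problem. In the end I found the cause in this thread: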
https://community.letsencrypt.org/t/unable-to-issue-or-renew-certificates/102948
Your server is able to connect Letsencrypt, so that isn’t the problem.
But you use acme.sh. There are changes. First step: Update your acme.sh.
Yep, the nonce-problem:
Could not get nonce, let's try again.
An update is required.
So the cause is that the acme.sh version is too old, and the fix is simple: upgrade acme.sh.
Upgrade acme.sh to the latest version:
acme.sh --upgrade
If you do not want to upgrade manually, you can turn on automatic upgrades:
acme.sh --upgrade --auto-upgrade
After that, acme.sh will keep itself up to date automatically.
You can also turn off automatic upgrades at any time:
acme.sh --upgrade --auto-upgrade 0
Reference: https://github.com/Neilpang/acme.sh
With that, the problem is solved.
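
To check a host for the same failure pattern without reading the whole log, the following added example (not part of the original post and not acme.sh's own code) scans an acme.sh log for the three markers seen in the excerpt above: the acme-v01 endpoint, "Could not get nonce", and "Error renew <domain>". The function names and the embedded sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage an acme.sh log for the failure pattern shown in this post.
# Function names and the sample log are constructed for illustration.

# Constructed sample: four lines modelled on the log excerpt in the post.
acme_sample_log() {
    cat <<'EOF'
[Sun Nov 10 23:52:14 CST 2019] url='https://acme-v01.api.letsencrypt.org/directory'
[Sun Nov 10 23:52:15 CST 2019] Could not get nonce, let's try again.
[Sun Nov 10 23:52:17 CST 2019] Error, can not get domain token entry example.com
[Sun Nov 10 23:52:17 CST 2019] Error renew example.com.
EOF
}

# Print a one-line summary; return 1 if any renewal failed, 2 if unreadable.
acme_log_triage() {
    log_file=$1
    [ -r "$log_file" ] || { echo "cannot read $log_file" >&2; return 2; }
    awk '
        {   # Drop the leading "[timestamp] " so patterns match the message only.
            i = index($0, "] ")
            msg = (substr($0, 1, 1) == "[" && i > 0) ? substr($0, i + 2) : $0
        }
        index(msg, "acme-v01.api.letsencrypt.org") { v01 = 1 }
        index(msg, "Could not get nonce") == 1     { nonce++ }
        index(msg, "Error renew ") == 1 {
            d = substr(msg, 13)          # text after "Error renew "
            sub(/\.$/, "", d)            # strip the trailing full stop
            if (!(d in seen)) { seen[d] = 1; failed = failed (failed ? " " : "") d }
        }
        END {
            printf "v01_endpoint=%s nonce_errors=%d failed_domains=%s\n",
                   (v01 ? "yes" : "no"), nonce, (failed != "" ? failed : "-")
            exit (failed != "" ? 1 : 0)
        }
    ' "$log_file"
}

# Demo on the constructed sample; pass a real acme.sh.log path to the function instead.
tmp_log=$(mktemp)
acme_sample_log > "$tmp_log"
acme_log_triage "$tmp_log" || echo "renewal failures found: upgrade acme.sh"
rm -f "$tmp_log"
```

On the log path shown in this post the call would be acme_log_triage /usr/local/acme.sh/acme.sh.log; a non-zero exit status makes it usable from a monitoring job.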