§2024-09-03
試作機器: n2Jitsi.yushei.net, 192.168.16.249
- install
$ sudo apt update
$ sudo apt install certbot python3-certbot-nginx
- backup /etc/nginx/sites-available
alexlai@n2Jitsi:~$ ls /etc/nginx/sites-available
default yushei.net.conf
alexlai@n2Jitsi:~$ ls -l /etc/nginx/sites-enabled/
total 0
lrwxrwxrwx 1 root root 34 Sep 2 21:36 default -> /etc/nginx/sites-available/default
lrwxrwxrwx 1 root root 42 Sep 2 21:37 yushei.net.conf -> /etc/nginx/sites-available/yushei.net.conf
alexlai@n2Jitsi:~$ sudo cp -v //etc/nginx/sites-available/default /etc/nginx/sites-available.backup
'//etc/nginx/sites-available/default' -> '/etc/nginx/sites-available.backup'
alexlai@n2Jitsi:~$ sudo cp -v //etc/nginx/sites-available/yushei.net.conf /etc/nginx/sites-available/yushei.net.conf.backup
'//etc/nginx/sites-available/yushei.net.conf' -> '/etc/nginx/sites-available/yushei.net.conf.backup'
alexlai@n2Jitsi:~$ ls -l /etc/nginx/sites-enabled/
total 0
lrwxrwxrwx 1 root root 34 Sep 2 21:36 default -> /etc/nginx/sites-available/default
lrwxrwxrwx 1 root root 42 Sep 2 21:37 yushei.net.conf -> /etc/nginx/sites-available/yushei.net.conf
- use cerbot
erro
sudo certbot --nginx -d default -d yushei.net--> see next section chatGPT -> It looks like there was an issue with using default as a domain name. The default identifier isn't a valid domain name, which is why Let's Encrypt rejected it.
run it again
alexlai@n2Jitsi:~$ sudo certbot --nginx -d yushei.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for yushei.net
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/yushei.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/yushei.net/privkey.pem
This certificate expires on 2024-12-02.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for yushei.net to /etc/nginx/sites-enabled/yushei.net.conf
Congratulations! You have successfully enabled HTTPS on https://yushei.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
alexlai@n2Jitsi:~$ diff /etc/nginx/sites-available/yushei.net.conf /etc/nginx/sites-available/yushei.net.conf.backup
30,34d29
< if ($host = yushei.net) {
< return 301 https://$host$request_uri;
< } # managed by Certbot
<
<
49,50d43
<
<
70,71c63,65
< ssl_certificate /etc/letsencrypt/live/yushei.net/fullchain.pem; # managed by Certbot
< ssl_certificate_key /etc/letsencrypt/live/yushei.net/privkey.pem; # managed by Certbot
---
>
> ssl_certificate /etc/jitsi/meet/yushei.net.crt;
> ssl_certificate_key /etc/jitsi/meet/yushei.net.key;
224d217
<
- test
alexlai@n2Jitsi:~$ sudo nginx -t
2024/09/03 11:04:23 [warn] 7484#7484: duplicate extension "wasm", content type: "application/wasm", previous content type: "application/wasm" in /etc/nginx/sites-enabled/yushei.net.conf:5
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
---
alexlai@n2Jitsi:~$ sudo certbot --nginx -d default -d yushei.net Saving debug log to /var/log/letsencrypt/letsencrypt.log Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): rai.sousuke@mac.com
Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in order to register with the ACME server. Do you agree?
(Y)es/(N)o: Yes
Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom.
(Y)es/(N)o: No Account registered. Requesting a certificate for default and yushei.net An unexpected error occurred: AttributeError: can't set attribute Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
alexlai@n2Jitsi:$ sudo cp -v //etc/nginx/sites-available/default /etc/nginx/sites-available.backup
'//etc/nginx/sites-available/default' -> '/etc/nginx/sites-available.backup'
alexlai@n2Jitsi:$ sudo cp -v //etc/nginx/sites-available/yushei.net.conf /etc/nginx/sites-available/yushei.net.conf.backup
'//etc/nginx/sites-available/yushei.net.conf' -> '/etc/nginx/sites-available/yushei.net.conf.backup'
alexlai@n2Jitsi:$ ls -l /etc/nginx/sites-enabled/
total 0
lrwxrwxrwx 1 root root 34 Sep 2 21:36 default -> /etc/nginx/sites-available/default
lrwxrwxrwx 1 root root 42 Sep 2 21:37 yushei.net.conf -> /etc/nginx/sites-available/yushei.net.conf
alexlai@n2Jitsi:$ sudo certbot --nginx -d default -d yushei.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): rai.sousuke@mac.com
Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in order to register with the ACME server. Do you agree?
(Y)es/(N)o: Yes
Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom.
(Y)es/(N)o: No
Account registered.
Requesting a certificate for default and yushei.net
An unexpected error occurred:
AttributeError: can't set attribute
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
alexlai@n2Jitsi:$ cat /var/log/letsencrypt/letsencrypt.log
cat: /var/log/letsencrypt/letsencrypt.log: Permission denied
alexlai@n2Jitsi:$ sudo cat /var/log/letsencrypt/letsencrypt.log
2024-09-03 10:51:15,004:DEBUG:certbot._internal.main:certbot version: 2.1.0
2024-09-03 10:51:15,005:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2024-09-03 10:51:15,005:DEBUG:certbot._internal.main:Arguments: ['--nginx', '-d', 'default', '-d', 'yushei.net']
2024-09-03 10:51:15,005:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-09-03 10:51:15,020:DEBUG:certbot._internal.log:Root logging level set at 30
2024-09-03 10:51:15,022:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2024-09-03 10:51:15,440:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0xffff970b9950>
Prep: True
2024-09-03 10:51:15,441:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_nginx._internal.configurator.NginxConfigurator object at 0xffff970b9950> and installer <certbot_nginx._internal.configurator.NginxConfigurator object at 0xffff970b9950>
2024-09-03 10:51:15,441:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2024-09-03 10:51:37,146:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2024-09-03 10:51:37,150:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2024-09-03 10:51:37,726:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 746
2024-09-03 10:51:37,727:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 03 Sep 2024 02:51:37 GMT
Content-Type: application/json
Content-Length: 746
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{ "bz_1s7q8PNQ": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf", "website": "https://letsencrypt.org" }, "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct", "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order", "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo", "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert" } 2024-09-03 10:51:48,880:DEBUG:acme.client:Requesting fresh nonce 2024-09-03 10:51:48,880:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce. 2024-09-03 10:51:49,050:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0 2024-09-03 10:51:49,051:DEBUG:acme.client:Received response: HTTP 200 Server: nginx Date: Tue, 03 Sep 2024 02:51:48 GMT Connection: keep-alive Cache-Control: public, max-age=0, no-cache Link: https://acme-v02.api.letsencrypt.org/directory;rel="index" Replay-Nonce: JgybCyl7LxaWwONaaCEIrNPchk7wPaflzNg5RaXAEaSAu3WBKT4 X-Frame-Options: DENY Strict-Transport-Security: max-age=604800
2024-09-03 10:51:49,051:DEBUG:acme.client:Storing nonce: JgybCyl7LxaWwONaaCEIrNPchk7wPaflzNg5RaXAEaSAu3WBKT4 2024-09-03 10:51:49,051:DEBUG:acme.client:JWS payload: b'{\n "contact": [\n "mailto:rai.sousuke@mac.com"\n ],\n "termsOfServiceAgreed": true\n}' 2024-09-03 10:51:49,061:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-acct: { "protected": "eyJhbGciOiAiUlMyNTYiLCAiandrIjogeyJuIjogInRxYXlrTDdnVWRoUm1UWlprVXRUU0JNTl9SV3Q2eEJsN1VockZHUFhwdmltZjdSS3VpbHUwMlZONG1EYjJzbXdHU3UtWVdseVV3Nzc3dnpLaVNNY2ZadklRQnZEWkwzOU1taGZhUjFzdDJTcWREMjJFUC1sSTloWGhQdl9XcmVrNERlNWUxWWZSdnVudGEtLUtJRVpjd2p0NDdZNXlFaTVyaUR4WHRvbWE2LXdScFhWMzNneVpfbHU4NVJlMzhnSDFYMFZZUzhKbnBiTkxpakxZSEE2R3phUzNZalRTdThvOG1zbXdSdGNtSWpOaW1DWnEtaUctakdrbVcwQXpIYXpqQllrWUtZOHU5VDFPLVhWNUdQelg0SmVkcGwzR2VCem93emoxeVg1emRLeDhLazVZRVk2TmxBdTI2aUxwZzlIQkxPTmFwTzZrWGNObi1VYXJtUnA2dyIsICJlIjogIkFRQUIiLCAia3R5IjogIlJTQSJ9LCAibm9uY2UiOiAiSmd5YkN5bDdMeGFXd09OYWFDRUlyTlBjaGs3d1BhZmx6Tmc1UmFYQUVhU0F1M1dCS1Q0IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctYWNjdCJ9", "signature": "F-mhZy4Vn0Cib_eKVXzuyd_6NeNBl9i5OUeoNvE5GEZCNsSdNprutCHrXs96srXaFa7oCNrQqmXuuRqbCoUcl3PEE1Kzz4PkFbOjRsCiIFjSD92_rZB73fdXLOb2fLByynhBl9-9TUsg6YNIGQxTfnrdwLjSSb-LV9SXoXiGMZHo95azr7kGyzYvKfVUr_BCfpFOWUlEe8ldY6HlItECuNw81_QVKckWzsiR-Cddi2_L9CKe_h_qB2lwA0mU2lk1EOqm0x00wlFQImdzfFZatdvmzdJYgRQ0KwbqAtS0uEa3nV7CZh-hcM2MerWzRhPNhU0d8PPHWsxPgWgjCAbzQw", "payload": "ewogICJjb250YWN0IjogWwogICAgIm1haWx0bzpyYWkuc291c3VrZUBtYWMuY29tIgogIF0sCiAgInRlcm1zT2ZTZXJ2aWNlQWdyZWVkIjogdHJ1ZQp9" } 2024-09-03 10:51:49,356:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-acct HTTP/1.1" 201 563 2024-09-03 10:51:49,357:DEBUG:acme.client:Received response: HTTP 201 Server: nginx Date: Tue, 03 Sep 2024 02:51:49 GMT Content-Type: application/json Content-Length: 563 Connection: keep-alive Boulder-Requester: 1925521206 Cache-Control: public, max-age=0, no-cache Link: https://acme-v02.api.letsencrypt.org/directory;rel="index", https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf;rel="terms-of-service" Location: https://acme-v02.api.letsencrypt.org/acme/acct/1925521206 Replay-Nonce: LTxuIrHNHN7EXq_9KNRE6SzZYX6rk413xOj_RZ77gE6D7rkrlkM X-Frame-Options: DENY Strict-Transport-Security: max-age=604800
{
"key": {
"kty": "RSA",
"n": "tqaykL7gUdhRmTZZkUtTSBMN_RWt6xBl7UhrFGPXpvimf7RKuilu02VN4mDb2smwGSu-YWlyUw777vzKiSMcfZvIQBvDZL39MmhfaR1st2SqdD22EP-lI9hXhPv_Wrek4De5e1YfRvunta--KIEZcwjt47Y5yEi5riDxXtoma6-wRpXV33gyZ_lu85Re38gH1X0VYS8JnpbNLijLYHA6GzaS3YjTSu8o8msmwRtcmIjNimCZq-iG-jGkmW0AzHazjBYkYKY8u9T1O-XV5GPzX4Jedpl3GeBzowzj1yX5zdKx8Kk5YEY6NlAu26iLpg9HBLONapO6kXcNn-UarmRp6w",
"e": "AQAB"
},
"contact": [
"mailto:rai.sousuke@mac.com"
],
"initialIp": "59.126.118.193",
"createdAt": "2024-09-03T02:51:49.234167334Z",
"status": "valid"
}
2024-09-03 10:51:49,357:DEBUG:acme.client:Storing nonce: LTxuIrHNHN7EXq_9KNRE6SzZYX6rk413xOj_RZ77gE6D7rkrlkM
2024-09-03 10:52:21,459:DEBUG:certbot._internal.display.obj:Notifying user: Account registered.
2024-09-03 10:52:21,460:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0xffff971c7810>)>), contact=('mailto:rai.sousuke@mac.com',), agreement=None, status='valid', terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/1925521206', new_authzr_uri=None, terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf'), fb7156877471839506c5ffc6d4d7a4e0, Meta(creation_dt=datetime.datetime(2024, 9, 3, 2, 51, 49, tzinfo=
{ "type": "urn:ietf:params:acme:error:rejectedIdentifier", "detail": "Invalid identifiers requested :: Cannot issue for "default": Domain name needs at least one dot", "status": 400 } 2024-09-03 10:52:21,656:DEBUG:certbot._internal.log:Exiting abnormally: Traceback (most recent call last): File "/usr/lib/python3.11/contextlib.py", line 155, in exit self.gen.throw(typ, value, traceback) File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1683, in make_displayer yield displayer File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1736, in main return config.func(config, plugins) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1440, in run new_lineage = _get_and_save_cert(le_client, config, domains, ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 138, in _get_and_save_cert lineage = le_client.obtain_and_enroll_certificate(domains, certname) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 516, in obtain_and_enroll_certificate cert, chain, key, _ = self.obtain_certificate(domains) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 428, in obtain_certificate orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 478, in _get_order_and_authorizations orderr = self.acme.new_order(csr_pem) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/acme/client.py", line 138, in new_order response = self._post(self.directory['newOrder'], order) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/acme/client.py", line 338, in _post return self.net.post(*args, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/acme/client.py", line 711, in post return self._post_once(*args, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/acme/client.py", line 724, in _post_once response = self._check_response(response, content_type=content_type) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/acme/client.py", line 575, in _check_response raise messages.Error.from_json(jobj) acme.messages.Error: urn:ietf:params:acme:error:rejectedIdentifier :: The server will not issue certificates for the identifier :: Invalid identifiers requested :: Cannot issue for "default": Domain name needs at least one dot
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/bin/certbot", line 33, in
> It looks like there was an issue with using default as a domain name. `The default` identifier isn't a valid domain name, which is why Let's Encrypt rejected it.
---