Help needed: setting up TLS + Cloudflare CDN + v2, Caddy is not working properly...

2020-03-03 11:19:22 +08:00
 qazwsxkevin

I followed this guide:
https://www.bandwh.com/kxsw/30.html

I previously got this working on one server. Today, with a new domain on a different server (a different VPS provider), it keeps failing. The log output is below; it seems to say it cannot reach 8.8.8.8? But that shouldn't be the case, and I can't figure it out. Could the experts here help me find the problem? Thanks!! (Some content has been redacted.)

[root@testServer /tmp]$cat /etc/caddy/caddy.conf
test.test.com
    {
     tls mytestmail@163.com
     log /var/log/caddy.log
     proxy / localhost:10000 {
      websocket
      header_upstream -Origin
      }
    }
[root@testServer /tmp]$


[root@testServer /tmp]$cat /usr/local/caddy/Caddyfile     
test.test.com
   {
    log /var/log/caddy.log
    proxy / localhost:10000 {
     websocket
     header_upstream -Origin
     }
   }
[root@testServer /tmp]$cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 8.8.8.8
[root@testServer /tmp]$
[root@testServer /tmp]$
[root@testServer /tmp]$
[root@testServer /tmp]$cat /etc/sysconfig/network-scripts/ifcfg-eth0 
# XenSystem Ethernet
DEVICE=eth0
BOOTPROTO=static
IPADDR=x.x.x.x
NETMASK=255.255.255.192
GATEWAY=x.x.x.129
onboot=YES
DNS1=8.8.8.8
[root@testServer /tmp]$
[root@testServer /tmp]$
[root@testServer /tmp]$service caddy start
[root@testServer /root]$service caddy start           
[信息] Caddy 启动成功 !
[root@testServer /tmp]$
[root@testServer /tmp]$cat ./caddy.log 
Activating privacy features... 2020/03/03 09:34:41 get Agreement URL: Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org on 8.8.8.8:53: dial udp 8.8.8.8:53: connect: network is unreachable
Activating privacy features... 

Your sites will be served over HTTPS automatically using Let's Encrypt.
By continuing, you agree to the Let's Encrypt Subscriber Agreement at:
  https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Please enter your email address to signify agreement and to be notified
in case of issues. You can leave it blank, but we don't recommend it.
  Email address: 2020/03/03 10:38:44 [INFO] [test.test.com] acme: Obtaining bundled SAN certificate
2020/03/03 10:38:45 [INFO] [test.test.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8888888888
2020/03/03 10:38:45 [INFO] [test.test.com] acme: use tls-alpn-01 solver
2020/03/03 10:38:45 [INFO] [test.test.com] acme: Trying to solve TLS-ALPN-01
2020/03/03 10:38:54 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8888888888
2020/03/03 10:38:54 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8888888888
2020/03/03 10:38:55 [INFO] [test.test.com] acme: Obtaining bundled SAN certificate
2020/03/03 10:38:56 [INFO] [test.test.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/7777777777
2020/03/03 10:38:56 [INFO] [test.test.com] acme: use tls-alpn-01 solver
2020/03/03 10:38:56 [INFO] [test.test.com] acme: Trying to solve TLS-ALPN-01
2020/03/03 10:38:57 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/7777777777
2020/03/03 10:38:57 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/7777777777
2020/03/03 10:38:58 [INFO] [test.test.com] acme: Obtaining bundled SAN certificate
2020/03/03 10:38:59 [INFO] [test.test.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3121973774
2020/03/03 10:38:59 [INFO] [test.test.com] acme: use tls-alpn-01 solver
2020/03/03 10:38:59 [INFO] [test.test.com] acme: Trying to solve TLS-ALPN-01
2020/03/03 10:39:00 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3121977777
2020/03/03 10:39:00 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3121973774
2020/03/03 10:39:01 [INFO] [test.test.com] acme: Obtaining bundled SAN certificate
2020/03/03 10:39:02 [INFO] [test.test.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3121974306
2020/03/03 10:39:02 [INFO] [test.test.com] acme: Could not find solver for: tls-alpn-01
2020/03/03 10:39:02 [INFO] [test.test.com] acme: use http-01 solver
2020/03/03 10:39:02 [INFO] [test.test.com] acme: Trying to solve HTTP-01
2020/03/03 10:39:07 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3121974777
2020/03/03 10:39:07 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3121977777
2020/03/03 10:39:08 [INFO] [test.test.com] acme: Obtaining bundled SAN certificate
2020/03/03 10:39:08 [INFO] [test.test.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/312777777
2020/03/03 10:39:08 [INFO] [test.test.com] acme: Could not find solver for: tls-alpn-01
2020/03/03 10:39:08 [INFO] [test.test.com] acme: use http-01 solver
2020/03/03 10:39:08 [INFO] [test.test.com] acme: Trying to solve HTTP-01
2020/03/03 10:39:09 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/31666666
2020/03/03 10:39:09 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3177777777
2020/03/03 10:39:10 [INFO] [test.test.com] acme: Obtaining bundled SAN certificate
2020/03/03 10:39:12 failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url: 


3350 views
Node: Q&A
8 replies
fzinfz
2020-03-03 12:48:08 +08:00
too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
jy02201949
2020-03-03 13:04:35 +08:00
Letting caddy request the certificate automatically easily runs into this problem.
11dad
2020-03-03 13:10:08 +08:00
Configure it manually; when setting up v2, choose the non-automatic option.
qazwsxkevin
2020-03-03 15:50:05 +08:00
@fzinfz Got it. I can only leave the server aside and try service caddy restart again after a week.

@jy02201949, I don't know of any good way to get a different certificate....
Yourshell
2020-03-03 17:11:44 +08:00
Put it behind CF and use the certificate it provides.
qazwsxkevin
2020-03-03 17:25:25 +08:00
@Yourshell Oh, I found it by following your hint; CF does have this built-in SSL feature. One question: in caddy's own configuration, how do I use this SSL certificate?
Yourshell
2020-03-03 17:33:02 +08:00
jim9606
2020-03-03 17:44:42 +08:00
I suggest testing with another subdomain, or switching to the staging CA for testing, and only switching to the production CA once you have confirmed it works (https://letsencrypt.org/docs/staging-environment/); caddy's configuration has an option to change the CA (https://caddyserver.com/v1/docs/tls).
caddy's automatic retries really do trigger the limit easily, so as soon as you see an error, stop it immediately and check the log.
What puzzles me is why your VPS has the IP and DNS set manually in the OS; isn't DHCP normally used?
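The advice above (stop caddy as soon as an error appears and read the log before retrying) and the two distinct failures visible in the original post (a resolver that is unreachable, then a 429 rateLimited from Let's Encrypt) can be turned into a small pre-restart triage step. The script below is an added example and is not code from the thread, from caddy or from the guide; it reads a Caddy v1 log file with plain grep and reports whether restarting would just burn another failed authorization. The sample log lines it creates are constructed from the lines posted above (shortened, with the redacted authorization IDs kept), and the "The server validated our request" line is an assumed success message used only for the clean sample.

```shell
#!/bin/sh
# Added example (not from the thread): triage /var/log/caddy.log from Caddy v1
# before running `service caddy restart`, so a broken resolver or an ACME rate
# limit is noticed instead of burning more failed authorizations.

# classify_acme_log FILE -> prints one label on stdout, always exits 0:
#   RATE_LIMITED        Let's Encrypt returned 429 rateLimited; wait before retrying
#   DNS_UNREACHABLE     caddy could not reach the resolver (resolv.conf / routing problem)
#   CHALLENGES_FAILING  authorizations keep being deactivated, no certificate yet
#   OK                  nothing suspicious logged
classify_acme_log() {
    if grep -q 'urn:ietf:params:acme:error:rateLimited' "$1"; then
        echo RATE_LIMITED
    elif grep -qE 'lookup [^ ]+ on [0-9.]+:53: .*network is unreachable' "$1"; then
        echo DNS_UNREACHABLE
    elif grep -q 'Deactivating auth:' "$1"; then
        echo CHALLENGES_FAILING
    else
        echo OK
    fi
}

# count_failed_authz FILE -> number of authorizations caddy gave up on
# (each "Deactivating auth:" line is one failed validation counted by the CA)
count_failed_authz() {
    n=$(grep -c 'Deactivating auth:' "$1") || true
    echo "$n"
}

# should_restart FILE -> "yes" only when the log shows no reason to hold back
should_restart() {
    case "$(classify_acme_log "$1")" in
        OK) echo yes ;;
        *)  echo no ;;
    esac
}

# make_sample KIND -> path of a temp file holding a constructed sample log
# (dns | ratelimit | ok), modelled on the lines posted in the thread.
make_sample() {
    f=$(mktemp) || return 1
    case "$1" in
        dns)
            printf '%s\n' \
              'Activating privacy features... 2020/03/03 09:34:41 get Agreement URL: Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org on 8.8.8.8:53: dial udp 8.8.8.8:53: connect: network is unreachable' \
              > "$f" ;;
        ratelimit)
            printf '%s\n' \
              '2020/03/03 10:38:45 [INFO] [test.test.com] acme: Trying to solve TLS-ALPN-01' \
              '2020/03/03 10:38:54 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8888888888' \
              '2020/03/03 10:38:56 [INFO] [test.test.com] acme: Trying to solve TLS-ALPN-01' \
              '2020/03/03 10:38:57 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/7777777777' \
              '2020/03/03 10:39:12 failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently' \
              > "$f" ;;
        ok)
            # assumed success line, not taken from the thread
            printf '%s\n' \
              '2020/03/03 10:38:45 [INFO] [test.test.com] acme: Trying to solve TLS-ALPN-01' \
              '2020/03/03 10:38:50 [INFO] [test.test.com] The server validated our request' \
              > "$f" ;;
    esac
    echo "$f"
}

# Demo over the constructed samples; against a real box you would pass
# /var/log/caddy.log to classify_acme_log / should_restart instead.
for kind in dns ratelimit ok; do
    f=$(make_sample "$kind")
    printf '%-9s %-18s failed_authz=%s restart=%s\n' "$kind" \
        "$(classify_acme_log "$f")" "$(count_failed_authz "$f")" "$(should_restart "$f")"
    rm -f "$f"
done
```

The DNS_UNREACHABLE case is the one to fix first: with the resolver unreachable, every restart still counts as an attempt once caddy does get as far as an order, so the log should read OK before the service is started again, and a RATE_LIMITED verdict means waiting out the window the 429 message points at rather than retrying.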

https://www.v2ex.com/t/649342

© 2021 V2EX