小贝子编程

无法为 AWS Route 53 域颁发 Let's Encrypt 证书



我有一个运行着 Dokku 的 DigitalOcean 液滴。我还有一个 AWS Route 53 托管区域(该域已在其他地方注册,我将名称服务器更改为 Route 53(。在该托管区域中,我创建了一个指向我的液滴的 A 记录。

A 记录似乎工作正常(我可以按域从邮递员访问我的 Dokku 容器(: 图像。

我现在正在尝试为我的域颁发 Let's Encrypt 证书。我为此使用了dokku-letsencrypt但是,我收到以下错误:

CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5705758732
Challenge validation has failed, see error log.

错误提供的链接包含以下内容:

DNS problem: SERVFAIL looking up A for gmail-bot.bloberenober.dev - the domain's nameservers may be malfunctioning

我对 unboundtest.com 执行了一个查询,响应对我来说有点神秘,但这是最后几行:

Jul 06 18:40:21 unbound[5640:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Jul 06 18:40:21 unbound[5640:0] info: Could not establish a chain of trust to keys for bloberenober.dev. DNSKEY IN
Jul 06 18:40:21 unbound[5640:0] info: 127.0.0.1 gmail-bot.bloberenober.dev. A IN SERVFAIL 6.743746 0 44

完整报告

我做了一些研究,发现 DNSKEY 记录是 DNSSEC 的一部分,显然 Route 53 不支持现有域:

Amazon Route 53 支持 DNSSEC 进行域注册。但是,Route 53 不支持 DNS 服务的 DNSSEC,无论域是否已在 Route 53 中注册。如果要为向 Route 53 注册的域配置 DNSSEC,则必须使用其他 DNS 服务提供商或设置自己的 DNS 服务器。

我还尝试手动运行 certbot 并将 TXT 记录添加到我的托管区域,但收到类似的错误:

Failed authorization procedure. gmail-bot.bloberenober.dev (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up TXT for _acme-challenge.gmail-bot.bloberenober.dev - the domain's nameservers may be malfunctioning

有问题的域是 gmail-bot.bloberenober.dev

我做错了什么?我甚至可以为这种情况颁发让我们加密的证书吗?

我通过将我的DNS服务提供商更改为CloudFlare而不是Route 53来解决此问题。他们提供 DNSSEC 支持和开箱即用的通用 SSL 证书,足以满足我的需求,所以最终我根本不需要颁发 Let's Encrypt 证书。

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium