精选留言(38)

• 
  Casper

  2018-11-09

  视频中在配置的时候没有说明前期的准备，比如nginx编译时需要启用ssl模块，域名需要注册以及域名指向这些问题。希望在以后的视频中可以稍微提一下前置的准备工作。谢谢陶老师~

  作者回复: 很好的建议, 后面录制时我会加上的!

  

   9
• 
  风竹

  2018-11-20

  执行certbot --nginx命令生成秘钥时, 报错如下：
  Saving debug log to /var/log/letsencrypt/letsencrypt.log
  The nginx plugin is not working; there may be problems with your existing configuration.
  The error was: NoInstallationError()
  查看debug日志内容如下：
  DEBUG:certbot.plugins.disco:No installation (PluginEntryPoint#nginx):
  Traceback (most recent call last):
    File "/usr/lib/python2.7/site-packages/certbot/plugins/disco.py", line 126, in prepare
      self._initialized.prepare()
    File "/usr/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 131, in prepare
      raise errors.NoInstallationError
  经过google，看了几篇帖子发现：
  certbot生成证书时，需要读取默认nginx，需要将openresty/nginx/sbin/nginx加入到PATH里 or ln -s /usr/local/openresty/nginx/sbin/nginx /usr/local/sbin/nginx
  然后就能才正确安装证书了；希望能帮到同样错误的同学

  展开

  作者回复: 谢谢你的分享！

   1

   4
• 
  米雄雄

  2018-11-16

  老师，这个域名得是真实存在的麽？

  作者回复: 是的，必须CA机构也能访问这个域名，如果你自建域名服务，CA机构访问不了，DV证书是不会颁发的。

  

   2
• 
  kevenxi

  2018-11-09

  cenos6.8不能安装python2-certbot-nginx?

  作者回复: 直接把certbot代码拖下来用也行。请参考这个页面：https://certbot.eff.org/docs/install.html

  

   2
• 
  Lpz

  2019-05-26

  老师，您好，学完这节我有两个问题，项目是跑的8081（a项目）和8082（b项目）端口的情况下：
  第一个问题：nginx配置多域名，https多证书，能不能实现两个域名访问80端口展示不同项目（证书来源于阿里云ssl免费证书，下载后传上去，域名也是购买了的备案域名）
  第二个问题：http协议下，能否实现a域名访问a项目，b域名访问b项目，我现在实现了，a、b域名同时访问a项目、a/xxx或者b/xxx访问b项目，如果a、b域名分开配置，a的location /指向a项目，b的location /指向b项目，那么，b域名任然指向a项目。希望老师百忙之中，指点一下，谢谢了。

  展开

  作者回复: 1、可以，详见第47课。
  2、你是想说，http://b/指向b项目，http://b/otherurl指向a项目吗？可以，使用rewrite指令合适，详见第52课

  

   1
• 
  Robert小七

  2019-01-17

  [root@iz2zea99qngm2wop0tah5fz nginx-1.15.8]# certbot --nginx --nginx-server-root=/usr/local/nginx/conf/ -d www.hwenip.com
  Saving debug log to /var/log/letsencrypt/letsencrypt.log
  Plugins selected: Authenticator nginx, Installer nginx
  Enter email address (used for urgent renewal and security notices) (Enter 'c' to
  cancel): 1648855816@qq.com
  Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
  certbot --nginx --nginx-server-root=/usr/local/nginx/conf/ -d www.hwenip.com
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Please read the Terms of Service at
  https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
  agree in order to register with the ACME server at
  https://acme-v02.api.letsencrypt.org/directory
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  (A)gree/(C)ancel: A
  Unable to register an account with ACME server
  
  老师为什么我的和您的不同
  

  展开

  作者回复: 看一下日志/var/log/letsencrypt/letsencrypt.log，这样直接判断不出来

  

   1
• 
  马里奥的马里奥

  2018-11-25

  目前有2个问题
  1.Openresty是通过yum install方式安装的，并不是自己编译的，所以在进行ssl证书配置的时候，提示 Nginx build is missing SSL module，这个比较尴尬，是不是需要我自己编译一个with ssl module的nginx，然后替换Openresty下nignx呢
  2.视频中，总是会跳过一些步骤，导致在练习的时候发现这个没有，那个没有，比较费时。

  作者回复: 1、是的，要自己编译，否则后续课程中会加载许多默认没有添加进的模块，yum安装的没有办法跟着演示一起做。2、第3部分中考虑了这个问题，已经把完整的过程录入了。

  

   1
• 
  Douglas

  2018-11-08

  老师，这个https和付费的https有什么差异呢

  作者回复: 付费的https也分DV证书、OV证书和EV证书。从安全传输这个角度来说，这三种证书效果一样。从浏览器对证书的认可上来，DV证书最差。如果你买的是付费的DV证书，跟这里的例子都一样，因为主流的浏览器都认Lets encrypt。

  

   1
• 
  k

  2019-11-26

  老师，我这里已经重新安装编译了nginx，
  [root@iZ2ze841dceuaqkayzbyk2Z sbin]# ./nginx -V
  nginx version: nginx/1.16.1
  built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
  built with OpenSSL 1.0.2k-fips 26 Jan 2017
  TLS SNI support enabled
  configure arguments: --prefix=/opt --with-http_stub_status_module --with-http_ssl_module --with-file-aio --with-http_realip_module
  但是一直提示我Nginx build is missing SSL module (--with-http_ssl_module).
  这个
  
  
  
  
  [root@iZ2ze841dceuaqkayzbyk2Z opt]# cat -n /var/log/letsencrypt/letsencrypt.log
       
       6 2019-11-26 11:03:27,175:DEBUG:certbot.plugins.selection:Requested authenticator nginx and installer nginx
       7 2019-11-26 11:03:27,278:DEBUG:certbot.plugins.disco:Other error:(PluginEntryPoint#nginx): Nginx build is missing SSL module (--with-http_ssl_module).
       8 Traceback (most recent call last):
       9 File "/usr/lib/python2.7/site-packages/certbot/plugins/disco.py", line 130, in prepare
      10 self._initialized.prepare()
      11 File "/usr/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 199, in prepare
      12 self.version = self.get_version()
      13 File "/usr/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 993, in get_version
      14 "Nginx build is missing SSL module (--with-http_ssl_module).")
      15 PluginError: Nginx build is missing SSL module (--with-http_ssl_module).
      16 2019-11-26 11:03:27,279:DEBUG:certbot.plugins.selection:No candidate plugin
      17 2019-11-26 11:03:27,279:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
  

  展开

  作者回复: 你是说configure就没有成功吗？如果你在CentOS上，你需要安装：yum install openssl-devel。其他系统类似。

  

  
• 
  涛涛

  2019-11-21

  老师 有个问题搞不懂
  一个机器上配置了两个主机 m.abc.com(配置了ssl 可以使用https访问) 和n.abc.com(没有配置ssl 只能使用http访问)
  现在如果使用https://n.abc.com/a/v 为什么也能访问通 而且请求的内容是m.abc.com
  望老师解答

  作者回复: 我猜，是你的server {server_name m.bac.com;}配置块在处理这个https请求。
  因为：https访问的是443端口，而你在n.abc.com配的肯定是80端口。现在你访问443端口时，server_name没有拒绝域名不是m.abc.com的HTTP请求。你可以再看下server_name的配置方法，具体在第47课。

  

  
• 
  不能如期而至

  2019-08-30

  配好ssl证书，启动nginx时，提示443占用，查看端口，如下：是什么意思？
  #lsof -i：443
  COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
  nps 11498 root 5u IPv6 18329035 0t0 TCP VM_0_13_centos:https->123.14.255.18:37836 (ESTABLISHED)
  nps 11498 root 7u IPv6 18329054 0t0 TCP VM_0_13_centos:https->123.14.255.18:37838 (ESTABLISHED)
  nps 11498 root 13u IPv6 15220026 0t0 TCP *:https (LISTEN)
  

  展开

  作者回复: 有正在运行的进程占用了443端口，你是要确认到底是哪个进程占用吗？可以用netstat -anp | grep 443来查找

  

  
• 
  不能如期而至

  2019-08-30

  老师，按您的配置，在腾讯云上配置后，提示：建立安全连接失败
  
  连接到 www.iotserver.vip 时发生错误。PR_END_OF_FILE_ERROR
  
      由于不能验证所收到的数据是否可信，无法显示您想要查看的页面。
      建议向此网站的管理员反馈这个问题。
  配置文件如下：
  #keepalive_timeout 0;
      keepalive_timeout 65;
  
      gzip on;
      gzip_comp_level 2;
      gzip_types text/plain application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
      server {
          listen 80;
          server_name iotserver.vip;
  
          #charset koi8-r;
  
          #access_log logs/host.access.log main;
  
          location / {
              alias /home/zx/soft/dist/;
              index index.html index.htm;
          }
  
          #error_page 404 /404.html;
  
          # redirect server error pages to the static page /50x.html
          #
          error_page 500 502 503 504 /50x.html;
          location = /50x.html {
              root html;
          }
  
          # proxy the PHP scripts to Apache listening on 127.0.0.1:80
          #
          #location ~ \.php$ {
          # proxy_pass http://127.0.0.1;
          #}
  
          # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
          #
          #location ~ \.php$ {
          # root html;
          # fastcgi_pass 127.0.0.1:9000;
          # fastcgi_index index.php;
          # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
          # include fastcgi_params;
          #}
  
          # deny access to .htaccess files, if Apache's document root
          # concurs with nginx's one
          #
          #location ~ /\.ht {
          # deny all;
          #}
  
      listen 443 ssl; # managed by Certbot
      ssl_certificate /etc/letsencrypt/live/iotserver.vip/fullchain.pem; # managed by Certbot
      ssl_certificate_key /etc/letsencrypt/live/iotserver.vip/privkey.pem; # managed by Certbot
      include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
      ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
  
  }
  
  

  展开

  作者回复: 先看看nginx本身有没有出错，error.log上有打印错误吗？
  其次，用wireshark抓个包看下。TLS有client hello和server hello的握手过程，中间有几个协商点，看看是不是网络安全套件出问题了，还是证书读取出问题了。参见《Web协议详解与抓包实战》第79、80课

  

  
• 
  七星瓢虫

  2019-05-21

  选择了不进行重定向后报这个错误：
  An unexpected error occurred:
  UnicodeDecodeError: 'ascii' codec can't decode byte 0xe6 in position 1: ordinal not in range(128)
  Please see the logfiles in /var/log/letsencrypt for more details.
  
  IMPORTANT NOTES:
   - Your account credentials have been saved in your Certbot
     configuration directory at /etc/letsencrypt. You should make a
     secure backup of this folder now. This configuration directory will
     also contain certificates and private keys obtained by Certbot so
     making regular backups of this folder is ideal.
  

  展开

  作者回复: UnicodeDecodeError是python库的编码问题，可能是安装的库不匹配，在这个方向上继续定位看看。比如重新安装

  

  
• 
  七星瓢虫

  2019-05-21

  (A)gree/(C)ancel: A
  
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Would you be willing to share your email address with the Electronic Frontier
  Foundation, a founding partner of the Let's Encrypt project and the non-profit
  organization that develops Certbot? We'd like to send you email about our work
  encrypting the web, EFF news, campaigns, and ways to support digital freedom.
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  (Y)es/(N)o: y
  Starting new HTTPS connection (1): supporters.eff.org
  Obtaining a new certificate
  Performing the following challenges:
  http-01 challenge for lovedb.cn
  Cleaning up challenges
  An unexpected error occurred:
  UnicodeDecodeError: 'ascii' codec can't decode byte 0xe6 in position 1: ordinal not in range(128)
  Please see the logfiles in /var/log/letsencrypt for more details.
  
  IMPORTANT NOTES:
   - Your account credentials have been saved in your Certbot
     configuration directory at /etc/letsencrypt. You should make a
     secure backup of this folder now. This configuration directory will
     also contain certificates and private keys obtained by Certbot so
     making regular backups of this folder is ideal.
  

  展开

  

  
• 
  特特

  2019-03-27

  lamp环境 有自动脚本可以升级成https嘛？急！！！

  

  
• 
  Jee

  2019-01-30

  老师 你教的方式让人易懂 受教了 想问个问题 在做SSL的时候 一直提示这个错误 一般是什么原因呢The nginx plugin is not working; there may be problems with your existing configuration.
  The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.",

  展开

  作者回复: 没有找到nginx这个文件。你可以在/usr/bin等PATH路径下用ln -s建个软链接，链接到你实际安装的sbin/nginx文件上，即可

  

  
• 
  _Sea

  2019-01-29

  陶老师您好，在这章我想跟着使用SSL证书配置的时候，用 pythons-certbot-nginx这个命令一直出现[root@37d8c2847125 sbin]# yum install python2-certbot-nginx
  Loaded plugins: fastestmirror, ovl
  Loading mirror speeds from cached hostfile
  ....
  No package python2-certbot-nginx available.
  Error: Nothing to do
  这样的错误，yum 也update过了，也根据您在留言中解答时说的下载了epel-realse;但是还是一直不行。网上找了一些办法试了也都不行，我使用的是centOS6；yum源下载的是阿里云的，请问有什么办法可以解决么？现在我不知道问题出在哪里，烦请您有空的时候解答一下如何配置，感谢。

  展开

  作者回复: 试试这个：wget https://dl.eff.org/certbot-auto
  chmod a+x certbot-auto
  或者再仔细看下这个页面：https://certbot.eff.org/lets-encrypt/centos6-nginx

  

  
• 
  Riley

  2019-01-22

  老师，为什么我在centos7.3里面用 yum install python2-certbot-nginx 命令装 certbot，执行certbot之后报了以下的错误：
  Traceback (most recent call last):
    File "/usr/bin/certbot", line 9, in <module>
      load_entry_point('certbot==0.29.1', 'console_scripts', 'certbot')()
    File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 487, in load_entry_point
      return get_distribution(dist).load_entry_point(group, name)
    File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2728, in load_entry_point
      return ep.load()
    File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2346, in load
      return self.resolve()
    File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2352, in resolve
      module = __import__(self.module_name, fromlist=['__name__'], level=0)
    File "/usr/lib/python2.7/site-packages/certbot/main.py", line 23, in <module>
      from certbot import client
    File "/usr/lib/python2.7/site-packages/certbot/client.py", line 16, in <module>
      from acme import client as acme_client
    File "/usr/lib/python2.7/site-packages/acme/client.py", line 40, in <module>
      urllib3.contrib.pyopenssl.inject_into_urllib3()
  AttributeError: 'module' object has no attribute 'pyopenssl'
    
  应当如何解决呢？

  展开

  作者回复: 参考https://github.com/certbot/certbot/issues/6328

  

  
• 
  上邪忘川

  2019-01-16

  请问下老师使用Certbot配置HTTPS，一定要注册真实域名吗？
  1.我自己NGINX服务器随便配置一个域名
  2.接着内网搭建一个DNS服务器，添加A记录，内网机器解析成功
  3.certbot --nginx报错
  To fix these errors, please make sure that your domain name was
     entered correctly and the DNS A/AAAA record(s) for that domain
     contain(s) the right IP address.

  展开

  作者回复: 一定要真实域名，参见第16课，对于CA机构来说，DV证书是需要验证域名的真实性的。

  

  
• 
  Robert小七

  2019-01-16

  前面有章节讲过openresty部署nginx吗？怎么这一节看的老师用的是openresty啊这一节课完全不能跟着操作啊

  作者回复: nginx和openresty没有区别的，用nginx也是一样的步骤。

  

  