Fixing the Proxy Script's Certificate Renewal Failure

Tags
IT
Experience
Problem-solving log
Published
February 6, 2023
Author
Dario Zhang

Background

The proxy's certificate expired, automatic renewal failed, and the error said Nginx had failed to start.

Problem 1: apache2 shipped with Ubuntu 20.04 occupies port 80, so nginx fails to start

  1. First I suspected the Nginx version. I tried upgrading Nginx, but for unknown reasons apt stopped working after Nginx was uninstalled, so I had to restore the system from a backup to its state as of Jan 28, 2023.
  2. I then tried to start nginx manually; the log said port 80 was in use, so I searched for nginx port-80 conflicts.
    1. Checking which process held port 80 showed it was apache2 (web server software); searching revealed it ships with Ubuntu 20.04.

       # check what is using the port
       netstat -lnp|grep 80
       # result
       # tcp6 0 0 :::80 :::* LISTEN 3606/apache2

    2. After killing apache2 it came back, and searching showed that the fix is to change the listening port in its config file or uninstall it. I chose to change the default listening port.

       # find the directory
       whereis apache2
       cd /etc/apache2
       vim ports.conf
       # change the Listen port from 80 to something else, e.g. 880
       # kill apache2 again
       # restart nginx
       nginx
       # check the port again
       netstat -lnp|grep 80
       # nginx now holds port 80
       # tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4323/nginx: master
 

Problem 2: acme certificate renewal fails

After the port conflict was resolved, the certificate still would not renew. vasma's built-in certificate update function errored out, saying nginx failed to start; the log is as follows:

[Sun 05 Feb 2023 11:27:02 PM UTC] ===Starting cron===
[Sun 05 Feb 2023 11:27:02 PM UTC] Renew: '*.dariolink.ml'
[Sun 05 Feb 2023 11:27:02 PM UTC] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
[Sun 05 Feb 2023 11:27:02 PM UTC] It seems that you are using dns manual mode. Read this link first: https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode
[Sun 05 Feb 2023 11:27:02 PM UTC] Error renew *.dariolink.ml_ecc.
[Sun 05 Feb 2023 11:27:02 PM UTC] ===End cron===
[Sun 05 Feb 2023 11:27:02 PM UTC] The domain 'proxy.dariolink.ml' is not a cert name. You must use the cert name to specify the cert to install.
[Sun 05 Feb 2023 11:27:02 PM UTC] Can not find path:'/root/.acme.sh/proxy.dariolink.ml_ecc'
Starting nginx manually, I found it was trying to bind port 3977, a port used by the old configuration. I suspected leftovers from the old script, with an automatic task still running on the system. Checking port 3977 showed xray held it; after killing it, it did not restart on its own.

root@vultr:~# nginx
nginx: [emerg] bind() to 0.0.0.0:3977 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:3977 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:3977 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:3977 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:3977 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:3977 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:3977 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:3977 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:3977 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:3977 failed (98: Address already in use)
nginx: [emerg] still could not bind()
root@vultr:~# netstat -lnp|grep 80
tcp6 0 0 :::8007 :::* LISTEN 704/filebrowser
root@vultr:~# netstat -lnp|grep 3977
tcp6 0 0 :::3977 :::* LISTEN 8215/xray
I tried reinstalling with vasma; every other component was fine, but the certificate still failed to update, so I prepared to request the certificate manually with acme.sh.
acme officially recommends using a DNS API to renew certificates automatically; the list of DNS providers with API support is as follows:
Ctrl+F could not find freedom, the registrar used for the proxy, so the only option was DNS manual mode; the official documentation is as follows:
But following the guide, it kept getting stuck at the TXT record verification stage, with this error:

[Sun 05 Feb 2023 11:47:11 PM UTC] Please be aware that you prepend _acme-challenge. before your domain
[Sun 05 Feb 2023 11:47:11 PM UTC] so the resulting subdomain will be: _acme-challenge.proxy.dariolink.ml
[Sun 05 Feb 2023 11:47:11 PM UTC] Please add the TXT records to the domains, and re-run with --renew.
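Two pre-flight checks for the port-80 conflict in Problem 1 and the TXT-record stage just above, as an added example that is not part of this post, vasma or acme.sh. It assumes the `netstat -lnp` and `dig +short TXT` output formats, and the sample netstat lines are constructed from those quoted in this log; `wait_for_txt` assumes `dig` is installed.

```shell
#!/bin/sh
# Added example, not from the original post, vasma or acme.sh.
# Two pre-flight checks for the failure points in this log.

# 1) Which process really holds a TCP port? Reads `netstat -lnp` output on
#    stdin and prints the PID/program bound to exactly that port. The plain
#    `netstat -lnp|grep 80` used above also matched :::8007 (filebrowser).
listener_on_port() {
    awk -v re=":$1\$" '
        $1 ~ /^tcp/ && $4 ~ re {
            out = $7                                   # "4323/nginx: master" spans two fields
            for (i = 8; i <= NF; i++) out = out " " $i
            print out; found = 1
        }
        END { exit found ? 0 : 1 }'
}

# 2) Is the TXT record acme.sh asked for visible yet? acme.sh prepends
#    _acme-challenge. to the domain (see the log above).
acme_challenge_name() { printf '_acme-challenge.%s\n' "$1"; }

# Reads `dig +short TXT <name>` output on stdin (one quoted string per line)
# and succeeds only if the expected token is among the answers.
txt_has_token() { grep -Fxq "\"$1\""; }

# Live check (assumes `dig` is installed; needs network, so not exercised
# offline): poll until the record has propagated, then it is safe to re-run
# `acme.sh --renew`. $1 = domain, $2 = token, $3 = max seconds to wait.
wait_for_txt() {
    name=$(acme_challenge_name "$1"); waited=0
    while [ "$waited" -lt "$3" ]; do
        dig +short TXT "$name" | txt_has_token "$2" && return 0
        sleep 10; waited=$((waited + 10))
    done
    return 1
}

# Constructed sample mirroring the netstat lines quoted in the post.
SAMPLE_NETSTAT='tcp6       0      0 :::8007                 :::*                    LISTEN      704/filebrowser
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4323/nginx: master
tcp6       0      0 :::3977                 :::*                    LISTEN      8215/xray'

# Usage when run directly: prints "4323/nginx: master" for the sample above.
printf '%s\n' "$SAMPLE_NETSTAT" | listener_on_port 80 || echo "port 80 is free"
```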
Unsure whether the domain prefix was the problem, I tried issuing again following the official guide for nginx:

acme.sh --issue -d mydomain.com --nginx

Verification failed:

[Sun 05 Feb 2023 11:49:15 PM UTC] Reload nginx
[Sun 05 Feb 2023 11:49:17 PM UTC] Processing, The CA is processing your order, please just wait. (1/30)
[Sun 05 Feb 2023 11:49:21 PM UTC] Processing, The CA is processing your order, please just wait. (2/30)
[Sun 05 Feb 2023 11:49:24 PM UTC] Processing, The CA is processing your order, please just wait. (3/30)
[Sun 05 Feb 2023 11:49:28 PM UTC] proxy.dariolink.ml:Verify error:"error":{
[Sun 05 Feb 2023 11:49:28 PM UTC] Restoring from /root/.acme.sh/proxy.dariolink.ml_ecc/backup/proxy.dariolink.ml.nginx.conf to /etc/nginx/conf.d/alone.conf
[Sun 05 Feb 2023 11:49:28 PM UTC] Reload nginx
When I tried reinstalling with vasma again, I noticed that the example certificate I had just requested manually with acme was picked up:

[Sun 05 Feb 2023 11:49:47 PM UTC] ===Starting cron===
[Sun 05 Feb 2023 11:49:47 PM UTC] Renew: '*.dariolink.ml'
[Sun 05 Feb 2023 11:49:47 PM UTC] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
[Sun 05 Feb 2023 11:49:47 PM UTC] It seems that you are using dns manual mode. Read this link first: https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode
[Sun 05 Feb 2023 11:49:47 PM UTC] Error renew *.dariolink.ml_ecc.
[Sun 05 Feb 2023 11:49:47 PM UTC] Renew: 'example.com'
[Sun 05 Feb 2023 11:49:47 PM UTC] Renew to Le_API=https://acme.zerossl.com/v2/DV90
[Sun 05 Feb 2023 11:49:47 PM UTC] Skip invalid cert for: example.com
[Sun 05 Feb 2023 11:49:47 PM UTC] Skipped example.com_ecc
[Sun 05 Feb 2023 11:49:47 PM UTC] Renew: 'proxy.dariolink.ml'
[Sun 05 Feb 2023 11:49:47 PM UTC] Renew to Le_API=https://acme.zerossl.com/v2/DV90
[Sun 05 Feb 2023 11:49:47 PM UTC] Skip invalid cert for: proxy.dariolink.ml
[Sun 05 Feb 2023 11:49:47 PM UTC] Skipped proxy.dariolink.ml_ecc
[Sun 05 Feb 2023 11:49:47 PM UTC] ===End cron===
So I decided to delete the certificates for every domain under the acme directory and request them from scratch.
vasma requested the TLS certificate twice; the first attempt failed with:

---> TLS安装失败,正在检查80、443端口是否开放
/usr/bin/vasma: /usr/sbin/ufw: /usr/bin/python3: bad interpreter: Permission denied
/usr/bin/vasma: /usr/sbin/ufw: /usr/bin/python3: bad interpreter: Permission denied

This old problem has been around for a while: while working on Problem 1 (apache2 shipped with Ubuntu 20.04 occupying port 80 so nginx fails to start), apt's failure to read the nginx list produced the same error. I googled extensively without finding a solution, so this issue needs continued tracking.
The second installation succeeded; the difference between the two attempts is still unclear.
With that, the problem was solved.

Summary and follow-up

  • Apache2 shipped with Ubuntu occupies port 80 by default and conflicts with http; keep this in mind.
  • When vasma renews certificates, deleting every domain directory under the acme directory allows a fresh request.
  • freedom does not support a DNS API, so automatic renewal is not possible.
    Find a reliable domain registrar and buy a long-term domain.