certbot: failure to obtain a digital certificate


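Digital certificates

A digital certificate is proof that a website's domain uses secure encryption when it communicates.

Digital certificates provide encryption for a website's data exchange and are used to keep communication confidential and secure. Certificates are not created arbitrarily: in general, a certificate is only accepted if it is issued by an organization or team with reasonable public credibility.
If an individual creates a certificate, then however skilled they are, other people would have to spend considerable time getting to know that person or team. A certificate confirmed as reliable by the likes of Google, Microsoft, or BAT is readily trusted and accepted by far more people.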

certbot

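certbot is a free HTTPS certificate tool for websites. It can request and obtain a certificate for your own domain, securing communication between clients and the website.

certbot fails to obtain a digital certificate

certbot --nginx fails to obtain a certificate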

[root@ip-172-31-36-22 ~]# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2: narule.net
3: www.narule.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Requesting a certificate for narule.net
Performing the following challenges:
http-01 challenge for narule.net
Waiting for verification...
Challenge failed for domain narule.net
http-01 challenge for narule.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: narule.net
   Type:   connection
   Detail: Fetching
   http://narule.net/.well-known/acme-challenge/ghMvWhw-3tOEmI7d5zNZGuQ:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

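This problem was tricky. At first I thought nginx needed to be stopped: previously, automatic certificate renewal had failed because nginx had not been stopped, and stopping it made renewal succeed. This time, though, nothing worked. In the end I found from the logs that port 80 could not be reached from the public internet at all and was only accessible from the internal network; the problem was with port 80.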
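The check described above (which failure certbot reported, and whether anything on the host accepts outside connections on port 80) can be scripted. This is an added example, not code from the original post. The function names and the `ss -ltn` sample are assumptions, and the sample shows one constructed socket state, not the author's server.

```shell
#!/bin/sh
# Added example (not from the original post): offline triage helpers for a
# failed http-01 challenge. Function names and the ss sample are assumptions.

# Print "<domain> <type>" for each failure in certbot's output (stdin).
acme_failures() {
    awk '$1 == "Domain:" { d = $2 }
         $1 == "Type:" && d != "" { print d, $2; d = "" }'
}

# Classify TCP port 80 listeners from `ss -ltn` output (stdin):
#   none          nothing listens on :80, so connections to it are refused
#   loopback-only bound to 127.0.0.0/8 or ::1, reachable only from the host
#   non-loopback  bound to a wildcard or interface address; check firewalls next
port80_exposure() {
    awk '
        $1 != "LISTEN" { next }                  # skips the header line
        {
            n = split($4, p, ":")                # $4 is Local Address:Port
            if (p[n] != "80") next
            host = substr($4, 1, length($4) - 3) # strip the trailing ":80"
            if (host ~ /^127\./ || host == "[::1]" || host == "::1") lo = 1
            else ext = 1
        }
        END { print (ext ? "non-loopback" : (lo ? "loopback-only" : "none")) }'
}

# Error block as printed by certbot in the post.
CERTBOT_SAMPLE='   Domain: narule.net
   Type:   connection
   Detail: Fetching
   http://narule.net/.well-known/acme-challenge/ghMvWhw-3tOEmI7d5zNZGuQ:
   Connection refused'

# Constructed `ss -ltn` output: sshd on all interfaces, port 80 on loopback only.
SS_SAMPLE='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:80        0.0.0.0:*'

printf 'failure:  %s\n' "$(printf '%s\n' "$CERTBOT_SAMPLE" | acme_failures)"
printf 'port 80:  %s\n' "$(printf '%s\n' "$SS_SAMPLE" | port80_exposure)"
# On the server itself: ss -ltn | port80_exposure
```

A `non-loopback` result only rules out the local bind address; host firewall rules and any cloud-side filtering in front of the server still have to allow inbound port 80.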

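Cause

Thinking it over afterwards: while learning to use Docker containers recently, I had stopped nginx and let Docker take over nginx's port 80. Although I was no longer running Docker and port 80 was idle, nothing else had changed in the Linux CentOS 7 environment, so I suspect the problem is very likely related to having installed Docker; perhaps installing Docker tied up some resource.

Solution

Uninstall Docker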

sudo yum remove docker-ce docker-ce-cli containerd.io

sudo rm -rf /var/lib/docker

certbot --nginx

After uninstalling Docker with the two steps above, I ran certbot --nginx again and obtained the digital certificate successfully!

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://narule.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/narule.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/narule.net/privkey.pem
   Your certificate will expire on 2021-05-19. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

