
NGINX: calling a page downloads a weird file + Certbot cannot install a certificate

Server Fault user
Asked 2018-12-17 15:20:17
Answers 1, Views 257, Followers 0, Votes 0

Problem: Certbot returns a urn:ietf:params:acme:error:connection when trying to install a certificate for the subdomain rainloop.example.com. EDIT: there is a more important issue in the "Edit" section below, which may be the reason Certbot fails.

What I tried to solve this: I did a lot of research on other people with the same problem but could not find anything useful. I checked my domain's DNS records, but since I have set up certificates for two other subdomains I do not suspect them. I also checked the permissions on this subdomain's root folder and went over the vhost configuration several times. Finally I even restarted my server, but nothing helped.

All configs: I will paste all config files and the certbot log here to round out this question. (Thanks in advance for your answers :)

VHOST config for pfa.example.com (for example, this subdomain works):

```nginx
server {
    listen 80 http2;
    listen [::]:80 http2;
    server_name pfa.example.com;
    return 301 https://pfa.example.com$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name pfa.example.com;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/pfa.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pfa.example.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_dhparam /etc/letsencrypt/live/pfa.example.com/dh.pem;

    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/pfa.example.com/chain.pem;
    resolver 8.8.8.8;

    root /var/www/pfa/;
    index index.php index.html index.htm;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header x-xss-protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }
}
```

rainloop.example.com (the subdomain with the failing SSL certificate):

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name rainloop.example.com;
    root /var/www/rainloop;
    index index.php index.html index.htm;
    location / {
            try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }
}
```

I think it is also worth pointing out my default vhost config, since I modified it slightly:

```nginx
server {
    server_name _;
    listen 80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    location / {
            try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }
    location ~ /\.ht {
            deny all;
    }
}
```

Certbot output during installation:

```text
 > certbot --nginx -d rainloop.example.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for rainloop.example.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. rainloop.example.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://rainloop.example.com/.well-known/acme-challenge/9ivMyI4q3M98EDzr6Fco71Ih8_mZl1epApasB6nNa14: Error getting validation data

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: rainloop.example.com
   Type:   connection
   Detail: Fetching
   http://rainloop.example.com/.well-known/acme-challenge/9ivMyI4q3M98EDzr6Fco71Ih8_mZl1epApasB6nNa14:
   Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
```

Certbot log (at /var/log/letsencrypt/letsencrypt.log): too long to paste here, see my pastebin page.

Permissions of /var/www/ (according to FileZilla):

```text
775               www-data:www-data
```

I am using Debian 9 (Stretch) with Nginx 1.10.3, MariaDB 10.1.37 and PHP 7.2-FPM.

THANKS for any suggestions :)

EDIT: When calling the page (example.com) on other clients that, unlike my computer, have not cached the 301 redirect to https, it downloads a randomly named file with weird but always identical content instead of performing the expected redirect. It also downloads the document when calling www.example.com or https://www.example.com; only when calling https://www.example.com does it show the contents of /var/www/www.example.com/ as expected. The same goes for the pfa.example.com subdomain, whose vhost config is almost identical to that of www.example.com.

1 Answer

Server Fault user

Posted 2018-12-17 19:40:34

There should be a directory /var/www/rainloop/.well-known/acme-challenge under the site's root; that is where the text file is placed and then checked by Let's Encrypt. You can verify this by putting a test text file or HTML file in there and accessing it through a web browser. Usually this happens because Let's Encrypt cannot read the validation file that certbot generates.

Votes 0
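The check the answer suggests, as an added example that is not code from the original post or from certbot: it writes a test token under the webroot (assumed to be /var/www/rainloop, per the rainloop vhost), fetches it over plain HTTP/1.1 on port 80 exactly as the ACME validator does, and reports what came back. It also recognises the case where nginx answers with binary HTTP/2 frames, which is what `listen 80 http2;` (present on the pfa vhost; nginx applies the http2 parameter to the port) produces for HTTP/1.1 clients and matches the "downloads a weird file" symptom in the question's edit.

```python
# Added example, not code from the original post: fetch a test token under
# <webroot>/.well-known/acme-challenge/ over plain HTTP/1.1, as the ACME CA does.
import secrets
import socket
import sys
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"


def fetch_raw(host: str, path: str, timeout: float = 10.0) -> bytes:
    """GET over a raw socket so a reply that is not HTTP/1.x is seen unparsed."""
    with socket.create_connection((host, 80), timeout=timeout) as s:
        s.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        return b"".join(iter(lambda: s.recv(65536), b""))


def is_h2_frame(raw: bytes) -> bool:
    """9-byte HTTP/2 frame header, type 0x04 (SETTINGS) on stream 0: what an nginx
    socket carrying "listen 80 http2;" answers to an HTTP/1.1 client."""
    return raw[3:4] == b"\x04" and raw[5:9] == b"\x00\x00\x00\x00"


def classify(raw: bytes, expected: bytes) -> str:
    """Explain what the ACME validator would have seen at the challenge URL."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    if not sep or not status_line.startswith(b"HTTP/1."):
        if is_h2_frame(raw):
            return "h2c: HTTP/2 frames answered an HTTP/1.1 request (http2 on plain port 80?)"
        return "not an HTTP/1.x response"
    status = int(status_line.split()[1])
    headers = {k.lower(): v.strip() for k, _, v in
               (h.decode("latin-1").partition(":") for h in header_lines)}
    if status in (301, 302):
        return f"redirect to {headers.get('location')}; the target must serve the token"
    if status != 200:
        return f"status {status}: token not served (wrong root, or another vhost answered?)"
    if body.strip() != expected.strip():
        return "200 but body differs from the token file (another vhost answered?)"
    return "ok"


if __name__ == "__main__":  # usage: python3 check.py /var/www/rainloop rainloop.example.com
    token = secrets.token_urlsafe(32)  # same shape as a certbot challenge token
    path = Path(sys.argv[1]) / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(contents := f"{token}.test\n".encode())
    print(classify(fetch_raw(sys.argv[2], f"/{CHALLENGE_DIR}/{token}"), contents))
```

Run it from a machine outside the server's network so the path the CA takes (DNS, firewall, port 80 vhost selection) is the one exercised.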
Original content provided by Server Fault.
Original link:

https://serverfault.com/questions/945675
