Verify return code: 21 (unable to verify the first certificate): Let's Encrypt with crontab, problem after moving from Apache to Nginx

I did this: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04

Then I switched from Apache to Nginx following: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04

Everything was fine. But now the Facebook debugger gives me: Curl error: SSL_CACERT SSL certificate problem: unable to get local issuer certificate

Q: How do I re-download all of the certificate authority's certificates in my case?

    Alexs-MacBook-Air:~ alex$ openssl s_client -connect goeasysmile.com:443
    CONNECTED(00000003)
    depth=0 /CN=goeasysmile.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /CN=goeasysmile.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /CN=goeasysmile.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/CN=goeasysmile.com
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ---
    Server certificate
    subject=/CN=goeasysmile.com
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2261 bytes and written 456 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: E8704CF999E67354784246C113DCB93BAB0E0C0BF47942FC44B25B95B8655EB4
        Session-ID-ctx:
        Master-Key: 4E520458361D6EFF58193ECC63A17DAAEC16146D0834D852E7A5284CD114BF02FA9ED939DF97A58B07AB9176A0A72352
        Key-Arg   : None
        Start Time: 1506319952
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---
    closed

It may be related to my buggy crontab; /var/log/le-renew.log:

    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/www.goeasysmile.com/fullchain.pem (failure)
    Upgrading certbot-auto 0.14.0 to 0.14.1...
    Replacing certbot-auto...
    Creating virtual environment...
    Installing Python packages...
    Had a problem while installing Python packages.

    pip prints the following errors:
    =====================================================
    Collecting argparse==1.4.0 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line $
    /root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/u$
      SNIMissingWarning
    /root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/u$
      InsecurePlatformWarning
      Downloading argparse-1.4.0-py2.py3-none-any.whl
    Collecting pycparser==2.14 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line $
      Downloading pycparser-2.14.tar.gz (223kB)
    Collecting cffi==1.4.2 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line 21))
      Downloading cffi-1.4.2.tar.gz (365kB)
    Collecting ConfigArgParse==0.10.0 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt$
      Downloading ConfigArgParse-0.10.0.tar.gz
    Collecting configobj==5.0.6 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line$
      Downloading configobj-5.0.6.tar.gz
    Collecting cryptography==1.5.3 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (l$
      Downloading cryptography-1.5.3.tar.gz (400kB)
    Collecting enum34==1.1.2 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line 65$
      Downloading enum34-1.1.2.tar.gz (46kB)
    Collecting funcsigs==0.4 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line 68$
      Downloading funcsigs-0.4-py2.py3-none-any.whl
    Collecting idna==2.0 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line 71))
      Downloading idna-2.0-py2.py3-none-any.whl (61kB)
    Collecting ipaddress==1.0.16 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (lin$
      Downloading ipaddress-1.0.16-py27-none-any.whl
    Collecting linecache2==1.0.0 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (lin$
      Downloading linecache2-1.0.0-py2.py3-none-any.whl
    Collecting ordereddict==1.1 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line$
      Downloading ordereddict-1.1.tar.gz
    Collecting parsedatetime==2.1 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (li$
      Downloading parsedatetime-2.1-py2-none-any.whl
    Collecting pbr==1.8.1 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line 85))
      Downloading pbr-1.8.1-py2.py3-none-any.whl (89kB)
    Collecting pyasn1==0.1.9 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line 88$
      Downloading pyasn1-0.1.9-py2.py3-none-any.whl
    Collecting pyOpenSSL==16.2.0 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (lin$
      Downloading pyOpenSSL-16.2.0-py2.py3-none-any.whl (43kB)
    Collecting pyparsing==2.1.8 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line$
      Downloading pyparsing-2.1.8-py2.py3-none-any.whl (54kB)
    Collecting pyRFC3339==1.0 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line 1$
      Downloading pyRFC3339-1.0-py2.py3-none-any.whl
    Collecting python-augeas==0.5.0 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt ($
      Downloading python-augeas-0.5.0.tar.gz (90kB)
    Collecting pytz==2015.7 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line 117$
      Downloading pytz-2015.7-py2.py3-none-any.whl (476kB)
    Collecting requests==2.12.1 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line$
      Downloading requests-2.12.1-py2.py3-none-any.whl (574kB)
    Collecting six==1.10.0 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line 134))
      Downloading six-1.10.0-py2.py3-none-any.whl
    Collecting traceback2==1.4.0 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (lin$
      Downloading traceback2-1.4.0-py2.py3-none-any.whl
    Collecting unittest2==1.1.0 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line$
    ...
    running build_ext
    generating cffi module 'build/temp.linux-x86_64-2.7/_padding.c'
    creating build/temp.linux-x86_64-2.7
    generating cffi module 'build/temp.linux-x86_64-2.7/_constant_time.c'
    generating cffi module 'build/temp.linux-x86_64-2.7/_openssl.c'
    building '_openssl' extension
    creating build/temp.linux-x86_64-2.7/build
    creating build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7
    x86_64-linux-gnu-gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-pr$
    x86_64-linux-gnu-gcc: internal compiler error: Killed (program cc1)
    Please submit a full bug report,
    with preprocessed source if appropriate.
    See <file:///usr/share/doc/gcc-4.8/README.Bugs> for instructions.
    error: command 'x86_64-linux-gnu-gcc' failed with exit status 4
    ----------------------------------------
    Command "/root/.local/share/letsencrypt/bin/python2.7 -u -c "import setuptools, tokenize;__file_$
    ', ' '), __file__, 'exec'))" install --record /tmp/pip-SvFhes-record/install-record.txt --single-vers$
    /root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/u$
      InsecurePlatformWarning
    You are using pip version 8.0.3, however version 9.0.1 is available.
    You should consider upgrading via the 'pip install --upgrade pip' command.
    =====================================================

    Certbot has problem setting up the virtual environment.

    Based on your pip output, the problem can likely be fixed by
    increasing the available memory.

    Consult https://certbot.eff.org/docs/install.html#problems-with-python-virtual-environment
    for possible solutions.
    You may also find some support resources at https://certbot.eff.org/support/ .

Found the answer here: https://community.letsencrypt.org/t/cannot-verify-domain-with-openssl/11545

You must reference fullchain.pem in your web server configuration, not cert.pem.

Go to the nginx virtual server configuration:

    sudo nano /etc/nginx/sites-enabled/default

I changed this line

    ssl_certificate /etc/letsencrypt/live/www.goeasysmile.com/cert.pem;

to

    ssl_certificate /etc/letsencrypt/live/www.goeasysmile.com/fullchain.pem;

This was preventing me from sharing nice links through Facebook with meta tag information such as og:image. Now it works!
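
An added example, not part of the original answer: a POSIX shell check that reads the ssl_certificate directives from an nginx config and reports any that point at a PEM file holding a single certificate (as cert.pem does), the condition behind verify return code 21 above. The function names, the sample server block and the placeholder PEM bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag nginx ssl_certificate directives whose PEM file holds
# only the leaf certificate (no intermediate), as cert.pem does.

# Print the number of certificates in a PEM file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the path of every ssl_certificate directive (not ssl_certificate_key).
list_ssl_certificates() {
    sed -n 's/^[[:space:]]*ssl_certificate[[:space:]]\{1,\}\([^;[:space:]]*\)[[:space:]]*;.*$/\1/p' "$1"
}

# Report each certificate file; return 1 if any is missing or leaf-only.
check_nginx_chain() {
    rc=0
    for pem_file in $(list_ssl_certificates "$1"); do
        if [ ! -r "$pem_file" ]; then
            echo "MISSING   $pem_file"; rc=1; continue
        fi
        n=$(count_certs "$pem_file")
        if [ "$n" -ge 2 ]; then
            echo "OK        $pem_file ($n certificates)"
        else
            echo "LEAF-ONLY $pem_file ($n certificate, no intermediate)"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: placeholder PEM bodies (only the markers are counted)
# and a hypothetical server block before and after the fix.
fake_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "CONSTRUCTED-$1" '-----END CERTIFICATE-----'
}
make_sample() {
    fake_pem leaf > "$1/cert.pem"
    { fake_pem leaf; fake_pem intermediate; } > "$1/fullchain.pem"
    printf 'server {\n    listen 443 ssl;\n    ssl_certificate %s/cert.pem;\n    ssl_certificate_key %s/privkey.pem;\n}\n' "$1" "$1" > "$1/before.conf"
    sed 's/cert\.pem/fullchain.pem/' "$1/before.conf" > "$1/after.conf"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
check_nginx_chain "$demo_dir/before.conf" || true   # reports LEAF-ONLY for cert.pem
check_nginx_chain "$demo_dir/after.conf"            # reports OK for fullchain.pem
rm -rf "$demo_dir"
```

On a real server, call check_nginx_chain with the path of the site config, for example /etc/nginx/sites-enabled/default, and reload nginx after changing the directive.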