
About the VPS: it keeps getting stuck here #121

Open
alroyso opened this issue Jan 5, 2016 · 48 comments

Comments

@alroyso

alroyso commented Jan 5, 2016

[thefinn93.letsencrypt | Attempt to get the certificate using the webroot authenticator] ***

@ftao
Owner

ftao commented Jan 5, 2016

Please confirm that these points are all satisfied:

https://github.com/ftao/vpn-deploy-playbook/wiki/Setup-IKEv2-VPN-Server-with-SSL-Certs-from-Let's-Encrypt

Prerequisites

A publicly reachable server running Ubuntu 14.04
A domain name pointed at that server
If a web server is already running on the server (occupying port 443), stop that service temporarily first.
Read and accept the Let's Encrypt Subscriber Agreement; you can find the latest version of the agreement at https://letsencrypt.org/repository/ .

And that the ipsec_domain variable is the same as the domain you pointed at the server.

@alroyso
Author

alroyso commented Jan 5, 2016

Yes, it's the same.
Does the domain in ansible_hosts need to be the same too?

@alroyso
Author

alroyso commented Jan 5, 2016

Is 32-bit not supported?

@ftao
Owner

ftao commented Jan 5, 2016

More likely it's this item that you haven't done. First stop nginx / apache or whatever other program is occupying port 443.

If a web server is already running on the server (occupying port 443), stop that service temporarily first.

@alroyso
Author

alroyso commented Jan 5, 2016

Does ocserv also occupy port 443?

@ftao
Owner

ftao commented Jan 5, 2016

Possibly; stop it first.

@alroyso
Author

alroyso commented Jan 5, 2016

I want to add OPENVPN and the Let's Encrypt Subscriber Agreement to VPN.yml; how should it be written?

- hosts: vpn
  roles:
    - common
    - pptp
    - role: ppp-radiusclient
      device_type: pptp
    - strongswan
    - l2tp
    - role: ppp-radiusclient
      device_type: l2tp
    - openvpn
    - nat
    - role: ocserv

@alroyso
Author

alroyso commented Jan 5, 2016

- hosts: vpn
  roles:
    - common
    - pptp
    - role: ppp-radiusclient
      device_type: pptp
    - role: thefinn93.letsencrypt
      letsencrypt_cert_domains:
        - "{{ ipsec_domain }}"
      tags:
        - letsencrypt
    - role: strongswan
      ipsec_enable_ikev2: true
      ipsec_cert_source: "remote"
      ipsec_ca_cert: "/etc/letsencrypt/live/{{ ipsec_domain }}/chain.pem"
      ipsec_server_cert: "/etc/letsencrypt/live/{{ ipsec_domain }}/cert.pem"
      ipsec_server_key: "/etc/letsencrypt/live/{{ ipsec_domain }}/privkey.pem"
      tags:
        - strongswan
    - role: l2tp
      when: ipsec_enable_l2tp is defined and ipsec_enable_l2tp
    - role: ppp-radiusclient
      when: (ipsec_enable_l2tp is defined) and ipsec_enable_l2tp and (l2tp_use_radius is defined) and l2tp_use_radius
      device_type: l2tp
      radius_servers: "{{ l2tp_radius_servers }}"
    - ftao.certified
    - openvpn-server
    - nat
    - role: ocserv

Is this right? And for running it against multiple hosts at once?

@ftao
Owner

ftao commented Jan 5, 2016

It should work.
I suggest you read the ansible documentation carefully and understand roles / variables and so on.

@alroyso
Author

alroyso commented Jan 5, 2016

TASK: [thefinn93.letsencrypt | Attempt to get the certificate using the webroot authenticator] ***
failed: [saiweivpn] => {"changed": true, "cmd": ["/usr/local/share/letsencrypt/env/bin/letsencrypt", "--agree-tos", "--text", "-d", "v.1xiaoshivpn.org", "--email", "webmaster@", "-a", "webroot", "--webroot-path", "/var/www", "certonly"], "delta": "0:00:00.821009", "end": "2016-01-04 23:04:57.927229", "rc": 1, "start": "2016-01-04 23:04:57.106220", "warnings": []}
stderr: The webroot plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('/var/www does not exist or is not a directory',)

@alroyso
Author

alroyso commented Jan 5, 2016

What does this mean?

@ftao
Owner

ftao commented Jan 5, 2016

letsencrypt has two modes, webroot and standalone; if one fails, the second is tried.
This error should be ignorable; it should carry on and run standalone mode to obtain the certificate.
Didn't the playbook continue past this point?

@alroyso
Author

alroyso commented Jan 5, 2016

ASK: [thefinn93.letsencrypt | Attempt to get the certificate using the standalone authenticator (in case eg the webserver isn't running yet)] *** It stays stuck here.

@ftao
Owner

ftao commented Jan 5, 2016

Have you confirmed that the domain already points to this server's IP?

nslookup your.domain.com

It should show your server's IP.

Also, if your hostname is not set to the correct domain, you may need to set letsencrypt_email to your email address.

letsencrypt_email: "your-email-address"

@alroyso
Author

alroyso commented Jan 5, 2016

All of that is set up.

@alroyso
Author

alroyso commented Jan 5, 2016

letsencryt_email: "[email protected]"
ipsec_domain: "v.1xiaoshivpn.org"
ipsec_enable_ikev2: true
ipsec_use_radius: true
ipsec_radius_servers:
  - host: ****
    secret: ***

@ftao
Owner

ftao commented Jan 5, 2016

Add the -vvv parameter to the ansible-playbook command line to see which command is being executed at the point where it hangs.

Then you can try going to the server and running the corresponding command by hand to see what happens.

@alroyso
Author

alroyso commented Jan 5, 2016

<50.117.73.250> EXEC sshpass -d8 ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/nokidc/.ansible/cp/ansible-ssh-%h-%p-%r" -o Port=22 -o IdentityFile="/home/nokidc/.ssh/some_key" -o GSSAPIAuthentication=no -o PubkeyAuthentication=no -o User=root -o ConnectTimeout=10 50.117.73.250 /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1451985794.72-196916789198052 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1451985794.72-196916789198052 && echo $HOME/.ansible/tmp/ansible-tmp-1451985794.72-196916789198052'
<50.117.73.250> PUT /tmp/tmpQrOABe TO /root/.ansible/tmp/ansible-tmp-1451985794.72-196916789198052/command
<50.117.73.250> EXEC sshpass -d8 ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/nokidc/.ansible/cp/ansible-ssh-%h-%p-%r" -o Port=22 -o IdentityFile="/home/nokidc/.ssh/some_key" -o GSSAPIAuthentication=no -o PubkeyAuthentication=no -o User=root -o ConnectTimeout=10 50.117.73.250 /bin/sh -c 'LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /root/.ansible/tmp/ansible-tmp-1451985794.72-196916789198052/command; rm -rf /root/.ansible/tmp/ansible-tmp-1451985794.72-196916789198052/ >/dev/null 2>&1'

@ftao
Owner

ftao commented Jan 5, 2016

Is there a more complete log? How exactly did you type the command?

@alroyso
Author

alroyso commented Jan 5, 2016

host_vars/saiweivpn.yml
letsencryt_email: "[email protected]"
ipsec_domain: "v.1xiaoshivpn.org"
ipsec_enable_ikev2: true
ipsec_use_radius: true

I ran it with: ansible-playbook ipsec-lte.yml -l saiweivpn -vvvv

@ftao
Owner

ftao commented Jan 5, 2016

It's probably that your
letsencryt_email: "[email protected]"

is misspelled.

It should be letsencrypt_email; a p is missing, so the program was prompting you to enter an email and then hung there.
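A variable name one letter off, as diagnosed above, means the role never sees letsencrypt_email and the letsencrypt CLI falls back to prompting interactively, which a non-interactive ansible run experiences as a hang. The check below is an added example, not code from this project: it reads a flat host_vars file, compares its top-level keys against an assumed list of variable names taken from this thread, and uses difflib to point at the intended name. The sample host_vars content is constructed.

```python
import difflib
import re

# Variable names the playbook in this thread reads from host_vars.
# Assumed list, built from the names that appear in the discussion.
EXPECTED_VARS = {
    "letsencrypt_email",
    "ipsec_domain",
    "ipsec_enable_ikev2",
    "ipsec_enable_l2tp",
    "ipsec_use_radius",
    "ipsec_radius_servers",
    "l2tp_use_radius",
    "l2tp_radius_servers",
}

# Constructed sample mirroring the host_vars posted in the thread, typo included.
SAMPLE_HOST_VARS = """\
letsencryt_email: "user@example.invalid"
ipsec_domain: "vpn.example.invalid"
ipsec_enable_ikev2: true
ipsec_use_radius: true
"""

# A top-level key starts in column 0 and is followed by a colon.
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:")


def top_level_keys(yaml_text):
    """Return the top-level keys of a flat host_vars file (no YAML library needed)."""
    keys = []
    for line in yaml_text.splitlines():
        m = TOP_LEVEL_KEY.match(line)
        if m:
            keys.append(m.group(1))
    return keys


def find_misspelled_keys(yaml_text, expected=EXPECTED_VARS):
    """Map each key not in `expected` to its closest expected name, or None."""
    suspects = {}
    for key in top_level_keys(yaml_text):
        if key in expected:
            continue
        close = difflib.get_close_matches(key, sorted(expected), n=1, cutoff=0.8)
        suspects[key] = close[0] if close else None
    return suspects


if __name__ == "__main__":
    for bad, good in find_misspelled_keys(SAMPLE_HOST_VARS).items():
        hint = f", did you mean {good!r}?" if good else ""
        print(f"unknown variable {bad!r}{hint}")
```

Run it against your real host_vars file before ansible-playbook; any key that ends up in the result is one the roles will silently ignore.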

@ftao
Owner

ftao commented Jan 5, 2016

It seems my tutorial has the same mistake. I'll go and fix it.

@alroyso
Author

alroyso commented Jan 6, 2016

: [saiweivpn] => {'msg': 'AnsibleError: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: 
Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}: Failed to template {{ radius_servers }}: Failed to template {{ l2tp_radius_servers }}:

@alroyso
Author

alroyso commented Jan 6, 2016

The last step errored out.

@alroyso
Author

alroyso commented Jan 6, 2016

Hello, I'd like to ask: is the domain bound to the machine? For example, if I clone this machine to a different IP and use a different domain, can it still connect the same way?

@ftao
Owner

ftao commented Jan 6, 2016

Set the l2tp_radius_servers variable.
You can refer to https://github.com/ftao/vpn-deploy-playbook/blob/master/group_vars/vpn.yml.example for how to write it.

@ftao
Owner

ftao commented Jan 6, 2016

The generated certificate is bound to the domain.
If you change the IP but keep the same domain, just update the domain's DNS record to point at the new IP; that works.

With a different domain, you have to request a new certificate for the new domain.

@alroyso
Author

alroyso commented Jan 6, 2016

How do I stop the openconnect service? I couldn't find it in /etc/init.d.

@ftao
Owner

ftao commented Jan 6, 2016

It is run under supervisor:

supervisorctl stop ocserv

To start it again:

supervisorctl start ocserv

@alroyso
Author

alroyso commented Jan 6, 2016

"Setup IKEv2 VPN Server with SSL Certs from Let's Encrypt" seems to have a mistake in one place. In ipsec-lte.yml there is a radius_servers: "{{ l2tp_radius_servers }}" that causes the error.

@alroyso
Author

alroyso commented Jan 6, 2016

After "Setup IKEv2 VPN Server with SSL Certs from Let's Encrypt" is set up, do I also need to download the certificate?

@ftao
Owner

ftao commented Jan 6, 2016

You can download it as a backup. You can back up the whole /etc/letsencrypt directory.

@alroyso
Author

alroyso commented Jan 6, 2016

I mean, does Windows have to import the certificate before it can connect?

@alroyso
Author

alroyso commented Jan 6, 2016

Right now connecting directly by domain name doesn't work either; it says the authentication credentials are unacceptable.

@ftao
Owner

ftao commented Jan 6, 2016

In my testing it is not needed. But I'm on Windows 7; which Windows version are you on?
What does the server log show? /var/log/syslog

@ftao
Owner

ftao commented Jan 6, 2016

Also, on the server side, what does

ipsec listcerts

show?

@alroyso
Author

alroyso commented Jan 6, 2016

altNames: v.1xiaoshivpn.org
subject: "CN=v.1xiaoshivpn.org"
issuer: "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1"
serial: 01:50:c6:87:ba:c5:5d:ee:27:cb:46:80:ec:09:49:e4:34:f2
validity: not before Jan 05 20:49:00 2016, ok
not after Apr 04 21:49:00 2016, ok
pubkey: RSA 2048 bits, has private key
keyid: 1b:d7:3f:e7:15:8d:a6:b1:8a:04:c7:14:83:4d:7b:0e:1d:c7:68:a0
subjkey: 71:de:48:79:23:19:57:78:3f:d6:3b:8e:6d:d2:5d:9c:ca:fe:5b:8a
authkey: a8:4a:6a:63:04:7d:dd:ba:e6:d1:39:b7:a6:45:65:ef:f3:a8:ec:a1

@alroyso
Author

alroyso commented Jan 6, 2016

I tried on another Win7 machine and it's the same.

@alroyso
Author

alroyso commented Jan 6, 2016

v.1xiaoshivpn.org faa2143 faa2143 You can test it yourself.

@ftao
Owner

ftao commented Jan 6, 2016

Are you in radius or non-radius mode?
If non-radius mode, check whether the /etc/ipsec.secrets file contains your username and password.
I tried connecting once and it did fail, but to find the actual problem we need the server-side logs.
What does /var/log/syslog show?

@alroyso
Author

alroyso commented Jan 6, 2016

radius. Could it be related to the OS, since I'm using debian7.0?

@ftao
Owner

ftao commented Jan 6, 2016

I'll go and test on debian 7.0.

@alroyso
Author

alroyso commented Jan 6, 2016

Could xauth-radius be related? My authentication apparently only works with that; if I change it to the default I get error 691, which seems to mean it got past the certificate.

@ftao
Owner

ftao commented Jan 6, 2016

That I have no way to verify; the freeradius mode I use is eap-radius.
What did you build your radius server with, and does it really require xauth-radius?

@alroyso
Author

alroyso commented Jan 6, 2016

A RADIUS server someone else wrote.

@alroyso
Author

alroyso commented Jan 6, 2016

It runs on a Windows system.

@alroyso
Author

alroyso commented Jan 6, 2016

Where is the certificate generated? I'll download the certificate and import it directly to test.

@ftao
Owner

ftao commented Jan 6, 2016
