Given this setup: an Nginx serving a .well-known folder, listening on ports 80/443 on the server, to exchange the challenge for Letsencrypt. The certificate is created correctly and can be used in the mentioned Nginx.
When trying to use the certificate via coturn:
listening-port=3478
tls-listening-port=5349
alt-listening-port=3479
alt-tls-listening-port=5350
…
cert=/path/to/fullchain.pem
pkey=/path/to/privkey.pem
Now when trying to start coturn, it apparently does not find / cannot load the certificates, according to the log:
WARNING: cannot start TLS and DTLS listeners because private key file is not set properly
WARNING: cannot find private key file: /path/to/privkey.pem
WARNING: cannot start TLS and DTLS listeners because certificate file is not set properly
WARNING: cannot find certificate file: /path/to/fullchain.pem
Now I wonder what the correct way is to set up coturn with a letsencrypt SSL chain.
小智 16
Thanks for the question. Letsencrypt supports deploy hooks. I use it with the following.
I am using Debian 10 buster with coturn 4.5.1.1-1.1 and letsencrypt certbot 0.31.0. Assumptions:
- coturn user: turnserver
- coturn group: turnserver
- letsencrypt directory: /etc/letsencrypt/
- domain: example.com
- restart command: service coturn restart
- coturn config file: /etc/turnserver.conf
If your configuration differs from the assumptions above, adjust accordingly.
mkdir -p /etc/coturn/certs
chown -R turnserver:turnserver /etc/coturn/
chmod -R 700 /etc/coturn/
nano /etc/letsencrypt/renewal-hooks/deploy/coturn-certbot-deploy.sh
chmod 700 /etc/letsencrypt/renewal-hooks/deploy/coturn-certbot-deploy.sh
coturn-certbot-deploy.sh, adapted for coturn from the example on the linked letsencrypt page:
#!/bin/sh
set -e
for domain in $RENEWED_DOMAINS; do
    case $domain in
    example.com)
        daemon_cert_root=/etc/coturn/certs
        # Make sure the certificate and private key files are
        # never world readable, even just for an instant while
        # we're copying them into daemon_cert_root.
        umask 077
        cp "$RENEWED_LINEAGE/fullchain.pem" "$daemon_cert_root/$domain.cert"
        cp "$RENEWED_LINEAGE/privkey.pem" "$daemon_cert_root/$domain.key"
        # Apply the proper file ownership and permissions for
        # the daemon to read its certificate and key.
        chown turnserver "$daemon_cert_root/$domain.cert" \
            "$daemon_cert_root/$domain.key"
        chmod 400 "$daemon_cert_root/$domain.cert" \
            "$daemon_cert_root/$domain.key"
        service coturn restart >/dev/null
        ;;
    esac
done
You need to change example.com in the file above to your own domain.
Edit the certificate file locations in the coturn configuration file:
nano /etc/turnserver.conf
For the example.com domain, use these lines:
...
cert=/etc/coturn/certs/example.com.cert
...
pkey=/etc/coturn/certs/example.com.key
...
I was able to test renewal of all certificates with this command:
certbot renew --force-renewal
Or this command for a given domain only:
certbot certonly --force-renewal -d example.com
My coturn log no longer shows these lines:
0: WARNING: cannot find certificate file: /etc/letsencrypt/live/example.com/fullchain.pem (1)
0: WARNING: cannot start TLS and DTLS listeners because certificate file is not set properly
0: WARNING: cannot find private key file: /etc/letsencrypt/live/example.com/privkey.pem (1)
0: WARNING: cannot start TLS and DTLS listeners because private key file is not set properly
Instead I get these nice ones:
...
0: ...: Certificate file found: /etc/coturn/certs/example.com.cert
0: ...: Private key file found: /etc/coturn/certs/example.com.key
...
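As an added example (not the answerer's script and not part of the coturn or certbot projects), the deploy hook below does the same copy-with-umask-and-chmod as the answer, but first checks that the renewed private key actually belongs to the certificate and that the certificate is not about to expire, and only restarts coturn if at least one matching domain was deployed. A hook that copies a mismatched pair would leave coturn with a broken TLS listener until the next renewal, so the refusal path is the point of the example. It assumes the same layout as the answer (cert dir /etc/coturn/certs, daemon user turnserver, the certbot variables RENEWED_DOMAINS and RENEWED_LINEAGE); the COTURN_CERT_DIR, COTURN_USER and COTURN_RESTART_CMD overrides are hypothetical names added here so the hook can be exercised outside a real certbot run.

```shell
#!/bin/sh
# Added example: certbot deploy hook for coturn that verifies the renewed
# key/certificate pair before installing it. Assumes the layout from the
# answer above; the three COTURN_* variables are hypothetical overrides.
set -e

COTURN_CERT_DIR="${COTURN_CERT_DIR:-/etc/coturn/certs}"
COTURN_USER="${COTURN_USER:-turnserver}"
COTURN_RESTART_CMD="${COTURN_RESTART_CMD:-service coturn restart}"

# Return 0 if the public key inside the certificate equals the public key
# derived from the private key (works for RSA and EC keys alike), else 1.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate is still valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Return 0 if the file mode grants nothing to group or others (e.g. 400, 600).
mode_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null) || mode=$(stat -f %Lp "$1")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Install one domain's lineage into the coturn cert dir. Refuses (returns 1,
# touching nothing) when the key does not match or the cert expires within a day.
deploy_domain() {
    domain=$1; lineage=$2
    cert="$lineage/fullchain.pem"; key="$lineage/privkey.pem"
    pair_matches "$cert" "$key" || {
        echo "refusing $domain: private key does not match certificate" >&2; return 1; }
    cert_valid_for "$cert" 86400 || {
        echo "refusing $domain: certificate expires within 24h" >&2; return 1; }
    # Never expose the key, even for an instant while copying.
    umask 077
    mkdir -p "$COTURN_CERT_DIR"
    cp "$cert" "$COTURN_CERT_DIR/$domain.cert"
    cp "$key"  "$COTURN_CERT_DIR/$domain.key"
    chmod 400 "$COTURN_CERT_DIR/$domain.cert" "$COTURN_CERT_DIR/$domain.key"
    # certbot runs deploy hooks as root; skip chown when exercised unprivileged.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$COTURN_USER" "$COTURN_CERT_DIR/$domain.cert" "$COTURN_CERT_DIR/$domain.key"
    fi
    mode_is_private "$COTURN_CERT_DIR/$domain.key"
}

# Entry point used by certbot: deploy every renewed domain we care about and
# restart coturn once, only if something was actually installed.
run_hook() {
    deployed=0
    for domain in ${RENEWED_DOMAINS:-}; do
        case $domain in
            example.com)   # change to your own domain(s)
                deploy_domain "$domain" "$RENEWED_LINEAGE" && deployed=1 ;;
        esac
    done
    if [ "$deployed" -eq 1 ]; then $COTURN_RESTART_CMD >/dev/null; fi
    return 0
}

# Only act when certbot has set its environment (so sourcing the file is harmless).
if [ -n "${RENEWED_LINEAGE:-}" ]; then run_hook; fi
```

Drop it into /etc/letsencrypt/renewal-hooks/deploy/ with mode 700 like the answer's hook; a refused pair is logged to stderr, which certbot shows in its renewal output, and coturn keeps serving the previous files.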