Sco*_*ott 7 nginx apache2 certbot
我从我目前工作的前任员工(他离开去另一份工作)那里继承了一个非常新的 magento 配置。最初的 Magento 是使用 v2.1.8 设置的,但由于项目的需求/要求发生了变化,我不得不多次更新/升级安装。因此,我不一定拥有安装时的所有原始文件(我备份了一些,但在多次更改后,我不得不削减我备份的内容)并且不一定可以询问最初的人安装/配置了他所做的。
最初的设置只是 apache2 上带有 https 的独立 magento-CE。部分问题是我现在使用 Magento 建议并设置 apache 在后台使用 varnish 缓存执行 http,而 nginx 处理实际的 https 内容。
第一个问题发生在 apache 服务器一夜之间神秘关闭时,没有任何粉丝关注。错误日志中仅收到一条 SIGTERM 消息,表明某些东西正在将其关闭。我追踪到一个 cron 作业,它运行了 letencrypt 的续订脚本,该脚本试图通过 apache2 验证证书(不再执行 https 或在端口 443 上进行通信)
我现在需要的是有关如何完成迁移设置的信息,以便更新脚本将与 nginx 而不是 apache2 一起使用。我能找到的所有关于设置 LetEncrypt 的说明似乎都假设您尚未执行任何操作并且还没有证书。但我确实有证书,只是没有 nginx 和 LetsEncrypt 正确运行更新所需的任何东西。
我修改了 /etc/letsencrypt/renewal/myhost.conf 以使用 nginx 而不是 apache 作为身份验证器。(我还修改了“安装程序”行,但不确定是否需要它,因为它是安装在 apache2 下的)
我在服务器根目录中重新创建了一个 .well-known/acme-challenge/test 文件,并添加了目录和位置问题,并确认可以从端口 8080 上的 http 上的 apache 服务器以及通过端口 443 上的 nginx 上的缓存访问它https。(返回“成功”作为内容)
但是当我运行 certbot 来测试续订时(根据我在各个说明页面中看到的建议),它失败了:
# certbot renew --pre-hook "service nginx stop" -
-post-hook "service nginx start"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.mydomain.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Running pre-hook command: service nginx stop
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.mydomain.com
tls-sni-01 challenge for mydomain.com
nginx: [error] open() "/run/nginx.pid" failed (2: No such file or directory)
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (www.mydomain.com) from /etc/letsencrypt/renewal/www.mydomain.com.conf produced an unexpected error: Failed authorization procedure. www.mydomain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.mydomain.com/fullchain.pem (failure)
-------------------------------------------------------------------------------
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.mydomain.com/fullchain.pem (failure)
-------------------------------------------------------------------------------
Running post-hook command: service nginx start
Hook command "service nginx start" returned error code 1
Error output from service:
Job for nginx.service failed because the control process exited with error code$ See "systemctl status nginx.service" and "journalctl -xe" for details.
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.mydomain.com
Type: connection
Detail: Timeout
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
我需要知道还缺少什么才能让续订正常进行
小智 10
我现在对 3 个域执行了此操作,并且有效,但请自行承担风险,并在执行任何操作之前备份原始文件。
nginx插件。您可以使用命令安装它sudo apt-get install python-certbot-nginx/etc/letsencrypt/renewal/*.conf使用您选择的编辑器进行
编辑vim /etc/letsencrypt/renewal/DOMAIN.confapache2为nginx
authenticator: nginxinstaller: nginx最后,要测试它是否顺利,请尝试使用以下命令更新您的证书
certbot --dry-run renew
如果没有出现任何错误,则说明更新成功。
| 归档时间: |
|
| 查看次数: |
5461 次 |
| 最近记录: |