Seb*_*Seb 3 cron ssl nginx mongodb lets-encrypt
根据本指南,我已经在数字海洋上启动并运行了解析服务器.配置mongo db进行迁移时,执行以下命令:
sudo cat /etc/letsencrypt/archive/domain_name/{fullchain1.pem,privkey1.pem} | sudo tee /etc/ssl/mongo.pem
之后教程说:
续订Let's Encrypt证书后,您将不得不重复上述命令.如果您配置Let的加密证书的自动续订,请记住包括此操作.
为了做到这一点,我在我的let的加密cronjobs中添加了一个cronjob,如下所示:
30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
33 2 * * 1 cat /etc/letsencrypt/archive/DOMAIN/{fullchain1.pem,privkey1.pem} | tee /etc/ssl/mongo.pem
35 2 * * 1 /etc/init.d/nginx reload
但是,在星期一重新启动服务器后,mongod将无法启动,因为它无法找到/读取/etc/ssl/mongo.pem.
如何正确设置?我是否需要在另一个cronjob中chown/chmod该文件?
谢谢你的帮助!
我遇到了上面脚本的问题.不幸的是,让我们加密dons不会覆盖fullchain和privkey,但在证书更新时会添加新版本:
fullchain2.pem
privkey2.pem
所以我不得不相应地改变脚本.我还将更新和nginx部分放在里面,所以我们只需要一个cronjob:
#!/bin/bash
# stop nginx
/etc/init.d/nginx stop
# check for new cert
/opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
# combine latest letsencrypt files for mongo
# find latest fullchain*.pem
newestFull=$(ls -v /etc/letsencrypt/live/DOMAIN/fullchain*.pem | tail -n 1)
echo "$newestFull"
# find latest privkey*.pem
newestPriv=$(ls -v /etc/letsencrypt/live/DOMAIN/privkey*.pem | tail -n 1)
echo "$newestPriv"
# combine to mongo.pem
cat {$newestFull,$newestPriv} | tee /etc/ssl/mongo.pem
# set rights for mongo.pem
chmod 600 /etc/ssl/mongo.pem
chown mongodb:mongodb /etc/ssl/mongo.pem
# restart mongo
/sbin/restart mongod
# start nginx
/etc/init.d/nginx start