Nginx: if statement on the ssl certificate declaration

Ody*_*see 1 ssl nginx vhosts lets-encrypt

I would like to know whether it is possible to use an if statement on the nginx ssl certificate (or any other part of the configuration)

if ( -f /etc/letsencrypt/live/{domain}/cert.pem ) {
  ssl_certificate /etc/letsencrypt/live/{domain}/cert.pem;
  ssl_certificate_key /etc/letsencrypt/live/{domain}/privkey.pem;
}

This gives the following error:

nginx: [emerg] "ssl_certificate" directive is not allowed here in /etc/nginx/sites-enabled/app.phase.be.conf:7

I looked at the documentation and Google, and came to the conclusion that this is not possible. It is only meant for rewrites.

Is there another way to completely ignore the ssl certificate, or to replace it with a self-signed one, before Letsencrypt has issued the certificate? This is an automated process; Nginx can be reloaded at any time if it is triggered by another process (e.g. a modified server block).

Edit:

Thanks @Chris for pointing me in the right direction!

What I ended up doing looks like this, but this is stripped down and simplified.

import logging
import subprocess
import time

from watchdog.events import PatternMatchingEventHandler
from watchdog.observers import Observer

config = Config().read()  # Config is the poster's own settings class, not shown in the post
logging.basicConfig(filename=config['settings']['log_file'],
                    filemode='a',
                    format='%(asctime)s [ %(levelname)s ] - %(message)s',
                    datefmt='%m/%d/%Y  %H:%M:%S',
                    level=config['settings']['log_level'])

class NginxHandler(PatternMatchingEventHandler):
    # Reload nginx whenever a vhost file under sites-enabled changes
    patterns = ["*.conf", "*.cnf"]

    def process(self, event):
        logging.info('PROXY-LISTENER: Vhost configuration has changed reloading Nginx')
        time.sleep(1)  # give the writer a moment to finish the file
        subprocess.call(['nginx', '-s', 'reload'])

    def on_modified(self, event):
        self.process(event)

    # def on_created(self, event):
    #     self.process(event)

    def on_deleted(self, event):
        self.process(event)

class SslHandler(PatternMatchingEventHandler):
    # Reload nginx whenever a certificate or key file changes
    patterns = ["*.pem", "*.key", "*.crt"]

    def process(self, event):
        logging.info('PROXY-LISTENER: SSL certificate updated, reloading nginx')
        subprocess.call(['nginx', '-s', 'reload'])

    def on_modified(self, event):
        self.process(event)

    # def on_created(self, event):
    #     self.process(event)

    def on_deleted(self, event):
        self.process(event)

logging.info('PROXY-LISTENER: Starting Proxy Listener')
observer = Observer()
observer.schedule(NginxHandler(), path='/etc/nginx/sites-enabled/')
observer.schedule(SslHandler(), path='/etc/nginx/ssl/', recursive=True)
observer.start()
logging.info('PROXY-LISTENER: Nginx vhost watcher started')
logging.info('PROXY-LISTENER: Nginx certificate watcher started')
observer.join()  # keep the main thread alive; the observer runs as a daemon thread

This watches the two directories for changes and acts accordingly. When a new vhost is created, Ssl().add_temp_cert() is called and creates the required symbolic links.

import os
import subprocess

class Ssl:
    # The class wrapper and constructor are assumed; the post only shows the two methods.
    def __init__(self, domain):
        self.domain = domain

    def add_temp_cert(self, vhost):
        '''
        Create a symbolic link to provide a temporary ssl certificate
        for the new vhost until a valid one has been installed
        '''
        # The condition line is missing from the post; assumed: no Let's Encrypt certificate yet
        if not os.path.isfile('/etc/letsencrypt/live/' + self.domain + '/cert.pem'):
            subprocess.call(['mkdir', '-p', '/etc/nginx/ssl/' + self.domain])
            subprocess.call(['ln', '-s', '/etc/nginx/ssl/nginx.crt', '/etc/nginx/ssl/' + self.domain + '/cert.pem'])
            subprocess.call(['ln', '-s', '/etc/nginx/ssl/nginx.key', '/etc/nginx/ssl/' + self.domain + '/privkey.pem'])
        else:
            self.add_cert(vhost)  # defined elsewhere in the poster's class

    def add_letsencrypt_cert(self, vhost):
        '''
        Create a symbolic link to /etc/nginx/ssl for the obtained ssl certificate
        '''
        # '-rf': the path is the directory of symlinks made by add_temp_cert; '-f' alone does not remove a directory
        subprocess.call(['rm', '-rf', '/etc/nginx/ssl/' + self.domain])
        # no trailing slash on the link name, otherwise ln fails once the directory is gone
        subprocess.call(['ln', '-s', '/etc/letsencrypt/live/' + self.domain, '/etc/nginx/ssl/' + self.domain])

Ant*_*ris 5

If you already have an existing process/script that triggers an nginx reload, use Linux symbolic links

server {
  ...

  ssl_certificate      /etc/nginx/ssl/link-cert.pem;
  ssl_certificate_key  /etc/nginx/ssl/link-privkey.pem;

  ...
}

nginx-ssl-reload.sh

#!/bin/bash

# exit on errors
set -e

# remove existing links (-f so the script does not abort under 'set -e' on the first run, when they do not exist yet)
rm -f /etc/nginx/ssl/link-cert.pem
rm -f /etc/nginx/ssl/link-privkey.pem

DOMAIN="anthum.com"
# link files specified in nginx.conf to real cert files
if [ -f "/etc/letsencrypt/live/$DOMAIN/cert.pem" ]; then
  ln -s "/etc/letsencrypt/live/$DOMAIN/cert.pem"    /etc/nginx/ssl/link-cert.pem
  ln -s "/etc/letsencrypt/live/$DOMAIN/privkey.pem" /etc/nginx/ssl/link-privkey.pem
else
  ln -s /etc/nginx/ssl/self-signed.crt  /etc/nginx/ssl/link-cert.pem
  ln -s /etc/nginx/ssl/self-signed.key  /etc/nginx/ssl/link-privkey.pem
fi


# Reload nginx
nginx -s reload
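An added example (my own code, not from either post) that combines the two ideas above: choose the Let's Encrypt pair only when both files exist, as the answer's script does, but repoint the links atomically and run `nginx -t` before `nginx -s reload` so a half-written or mismatched pair never reaches the running instance. The directory layout, the `example.test` domain and the placeholder files in `run_demo` are constructed for the demonstration.

```python
import os, subprocess, tempfile
from pathlib import Path

def select_cert_pair(le_live, fallback_dir, domain):
    # Use the Let's Encrypt pair only if BOTH cert and key exist; otherwise the self-signed pair.
    cert, key = le_live / domain / "cert.pem", le_live / domain / "privkey.pem"
    if cert.is_file() and key.is_file():
        return cert, key, "letsencrypt"
    return fallback_dir / "self-signed.crt", fallback_dir / "self-signed.key", "self-signed"

def atomic_symlink(target, link):
    # Repoint `link` with no window in which it is missing: temp link, then rename(2) over the old one.
    tmp = link.with_name("." + link.name + ".tmp")
    if tmp.is_symlink():
        tmp.unlink()
    os.symlink(target, tmp)
    os.replace(tmp, link)

def nginx_test_and_reload():
    # `nginx -t` loads every cert/key pair, so a mismatch or unreadable file fails here, not on reload.
    subprocess.run(["nginx", "-t"], check=True)
    subprocess.run(["nginx", "-s", "reload"], check=True)

def refresh_links(le_live, fallback_dir, ssl_dir, domain, reload=nginx_test_and_reload):
    # Point link-cert.pem / link-privkey.pem at the chosen pair, validate, then reload.
    cert, key, source = select_cert_pair(le_live, fallback_dir, domain)
    atomic_symlink(cert, ssl_dir / "link-cert.pem")
    atomic_symlink(key, ssl_dir / "link-privkey.pem")
    reload()
    return source

def run_demo():
    # Constructed scenario in a temp dir with placeholder files; nginx itself is not called.
    with tempfile.TemporaryDirectory() as tmp:
        root, domain, reloads = Path(tmp), "example.test", []
        le_live, ssl_dir = root / "live", root / "ssl"
        ssl_dir.mkdir()
        (ssl_dir / "self-signed.crt").write_text("constructed self-signed cert")
        (ssl_dir / "self-signed.key").write_text("constructed self-signed key")
        before = refresh_links(le_live, ssl_dir, ssl_dir, domain, lambda: reloads.append(1))
        before_target = Path(os.readlink(ssl_dir / "link-cert.pem")).name
        (le_live / domain).mkdir(parents=True)
        (le_live / domain / "cert.pem").write_text("constructed LE cert")  # key not issued yet
        partial = refresh_links(le_live, ssl_dir, ssl_dir, domain, lambda: reloads.append(1))
        (le_live / domain / "privkey.pem").write_text("constructed LE key")
        after = refresh_links(le_live, ssl_dir, ssl_dir, domain, lambda: reloads.append(1))
        after_target = Path(os.readlink(ssl_dir / "link-cert.pem")).name
        return before, partial, after, before_target, after_target, len(reloads)
```

Because the links are swapped by rename rather than rm + ln, a reload triggered by a concurrent watcher never sees a missing link-cert.pem.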