Lets-Encrypt

How can I avoid having to stop a program for letsencrypt to run successfully?

  • June 29, 2017

When trying to create a new certificate with certbot, the assumption is that port 80 or 443 needs to be available, but that does not seem to be the case:

-------------------------------------------------------------------------------
The program nginx (process ID 123454) is already listening on TCP port 443. This
will prevent us from binding to that port. Please stop the nginx program
temporarily and then try again.
-------------------------------------------------------------------------------
At least one of the (possibly) required ports is already taken.

occurs.

How can I renew the certificate without stopping the service (e.g. nginx)?

Attempts to solve the problem

Version?

root@hostname:~# letsencrypt --version
letsencrypt 0.4.1

Options?

root@hostname:~# letsencrypt --help

 letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates.  By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

 (default) run        Obtain & install a cert in your current webserver
 certonly             Obtain cert, but do not install it (aka "auth")
 install              Install a previously obtained cert in a server
 renew                Renew previously obtained certs that are near expiry
 revoke               Revoke a previously obtained certificate
 rollback             Rollback server configuration changes made during install
 config_changes       Show changes made to server config during installation
 plugins              Display information about installed plugins

Choice of server plugins for obtaining and installing cert:

 (the apache plugin is not installed)
 --standalone      Run a standalone webserver for authentication
 (nginx support is experimental, buggy, and not installed by default)
 --webroot         Place files in a server's webroot folder for authentication

OR use different plugins to obtain (authenticate) the cert and then install it:

 --authenticator standalone --installer apache

More detailed help:

 -h, --help [topic]    print this message, or detailed help on a topic;
                       the available topics are:

  all, automation, paths, security, testing, or any of the subcommands or
  plugins (certonly, install, nginx, apache, standalone, webroot, etc)

Is it safe to use the following options?

  (nginx support is experimental, buggy, and not installed by default)
  --webroot         Place files in a server's webroot folder for authentication

If you are trying to use certbot in standalone mode (separate from any other web server), then yes, your web server will need to be stopped so that certbot can use those ports.

However, you can integrate the directory that certbot needs directly into your web server configuration, and then certbot itself does not need to bind to those ports.

I have never done this with nginx, but you may have to make certbot use the dns-01 option of the ACME protocol. That way, the domain-control probe required for certificate renewal happens without having to bind to the ports that actually serve traffic.

To do this you will of course need control over your DNS, and you may have to signal nginx to reload its configuration after a successful certificate renewal, but this can be done without downtime.

Quoted from: https://serverfault.com/questions/858551
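The webroot approach the answer describes, worked through as an added example that is not part of the original question or answer: nginx serves only the ACME HTTP-01 challenge path out of a dedicated directory, certbot writes its challenge token there with `--webroot`, and a hook reloads nginx after issuance. The webroot path `/var/www/letsencrypt` and the domain are placeholders; `--deploy-hook` assumes a certbot newer than the 0.4.1 shown in the question (that release only exposes `--webroot`, so with it you would reload nginx from a cron job or wrapper script instead).

```shell
#!/bin/sh
# Added example, not from the Server Fault thread: keep nginx running while
# certbot validates via the webroot plugin instead of a standalone listener.

WEBROOT="${WEBROOT:-/var/www/letsencrypt}"   # assumed path, any directory nginx can read
DOMAIN="${DOMAIN:-example.com}"              # placeholder domain

# Render the nginx location block that exposes only the challenge path.
# ^~ makes this prefix win over regex locations (e.g. a catch-all proxy_pass),
# so the token is served as a static file even on a reverse-proxy vhost.
acme_location() {
  cat <<EOF
location ^~ /.well-known/acme-challenge/ {
    root $1;
    default_type "text/plain";
    allow all;
}
EOF
}

# Build the certbot command: webroot authenticator (no port 80/443 binding)
# and a reload hook that runs only when a certificate is actually issued.
certbot_cmd() {
  printf 'certbot certonly --webroot -w %s -d %s --deploy-hook "nginx -s reload"\n' "$1" "$2"
}

# Where a token named "$2" will live under webroot "$1"; the ACME server
# fetches it as http://DOMAIN/.well-known/acme-challenge/$2.
challenge_path() {
  printf '%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Pre-flight check a practitioner runs before the first real issuance:
# create the challenge directory and drop a probe token, then fetch
# http://DOMAIN/.well-known/acme-challenge/probe over plain HTTP to confirm
# the location block is wired up. Prints the probe file's path.
prepare_webroot() {
  dir="$1/.well-known/acme-challenge"
  mkdir -p "$dir"
  printf 'probe\n' > "$dir/$2"
  challenge_path "$1" "$2"
}

# Usage: sh thisfile.sh render   (prints the nginx snippet and certbot command)
case "${1:-}" in
  render)
    acme_location "$WEBROOT"
    certbot_cmd "$WEBROOT" "$DOMAIN"
    ;;
esac
```

Include the rendered `location` block in the plain-HTTP `server` block for the domain (the HTTP-01 challenge is always fetched over port 80, so the block must be reachable there even if everything else redirects to HTTPS), and keep `/.well-known/acme-challenge/` out of any authentication or IP allow-list rules, or the validation request will be rejected.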