Lets-Encrypt
How can I avoid having to stop a program so that letsencrypt runs successfully?
When I try to create a new certificate with certbot, it appears that either port 80 or port 443 needs to be available, but that does not seem to be the case here, and the following happens:

-------------------------------------------------------------------------------
The program nginx (process ID 123454) is already listening on TCP port 443. This will prevent us from binding to that port. Please stop the nginx program temporarily and then try again.
-------------------------------------------------------------------------------
At least one of the (possibly) required ports is already taken.
How can I renew the certificate without stopping the service (e.g. nginx)?
Attempts to solve the problem

Version?
root@hostname:~# letsencrypt --version
letsencrypt 0.4.1
Options?
root@hostname:~# letsencrypt --help

  letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates.  By
default, it will attempt to use a webserver both for obtaining and installing
the cert.

Major SUBCOMMANDS are:

  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  renew                Renew previously obtained certs that are near expiry
  revoke               Revoke a previously obtained certificate
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation
  plugins              Display information about installed plugins

Choice of server plugins for obtaining and installing cert:

  (the apache plugin is not installed)
  --standalone         Run a standalone webserver for authentication
  (nginx support is experimental, buggy, and not installed by default)
  --webroot            Place files in a server's webroot folder for authentication

OR use different plugins to obtain (authenticate) the cert and then install it:

  --authenticator standalone --installer apache

More detailed help:

  -h, --help [topic]   print this message, or detailed help on a topic;
                       the available topics are:

   all, automation, paths, security, testing, or any of the subcommands or
   plugins (certonly, install, nginx, apache, standalone, webroot, etc)
Is it safe to use the following option?

  (nginx support is experimental, buggy, and not installed by default)
  --webroot            Place files in a server's webroot folder for authentication
If you try to use certbot in standalone mode (separately from any other web server), then yes, your web server will need to be stopped so that certbot can use those ports.

However, you can integrate the directory that certbot needs directly into your web server's configuration, and then certbot itself does not need to bind to those ports at all.
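The webroot approach described in this answer, as an added example that is not part of the original answer or of certbot/nginx themselves: an nginx location block that serves certbot's challenge directory from a dedicated webroot, a local self-check that the challenge URI maps onto the expected file, and the certbot command that uses that webroot so nginx keeps ports 80 and 443. The webroot path /var/www/letsencrypt, the domain example.com, and the --deploy-hook reload (present in certbot releases newer than the 0.4.1 shown in the question) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original question or answers.
# Assumed values: webroot /var/www/letsencrypt, domain example.com.
set -eu

WEBROOT="${WEBROOT:-/var/www/letsencrypt}"
DOMAIN="${DOMAIN:-example.com}"

# http-01 validation fetches http://<domain>/.well-known/acme-challenge/<token>;
# certbot writes the token file under <webroot>/.well-known/acme-challenge/.
acme_challenge_dir() {
    printf '%s/.well-known/acme-challenge\n' "$1"
}

# nginx snippet: serve only the challenge prefix from the dedicated webroot,
# so the rest of the site configuration is untouched and nothing else under
# that directory is ever exposed.
nginx_acme_snippet() {
    cat <<EOF
location ^~ /.well-known/acme-challenge/ {
    root $1;
    default_type "text/plain";
    try_files \$uri =404;
}
EOF
}

# Self-check: drop a constructed token where certbot would and confirm that
# "root + request URI" (how nginx resolves the location above) finds it.
selfcheck_webroot() {
    dir="$(acme_challenge_dir "$1")"
    mkdir -p "$dir"
    token="constructed-test-token"
    printf 'constructed-key-authorization\n' > "$dir/$token"
    test -r "$1/.well-known/acme-challenge/$token"
}

# The command to run: certbot only writes files, nginx answers the validator,
# and the deploy hook reloads nginx (no restart, no downtime) when a new
# certificate is actually issued.
certbot_webroot_cmd() {
    printf 'certbot certonly --webroot -w %s -d %s --deploy-hook "systemctl reload nginx"\n' "$1" "$2"
}

# Stand-alone run: show the snippet and the command for the assumed values.
nginx_acme_snippet "$WEBROOT"
certbot_webroot_cmd "$WEBROOT" "$DOMAIN"
```

Put the printed location block into the server block for port 80 (the validator always starts over plain HTTP), reload nginx, and run the printed command once; `certbot renew` reuses the same webroot and hook on later renewals.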
I have never done this with nginx, but you may have to use the dns-01 ACME protocol option with certbot. That way, the domain-control probe needed for certificate renewal happens without having to bind to the ports that actually serve traffic. For this you will of course need control over your DNS, and you may have to signal nginx to reload its configuration after a successful certificate renewal, but this can be done without downtime.