Nginx

如何將letsencrypt續訂從apache2遷移到nginx

  • March 20, 2021

我從我目前工作的前任員工(離開另一份工作)那裡繼承了一個非常新的 magento 配置。最初的 Magento 是使用 v2.1.8 設置的,但由於項目的需求/要求發生了變化,我不得不多次更新/升級安裝。結果,我不一定擁有所有安裝的原始文件(我備份了一些,但經過多次更改後,我不得不削減我正在備份的內容)並且不一定能問最初的人安裝/配置了他所做的。

最初的設置只是帶有 https 的 apache2 上的獨立 magento-CE。部分問題是我現在使用 Magento 建議並設置 apache 只在後台使用清漆記憶體執行 http,而 nginx 處理實際的 https 內容。

第一個問題發生在 Apache 伺服器在一夜之間神秘地關閉而沒有任何宣傳。只是在錯誤日誌中收到一條 SIGTERM 消息,表明某些東西正在關閉它。我將其追溯到一個執行更新腳本的 cron 作業,該腳本試圖通過 apache2 驗證證書(不再使用 https 或在埠 443 上進行通信)

我現在需要的是有關如何完成遷移設置的資訊,以便更新腳本可以使用 nginx 而不是 apache2。我可以找到的有關設置letsencrypt的所有說明似乎都假設您還沒有做任何事情並且還沒有證書。但是我確實有證書,我只是沒有任何 nginx 和letsencrypt 需要正確執行更新。

我修改了 /etc/letsencrypt/renewal/myhost.conf 以使用 nginx 而不是 apache 作為身份驗證器。(我還修改了“安裝程序”行,但不確定是否需要,因為它安裝在 apache2 下)

我在伺服器根目錄中重新創建了一個 .well-known/acme-challenge/test 文件,並添加了一個目錄和位置問題,並確認它可以從埠 8080 的 http 上的 apache 伺服器和埠 443 上的 nginx 上的記憶體訪問HTTPS。(返回“成功”作為內容)

但是當我執行 certbot 來測試更新時(根據我在各種說明頁面中看到的建議)它失敗了:

# certbot renew --pre-hook "service nginx stop" -
-post-hook "service nginx start"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.mydomain.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Running pre-hook command: service nginx stop
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.mydomain.com
tls-sni-01 challenge for mydomain.com
nginx: [error] open() "/run/nginx.pid" failed (2: No such file or directory)
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (www.mydomain.com) from /etc/letsencrypt/renewal/www.mydomain.com.conf produced an unexpected error: Failed authorization procedure. www.mydomain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout. Skipping.
All renewal attempts failed. The following certs could not be renewed:
 /etc/letsencrypt/live/www.mydomain.com/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
 /etc/letsencrypt/live/www.mydomain.com/fullchain.pem (failure)
-------------------------------------------------------------------------------
Running post-hook command: service nginx start
Hook command "service nginx start" returned error code 1
Error output from service:
Job for nginx.service failed because the control process exited with error code$ See "systemctl status nginx.service" and "journalctl -xe" for details.

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
- The following errors were reported by the server:

  Domain: www.mydomain.com
  Type:   connection
  Detail: Timeout

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address. Additionally, please check that
  your computer has a publicly routable IP address and that no
  firewalls are preventing the server from communicating with the
  client. If you're using the webroot plugin, you should also verify
  that you are serving files from the webroot path you provided.

我需要知道仍然缺少什麼才能使續訂正常工作

我現在為 3 個域執行了此操作,並且它有效,但請自行承擔風險並在執行任何操作之前備份原始文件。

  • 確保您確實擁有該nginx外掛。您可以使用命令安裝它sudo apt-get install python-certbot-nginx
  • /etc/letsencrypt/renewal/*.conf使用您選擇的編輯器進行

編輯

  • 我做了vim /etc/letsencrypt/renewal/DOMAIN.conf
  • 在每個文件中,有兩行需要替換apache2nginx
    • authenticator: nginx
    • installer: nginx

最後,要測試它是否順利,請嘗試更新您的證書

certbot --dry-run renew

如果您沒有收到任何錯誤,則表示續訂成功。

引用自:https://serverfault.com/questions/900305