Warm tip: This article is reproduced from serverfault.com, please click

其他-如何将Letscrypt更新续订从apache2迁移到nginx

(How to migrate letsencrypt renewal from apache2 to nginx)

发布于 2021-03-19 08:29:46

我从我目前工作的前一位员工(他去了另一份工作)那里继承了一个非常新的magento配置。最初的Magento是使用v2.1.8设置的,但是随着项目需求的变化,我不得不多次更新/升级安装。结果,我安装时并不一定要拥有所有原始文件(我备份了一些文件,但是在多次更改后,我不得不减少备份的内容),并且不一定要问原始人安装/配置了他所做的。

最初的设置只是在带有https的apache2上的独立magento-CE。问题的一部分是,我现在正在使用Magento建议,并设置apache以便仅在后台使用清漆缓存和nginx处理实际https内容的情况下执行http。

第一个问题发生在apache服务器神秘地在一夜之间关门大吉的情况下。错误日志中仅收到一条SIGTERM消息,提示已将其关闭。我追溯到一个cron作业,它为letsencrypt运行更新脚本,该脚本想通过apache2验证证书(不再执行https或在端口443上进行通信)

我现在需要的是有关如何完成设置迁移的信息,以便续订脚本将与nginx而不是apache2一起使用。在设置letencrypt时,我能找到的所有说明似乎都假设你尚未执行任何操作且还没有证书。但是我确实有证书,我只是没有任何nginx,而letencrypt需要正确运行续订。

我将/etc/letsencrypt/renewal/myhost.conf修改为使用nginx代替apache作为身份验证器。(我还修改了“安装程序”行,但不确定是否需要安装,因为它是在apache2下安装的。)

我在服务器根目录中重新创建了一个.well-known / acme-challenge / test文件,并添加了目录和位置问题,并确认可以从http的8080端口的apache服务器以及端口443的nginx的缓存访问该文件。 https。(返回“成功”作为内容)

但是,当我运行certbot来测试续订时(按照我在各个说明页中看到的建议),它失败了:

# certbot renew --pre-hook "service nginx stop" -
-post-hook "service nginx start"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.mydomain.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Running pre-hook command: service nginx stop
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.mydomain.com
tls-sni-01 challenge for mydomain.com
nginx: [error] open() "/run/nginx.pid" failed (2: No such file or directory)
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (www.mydomain.com) from /etc/letsencrypt/renewal/www.mydomain.com.conf produced an unexpected error: Failed authorization procedure. www.mydomain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.mydomain.com/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.mydomain.com/fullchain.pem (failure)
-------------------------------------------------------------------------------
Running post-hook command: service nginx start
Hook command "service nginx start" returned error code 1
Error output from service:
Job for nginx.service failed because the control process exited with error code$ See "systemctl status nginx.service" and "journalctl -xe" for details.

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.mydomain.com
   Type:   connection
   Detail: Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

我需要知道仍然缺少什么才能使续约工作正常

Questioner
Scott
Viewed
0
Jigarius 2019-05-19 00:15:50

我现在对3个域进行了此操作,并且可以正常工作,但是在尝试执行任何操作之前,请你自担风险并备份原始文件。

  • 确保你确实有该nginx插件。你可以使用以下命令安装sudo apt-get install python-certbot-nginx
  • 编辑/etc/letsencrypt/renewal/*.conf与你选择的编辑器
    • 我做了 vim /etc/letsencrypt/renewal/DOMAIN.conf
  • 在每个文件中,有两行需要替换apache2nginx
    • authenticator: nginx
    • installer: nginx

最后,要测试运行是否顺利,请尝试使用

certbot --dry-run renew

如果没有任何错误,则表示续订成功。

最新帖子

最新文章