我正在尝试将我的 HTTP Web 应用程序转换为使用 HTTPS。我已经使用这个site使用certbot linux snap请求证书。我在路由器上打开了端口 80,以转发到端口 80 上的家庭服务器。
>sudo certbot certonly --standalone -d footeware.ca
Certificate is saved at: /etc/letsencrypt/live/footeware.ca/fullchain.pem
Key is saved at: /etc/letsencrypt/live/footeware.ca/privkey.pem
This certificate expires on 2025-01-18.
这似乎有效,所以我想让 certbot 自动快照来刷新证书。我认为这是一个 cron 作业,激活快照以使用端口 80 更新上述文件夹中的证书。
我的 Angular 应用程序位于带有 nginx 的 Docker 容器中。现在我需要使证书可供该 nginx 使用并让它在 443 上监听。
# nginx.conf
http {
server {
listen 443 default_server ssl http2;
listen [::]:443 ssl http2;
server_name footeware.ca;
ssl_certificate /etc/letsencrypt/live/footeware.ca/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/footeware.ca/privkey.pem;
location / {
EDIT # proxy_pass http://footeware.ca; # would forward to http & error
try_files $uri $uri/ =404;
}
}
}
# dockerfile
FROM nginx:latest
# use my conf
COPY ./nginx.conf /etc/nginx/nginx.conf
# copy angular app to container
COPY ./dist/ca.footeware.ng.web/browser /usr/share/nginx/html/browser
# not sure this is needed
RUN mkdir -p /etc/letsencrypt/live/footeware.ca
EXPOSE 443
我正在使用 docker-compose 将映像作为容器启动:
# compose.yaml
services:
ng_web:
image: craigfoote/ng.web:latest
container_name: ng.web
restart: unless-stopped
ports:
- 443:443
volumes:
- /etc/letsencrypt/live/footeware.ca:/etc/letsencrypt/live/footeware.ca
但是
docker-compose upCannot load certificate "/etc/letsencrypt/live/footeware.ca/fullchain.pem" - no such file
由于容器无法启动,我无法附加到它并检查任何内容。我被困住了。
在意识到 nginx.conf 是转发到另一个 http 服务器的代理类型指令后,我编辑了 nginx.conf。我改变了:
location / {
# proxy_pass http://footeware.ca; # would forward to http & error
try_files $uri $uri/ =404;
}
但我遇到了同样的错误:
2024/10/21 14:32:38 [emerg] 1#1: cannot load certificate "/etc/letsencrypt/live/footeware.ca/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/footeware.ca/fullchain.pem, r) error:10000080:BIO routines::no such file)
ng.web | nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/footeware.ca/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/footeware.ca/fullchain.pem, r) error:10000080:BIO routines::no such file)
我删除并使用 CertBot 重新请求证书。再次表明成功。我无法列出
/etc/letsencryptcraig@server:/etc/letsencrypt$ ls -Ahl
total 20K
drwx------ 4 root root 4.0K Oct 20 19:38 accounts
drwx------ 3 root root 4.0K Oct 20 16:37 archive
drwx------ 3 root root 4.0K Oct 20 16:37 live
drwxr-xr-x 2 root root 4.0K Oct 20 16:37 renewal
drwxr-xr-x 5 root root 4.0K Oct 20 16:37 renewal-hooks
craig@server:/etc/letsencrypt$ tree
. [error opening dir]
0 directories, 1 file
我仍然不知道为什么 nginx 看不到我的证书,但我想这与权限有关。 🤔
(大部分)可以正常工作!使用
volumecompose.yaml# compose.yaml
services:
ng_web:
image: craigfoote/ng.web:latest
container_name: ng.web
restart: unless-stopped
ports:
- 443:443
volumes:
- /etc/letsencrypt/live/footeware.ca:/etc/letsencrypt/live/footeware.ca
我把它改为:
# compose.yaml
services:
ng_web:
image: craigfoote/ng.web:latest
container_name: ng.web
restart: unless-stopped
ports:
- 443:443
depends_on:
- rest_galleries
volumes:
- /etc/letsencrypt/live/footeware.ca/fullchain.pem:/etc/letsencrypt/live/footeware.ca/fullchain.pem
- /etc/letsencrypt/live/footeware.ca/privkey.pem:/etc/letsencrypt/live/footeware.ca/privkey.pem
现在有两卷,证书和密钥各一卷。
一路上我也对
nginx.confevents {
}
http {
server {
listen 80;
server_name footeware.ca www.footeware.ca;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name footeware.ca www.footeware.ca;
ssl_certificate /etc/letsencrypt/live/footeware.ca/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/footeware.ca/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
include mime.types;
gzip_static on;
location / {
root /usr/share/nginx/html/browser;
index index.html;
try_files $uri $uri/ =404;
}
}
}
这使得大部分网站都能正常工作,但我现在有了一些“混合内容”、对其他 http 服务和图像的请求等。他们的 http 方案以某种方式更改为 https 并且无法解析。现在让它们全部 https...