我有这个dockerfile:
FROM nginx
COPY .docker/certificates/fullchain.pem /etc/letsencrypt/live/mydomain.com/fullchain.pem
COPY .docker/certificates/privkey.pem /etc/letsencrypt/live/mydomain.com/privkey.pem
COPY .docker/config/options-ssl-nginx.conf /etc/nginx/options-ssl-nginx.conf
COPY .docker/config/ssl-dhparams.pem /etc/nginx/ssl-dhparams.pem
COPY .docker/config/nginx.conf /etc/nginx/conf.d/default.conf
RUN chmod +r /etc/letsencrypt/live/mydomain.com/fullchain.pem
我的 nginx 配置中有这个:
server {
listen 443 ssl default_server;
server_name _;
# Why can't this file be found?
ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
# ssl_certificate /etc/nginx/fullchain.pem;
# ssl_certificate_key /etc/nginx/privkey.pem;
include /etc/nginx/options-ssl-nginx.conf;
ssl_dhparam /etc/nginx/ssl-dhparams.pem;
...
}
Nginx 崩溃时:
[emerg] 7#7: cannot load certificate "/etc/letsencrypt/live/mydomain.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/mydomain.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
但是,如果我将
fullchain.pem
和 privkey.pem
的位置更改为 /etc/nginx/fullchaim.pem
和 /etc/nginx/privkey.pem
并更新 nginx 配置,它会 找到文件并按预期工作。
这是
docker-compose.yml
中的服务定义:
nginx-server:
container_name: "nginx-server"
build:
context: ../../
dockerfile: .docker/dockerfiles/NginxDockerfile
restart: on-failure
ports:
- "80:80"
- "443:443"
volumes:
- static-content:/home/docker/code/static
- letsencrypt-data:/etc/letsencrypt
- certbot-data:/var/www/certbot
depends_on:
- api
command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
networks:
- api-network
- main
# Commented out to verify that the files aren't being deleted by certbot
# certbot:
# image: certbot/certbot
# container_name: "certbot"
# depends_on:
# - nginx-server
# restart: unless-stopped
# volumes:
# - letsencrypt-data:/etc/letsencrypt
# - certbot-data:/var/www/certbot
# entrypoint: "/bin/sh -c 'sleep 30s && trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
目的是使用
fullchain.pem
作为初始证书,直到可以向 let's crypt 请求该证书为止。请注意,此时还没有 certbot
服务,并且 /etc/letsencrypt/live/mydomain.com
目录根本没有在其他任何地方被引用(仅在 NginxDockerfile
和 nginx.conf
中),所以它 不应该 是一个问题另一个服务删除文件。使用 --no-cache
重建没有帮助。
为什么nginx找不到该特定位置的文件,但复制到其他位置却可以找到它们?
编辑: 正如建议的那样,我最终使用了主机卷。当主机卷位于存储库内时,这不起作用(
root_of_context/path/to/gitignored/directory/letsencrypt:/etc/letsencrypt
,但与 /etc/letsencrypt:/etc/letsencrypt
一起工作,我个人觉得很难看,但是哦,好吧。
编辑2:回想起来,这可能只是我的.dockeringore(包括存储库路径)的问题。使用相对路径与绝对路径对 Docker 来说并不重要。
卷在运行时安装,因此在构建容器之后。
由于您在
letsencrypt-data
上安装了 /etc/letsencrypt
,Nginx 将在 letsencrypt-data
中查找您的文件。- letsencrypt-data:/etc/letsencrypt
中删除 volumes
,您的容器将会成功运行。