我正在使用以下 nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
server {
listen 80;
server_name mydomain.org;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/mydomain.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.org/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/certs/dhparam.pem;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/mydomain.org/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=86400;
root /var/www/html;
index index.php;
location / {
try_files $uri $uri/ /index.php?$args;
}
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
access_log off; log_not_found off; expires max;
}
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
root /var/www/html;
fastcgi_pass wp_db:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
include fastcgi_params;
}
}
}
但是 nginx 容器提示:
nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/mydomain.org/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/mydomain.org/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
我拥有该路径上的所有证书,让我们加密。 我找到了这个线程 https://serverfault.com/questions/537343/nginx-startup-fails-ssl-no-such-file-or-directory
做了
chown -R root:root /etc/letsencrypt/live/mydomain.org/fullchain.pem
chmod -R 600 /etc/letsencrypt/live/mydomain.org/fullchain.pem
nginx 容器抛出了同样的错误。我已将证书放在 /docker-compose/etc/nginx/certs 上,给予相同的权限并更改 nging.conf 上的链接,但没有任何改变。
我错过了什么?
最佳答案
我在使用卷映射/etc/letsencrypt:/etc/letsencrypt 部署 harbor(docker 注册表 + 访问控制 UI)时遇到了同样的问题
nginx 在加载证书文件时报告“没有这样的文件”,即使我可以进入该容器(docker exec bash ..)并使用完全相同的路径对文件进行 cat。
我怀疑问题是由 letsencrypt 使用符号链接(symbolic link)引起的,所以我的解决方案是使用 cp -rL(取消引用符号链接(symbolic link))将实时证书复制到另一个文件夹
root@registry:/etc/letsencrypt# mkdir copy
root@registry:/etc/letsencrypt# cp -rL live/* copy/
然后我将 nginx.conf 更改为引用“复制”而不是“实时”
现在 nginx 在 docker 中正确启动。
这不是一个长期的解决方案,因为当更新证书时,副本不会自动更新。但由于我将从 cronjob 运行 letsencrypt renew,该任务可以再次运行复制过程。
此外,我还了解到如果证书更改,则必须重新启动 nginx,因此这是我需要面对的另一个问题。但至少 nginx 现在可以正确启动了。
关于ssl - Docker Nginx 提示 : SSL: error:02001002,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/37601151/