It took me a long time to get Ubuntu 22.04, Nginx and Certbot working together smoothly.
I'm new to Ubuntu, so I'm learning by trial and error, though so far I seem to have mastered a lot of the latter.
Fresh install on a public VM. I have all three applications installed. My site pointed at my domain and was working fine, but when I added Certbot, everything $#@& broke. Now I can't reach my site at all, with or without https.
OK, I'll use "notmydomain.com" as the example.
I installed Certbot and, following the instructions on its website, tried to start Nginx:
systemctl start nginx.service
I got this message:
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xeu nginx.service" for details.
So I did that and got the following:
# systemctl status nginx.service
× nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2023-10-30 09:17:39 CDT; 5s ago
Docs: man:nginx(8)
Process: 535771 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
CPU: 12ms
systemd[1]: Starting A high performance web server and a reverse proxy server...
nginx[535771]: nginx: [emerg] cannot load certificate key "/etc/letsencrypt/live/notmydomain.com/privkey.pem": PEM_read>
systemd[1]: nginx: configuration file /etc/nginx/nginx.conf test failed
systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
systemd[1]: nginx.service: Failed with result 'exit-code'.
systemd[1]: Failed to start A high performance web server and a reverse proxy server.
I checked the directory where the pem files live:
# ls -l
total 4
lrwxrwxrwx 1 root root 44 Oct 28 03:00 cert.pem -> ../../archive/notmydomain.com/cert1.pem
lrwxrwxrwx 1 root root 45 Oct 28 03:00 chain.pem -> ../../archive/notmydomain.com/chain1.pem
lrwxrwxrwx 1 root root 49 Oct 28 03:00 fullchain.pem -> ../../notmydomain.com/fullchain1.pem
lrwxrwxrwx 1 root root 47 Oct 28 03:00 privkey.pem -> ../../archive/notmydomain.com/privkey1.pem
-rw-r--r-- 1 root root 692 Oct 28 03:00 README
I noticed that all of these files are owned by root. So should some other user own them so that Nginx can access them? Is that my problem? Who should own these files so they can be accessed?
I checked the firewall rules to make sure I hadn't locked myself out:
# ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] Anywhere ALLOW IN xxx.xxx.xxx.xxx
[ 2] 443/tcp ALLOW IN Anywhere
[ 3] 80/tcp ALLOW IN Anywhere
[ 4] Nginx HTTP ALLOW IN Anywhere
[ 5] Nginx HTTPS ALLOW IN Anywhere
[ 6] 443/tcp (v6) ALLOW IN Anywhere (v6)
[ 7] 80/tcp (v6) ALLOW IN Anywhere (v6)
[ 8] Nginx HTTP (v6) ALLOW IN Anywhere (v6)
[ 9] Nginx HTTPS (v6) ALLOW IN Anywhere (v6)
I've reissued the certificate to make sure there's nothing wrong with it; this command ran without any errors:
# certbot certonly --standalone --domain notmydomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for notmydomain.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/notmydomain.com-0001/fullchain.pem
Key is saved at: /etc/letsencrypt/live/notmydomain.com-0001/privkey.pem
This certificate expires on 2024-01-28.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
I can provide more information if needed; I just don't know where to look next. Any guidance would be much appreciated!
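The journal output and the directory listing above suggest two things worth checking before running `systemctl start nginx` again: whether every link in `/etc/letsencrypt/live/<name>/` resolves to a file nginx can read and parse (in the listing, `fullchain.pem` points at `../../notmydomain.com/fullchain1.pem`, a path without the `archive/` component the other three links have, and the re-issue saved its files under `notmydomain.com-0001/` rather than the directory the original config was written for), and whether `privkey.pem` is actually the key for `cert.pem`. Root ownership itself is the normal state: the nginx master process runs as root and loads the certificate and key during the config test, so making the key readable by other users is not the fix. The script below is an added example, not part of the original post and not Certbot's or nginx's own tooling. It assumes the standard Certbot layout (`live/<name>/*.pem -> ../../archive/<name>/*N.pem`), builds its own throwaway trees under `mktemp -d` (one healthy, one with a dangling `fullchain.pem` link like the one in the listing), and generates a throwaway self-signed key pair with openssl when it is installed; the `notmydomain.com` name is the post's placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a Certbot "live"
# directory the way "nginx -t" needs it, before starting the service.
# Assumed layout: live/<name>/{cert,chain,fullchain,privkey}.pem
#                 -> ../../archive/<name>/{cert,chain,fullchain,privkey}N.pem

# check_live_dir DIR
# Prints one status line per file. Returns 0 only when all four files resolve
# to readable PEM files and (when openssl is installed) privkey.pem matches cert.pem.
check_live_dir() {
    dir=$1
    rc=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        p="$dir/$f"
        if [ ! -e "$p" ]; then
            # [ -e ] follows symlinks, so a link whose target path does not exist
            # (e.g. a path missing the archive/ component) lands here.
            if [ -L "$p" ]; then
                printf 'BROKEN     %s -> %s (target missing)\n' "$f" "$(readlink "$p")"
            else
                printf 'MISSING    %s\n' "$f"
            fi
            rc=1
            continue
        fi
        if [ ! -r "$p" ]; then
            printf 'UNREADABLE %s (as user %s)\n' "$f" "$(id -un)"
            rc=1
            continue
        fi
        if ! head -n 1 "$p" | grep -q '^-----BEGIN '; then
            printf 'NOT-PEM    %s (first line is not a PEM header)\n' "$f"
            rc=1
            continue
        fi
        printf 'OK         %s\n' "$f"
    done
    # The private key must belong to the leaf certificate: compare the public keys.
    if [ "$rc" -eq 0 ] && command -v openssl >/dev/null 2>&1; then
        cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null)
        if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "MISMATCH   privkey.pem does not parse or does not belong to cert.pem"
            rc=1
        fi
    fi
    return $rc
}

# make_demo_tree ROOT NAME MODE
# Builds a constructed tree ROOT/{archive,live}/NAME and prints the live dir.
# MODE "good" mirrors a healthy Certbot layout; MODE "dangling" reproduces a
# fullchain.pem link that points outside archive/, like the listing in the post.
make_demo_tree() {
    root=$1; name=$2; mode=$3
    arch="$root/archive/$name"; live="$root/live/$name"
    mkdir -p "$arch" "$live"
    if command -v openssl >/dev/null 2>&1; then
        # Throwaway self-signed pair so the key/cert match check is exercised.
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
            -keyout "$arch/privkey1.pem" -out "$arch/cert1.pem" >/dev/null 2>&1
    else
        # Constructed placeholder PEM files when openssl is absent; only the
        # existence/readability/header checks run in that case.
        printf '%s\n' '-----BEGIN PRIVATE KEY-----' placeholder '-----END PRIVATE KEY-----' > "$arch/privkey1.pem"
        printf '%s\n' '-----BEGIN CERTIFICATE-----' placeholder '-----END CERTIFICATE-----' > "$arch/cert1.pem"
    fi
    cp "$arch/cert1.pem" "$arch/chain1.pem"
    cat "$arch/cert1.pem" "$arch/chain1.pem" > "$arch/fullchain1.pem"
    ln -s "../../archive/$name/cert1.pem"    "$live/cert.pem"
    ln -s "../../archive/$name/chain1.pem"   "$live/chain.pem"
    ln -s "../../archive/$name/privkey1.pem" "$live/privkey.pem"
    if [ "$mode" = dangling ]; then
        ln -s "../../$name/fullchain1.pem" "$live/fullchain.pem"          # no archive/ component
    else
        ln -s "../../archive/$name/fullchain1.pem" "$live/fullchain.pem"
    fi
    echo "$live"
}

# Stand-alone demo on constructed trees; never touches /etc/letsencrypt.
demo_root=$(mktemp -d)
for demo_mode in good dangling; do
    demo_live=$(make_demo_tree "$demo_root/$demo_mode" notmydomain.com "$demo_mode")
    echo "== $demo_mode layout: $demo_live"
    if check_live_dir "$demo_live"; then
        echo "-> nginx would be able to load these files"
    else
        echo "-> fix this before running systemctl start nginx"
    fi
done
rm -rf "$demo_root"
```

On the host itself the function is run against the real directory named in the nginx server block, for example `check_live_dir /etc/letsencrypt/live/notmydomain.com`, and again against whatever directory `certbot certonly` reported (`/etc/letsencrypt/live/notmydomain.com-0001` in the output above); the `ssl_certificate` and `ssl_certificate_key` directives must point at the directory that passes.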