I am on CentOS 7 with kernel 3.10. I have successfully installed CertBot 1.10.1 using the alternative installation instructions (certbot-auto). I have set certbot-auto to run automatically via systemd by manually adding the following:

/etc/systemd/system/certbot-renewal.service:
[Unit]
Description=Certbot Renewal
[Service]
ExecStart=/usr/local/bin/certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start" --quiet --agree-tos
/etc/systemd/system/certbot-renewal.timer:
[Unit]
Description=Timer for Certbot Renewal
[Timer]
OnBootSec=1h
OnUnitActiveSec=1d
[Install]
WantedBy=multi-user.target
Now certbot-auto renews the SSL certificate successfully when needed. The problem, however, is that certbot-auto fails to start nginx afterwards.

For example, when certbot-auto renews the certificate, my website goes down. If I connect via SSH, I see the following:
[root@somedomain ~]# sudo systemctl status nginx
● nginx.service - SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server
Loaded: loaded (/etc/rc.d/init.d/nginx; bad; vendor preset: disabled)
Active: inactive (dead) since Wed 2021-04-14 16:40:56 UTC; 3min 14s ago
Docs: man:systemd-sysv-generator(8)
Process: 5745 ExecStop=/etc/rc.d/init.d/nginx stop (code=exited, status=0/SUCCESS)
Process: 5737 ExecStart=/etc/rc.d/init.d/nginx start (code=exited, status=0/SUCCESS)
Main PID: 5708 (code=exited, status=0/SUCCESS)
Apr 14 16:40:56 somedomain.com systemd[1]: Starting SYSV: Nginx is an HTTP(S)....
Apr 14 16:40:56 somedomain.com systemd[1]: Started SYSV: Nginx is an HTTP(S) ....
Hint: Some lines were ellipsized, use -l to show in full.
[root@somedomain ~]# sudo systemctl start nginx
[root@somedomain ~]# sudo systemctl status nginx
● nginx.service - SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server
Loaded: loaded (/etc/rc.d/init.d/nginx; bad; vendor preset: disabled)
Active: active (running) since Wed 2021-04-14 16:44:45 UTC; 3s ago
Docs: man:systemd-sysv-generator(8)
Process: 5745 ExecStop=/etc/rc.d/init.d/nginx stop (code=exited, status=0/SUCCESS)
Process: 5809 ExecStart=/etc/rc.d/init.d/nginx start (code=exited, status=0/SUCCESS)
Main PID: 5822 (nginx)
CGroup: /system.slice/nginx.service
├─5822 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.c...
├─5823 nginx: worker process
├─5824 nginx: worker process
├─5826 nginx: cache manager process
└─5827 nginx: cache loader process
Apr 14 16:44:45 somedomain.com systemd[1]: Starting SYSV: Nginx is an HTTP(S)....
Apr 14 16:44:45 somedomain.com nginx[5809]: Starting nginx: [ OK ]
Apr 14 16:44:45 somedomain.com systemd[1]: Started SYSV: Nginx is an HTTP(S) ....
Hint: Some lines were ellipsized, use -l to show in full.
Looking at the certbot log reveals nothing suspicious:
...
2021-04-14 16:40:46,329:INFO:certbot.compat.misc:Running pre-hook command: service nginx stop
2021-04-14 16:40:46,488:INFO:certbot.compat.misc:Output from pre-hook command service:
Stopping nginx (via systemctl): [ OK ]
2021-04-14 16:40:46,492:DEBUG:certbot.display.util:Notifying user: Renewing an existing certificate for somedomain.com and 4 more domains
...
2021-04-14 16:40:48,149:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/conf.d/somefile.conf:
...
2021-04-14 16:40:48,221:DEBUG:certbot_nginx._internal.configurator:nginx reload failed:
nginx: [error] open() "/run/nginx.pid" failed (2: No such file or directory)
...
2021-04-14 16:40:52,071:DEBUG:acme.client:Storing nonce: ...
2021-04-14 16:40:52,072:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-04-14 16:40:52,072:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-04-14 16:40:55,267:DEBUG:certbot._internal.storage:Writing new config /etc/letsencrypt/renewal/somedomain.com.conf.new.
2021-04-14 16:40:56,316:DEBUG:certbot.display.util:Notifying user: new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/somedomain.com/fullchain.pem
2021-04-14 16:40:56,322:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2021-04-14 16:40:56,324:DEBUG:certbot._internal.plugins.selection:Selecting plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f75ee7ab250>
Prep: True
2021-04-14 16:40:56,325:DEBUG:certbot.display.util:Notifying user:
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/somedomain.com/fullchain.pem (success)
2021-04-14 16:40:56,326:DEBUG:certbot._internal.renewal:no renewal failures
2021-04-14 16:40:56,326:INFO:certbot.compat.misc:Running post-hook command: service nginx start
2021-04-14 16:40:56,455:INFO:certbot.compat.misc:Output from post-hook command service:
Starting nginx (via systemctl): [ OK ]
As you can see, the log indicates that certbot was able to start nginx.

Looking at the nginx log:
... unrelated old entries
2021/04/14 16:40:46 [alert] 5188#0: *1395650 open socket #18 left in connection 10
2021/04/14 16:40:46 [alert] 5188#0: *1395649 open socket #13 left in connection 17
2021/04/14 16:40:46 [alert] 5188#0: aborting
2021/04/14 16:40:48 [notice] 5706#0: signal process started
2021/04/14 16:40:48 [error] 5706#0: open() "/run/nginx.pid" failed (2: No such file or directory)
2021/04/14 16:40:52 [notice] 5715#0: signal process started
2021/04/14 16:40:55 [notice] 5720#0: signal process started
Nothing suspicious here either, as far as I can tell. nginx seems to have started.

Any idea what is going wrong? Or what should I check?
Answer 1
It seems the documentation only mentions --pre-hook "service nginx stop" when the standalone plugin is used. My log, however, seems to indicate that the standalone plugin is not in use; the nginx plugin is used instead. So I think this means that in my case no server stop/start/restart is needed. Perhaps the nginx plugin keeps some reference to nginx across the stop/start commands? That may be the problem.

To summarize: restarting nginx is not necessary.

I fixed the issue by:

- removing pre_hook/post_hook and adding deploy_hook = sudo nginx -s reload inside /etc/letsencrypt/renewal/somedomain.com.conf.
- replacing the command line in /etc/systemd/system/certbot-renewal.service with ExecStart=/usr/local/bin/certbot-auto renew --quiet

Well, at least sudo /usr/local/bin/certbot-auto renew --force-renewal executed successfully, and the server did start using the new certificate (without going down in the process).
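The failure mode in this thread is visible in the logs above: the pre-hook stops nginx, so when the nginx installer plugin runs its own reload there is no /run/nginx.pid to signal, and only the post-hook brings the server back. The following script is an added example, not part of the original question or answer, that lints a certbot renewal conf for exactly that combination (stop/start hooks together with installer = nginx); the sample conf files it writes are constructed to mirror the poster's before-and-after configuration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: lint certbot renewal confs for
# stop/start hooks combined with the nginx installer, which removes
# /run/nginx.pid before certbot's own "nginx -s reload" runs.
# Exit status of check_renewal_conf: 0 = no conflict, 1 = conflict found.

# Print the value of "key = value" for the given key in an INI-style renewal conf.
conf_value() {  # $1 = key, $2 = conf path
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

check_renewal_conf() {  # $1 = path to /etc/letsencrypt/renewal/<domain>.conf
    local conf=$1 rc=0
    local installer pre post deploy
    installer=$(conf_value installer "$conf")
    pre=$(conf_value pre_hook "$conf")
    post=$(conf_value post_hook "$conf")
    deploy=$(conf_value deploy_hook "$conf")
    # Only the nginx installer reloads nginx itself; other installers are out of scope.
    [ "$installer" = nginx ] || return 0
    case $pre in
        *stop*)  echo "WARN $conf: pre_hook stops nginx but installer = nginx"; rc=1 ;;
    esac
    case $post in
        *start*) echo "WARN $conf: post_hook (re)starts nginx but installer = nginx"; rc=1 ;;
    esac
    if [ $rc -ne 0 ] && [ -z "$deploy" ]; then
        echo "HINT $conf: replace the hooks with 'deploy_hook = nginx -s reload'"
    fi
    return $rc
}

# Constructed sample confs (not real files from the poster's host).
write_bad_conf() {  # mirrors the original setup: stop/start hooks + nginx installer
    printf '%s\n' '[renewalparams]' 'authenticator = nginx' 'installer = nginx' \
        'pre_hook = service nginx stop' 'post_hook = service nginx start' > "$1"
}
write_fixed_conf() {  # mirrors the accepted fix: deploy_hook only
    printf '%s\n' '[renewalparams]' 'authenticator = nginx' 'installer = nginx' \
        'deploy_hook = nginx -s reload' > "$1"
}

# Demo run over both constructed confs.
tmp=$(mktemp)
write_bad_conf "$tmp";   check_renewal_conf "$tmp" || echo "bad conf flagged (exit 1)"
write_fixed_conf "$tmp"; check_renewal_conf "$tmp" && echo "fixed conf passes (exit 0)"
rm -f "$tmp"
```

To check a live host, loop check_renewal_conf over /etc/letsencrypt/renewal/*.conf; a non-zero exit marks a conf that will still stop nginx underneath the plugin's reload.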