如何允许 certbot 能够通过 nginx 访问 http://myapi.com/.well-known/acme-challenge/2d8dvxv8x9dvxd9v?


My nginx.conf file is as follows:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
# the above include brings in the following default files:
# 50-mod-http-image-filter.conf
# 50-mod-http-xslt-filter.conf
# 50-mod-mail.conf
# 50-mod-stream.conf

events {
    worker_connections 500;
}

http {
    include        /etc/nginx/proxy.conf;
    limit_req_zone $binary_remote_addr zone=one:10m rate=100r/m;
    server_tokens  off;

    sendfile on;
    keepalive_timeout   30;
    client_body_timeout 10; client_header_timeout 10; send_timeout 10;

    upstream myapp {
        server 127.0.0.1:5000;
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name myapi.com;
        ssl_certificate /etc/letsencrypt/live/myapi.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/myapi.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;

        # Proxies all traffic to the upstream defined above
        # (the name here must match the upstream block; it was "myapi" in the posted config)
        location / {
            proxy_pass http://myapp;
            limit_req  zone=one burst=10;
        }
    }
}

I installed certbot and certbot-nginx (Ubuntu).

SSL works correctly. The firewall only allows port 443.

I am trying to renew the certbot certificate with the following command: sudo certbot renew --dry-run

This tries to verify that I own the domain by making a request to http://myapi.com/.well-known/acme-challenge/2d8dvxv8x9dvxd9v (note: I have obfuscated the key value 2d8dvxv8x9dvxd9v, since it is private information).

But this does not work. So I opened port 80 and added the following extra server block:

    server {
        listen 80;
        server_name myapi.com;
        return 301 https://$host$request_uri;
    }

Now the certbot renew command (sudo certbot renew --dry-run) is able to renew the certificate. Strangely, even after I delete this server block, certbot renewal still works.

  1. Where is the .well-known/acme-challenge path? Is it generated/deleted dynamically?

  2. When I delete the port 80 server block, how is nginx able to renew the certificate (since it needs port 80 for the certbot challenge)?

Answer 1

You need a firewall that allows access to port 80 (http); certbot will start a web server to serve the acme-challenge file from your domain.
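For reference, here is an added example (not part of the question or the answer above) of the usual way to let nginx answer HTTP-01 challenges itself, so that renewal does not depend on certbot starting its own web server. It assumes a webroot of /var/www/letsencrypt (a hypothetical path chosen for this example) and reuses the myapi.com server and myapp upstream from the question. Two facts it relies on: the ACME HTTP-01 challenge always starts on port 80, so 80/tcp has to be open at the firewall whichever authenticator is used; and the file under /.well-known/acme-challenge/ exists only for the duration of a validation (certbot's webroot authenticator writes it and removes it afterwards; the nginx authenticator instead temporarily rewrites the nginx config to answer the challenge, reloads nginx, then restores the config), which is why the path is not visible on disk between renewals.

```nginx
# Added example, not the original poster's config. Assumes the hypothetical
# webroot /var/www/letsencrypt; certbot's webroot authenticator writes
# <webroot>/.well-known/acme-challenge/<token> during validation and
# removes it afterwards.

server {
    listen 80;
    listen [::]:80;
    server_name myapi.com;

    # Answer HTTP-01 challenges directly on port 80. "^~" stops nginx from
    # considering regex locations for this prefix, and the block is
    # separate from "location /", so neither the redirect nor any
    # limit_req on the main location applies to it.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else is sent to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name myapi.com;
    ssl_certificate /etc/letsencrypt/live/myapi.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/myapi.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    # Same challenge location over HTTPS, so a validation request that was
    # redirected from port 80 is still served from the webroot instead of
    # being proxied to the application.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    location / {
        proxy_pass http://myapp;
        limit_req  zone=one burst=10;
    }
}
```

Create the directory with `mkdir -p /var/www/letsencrypt/.well-known/acme-challenge`, issue the certificate once with `sudo certbot certonly --webroot -w /var/www/letsencrypt -d myapi.com`, and from then on `sudo certbot renew --dry-run` reuses the webroot authenticator recorded in /etc/letsencrypt/renewal/myapi.com.conf. Before the first run, drop a test file into that directory and fetch `http://myapi.com/.well-known/acme-challenge/test` with curl from outside the host: if plain HTTP returns 200, the ACME validator can reach it too, and the 403 or connection timeout you would otherwise see is the firewall or a redirect getting in the way.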
