我的nginx.conf文件如下:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
#the above include brings in the following default files:
#50-mod-http-image-filter.conf
#50-mod-http-xslt-filter.conf
#50-mod-mail.conf
#50-mod-stream.conf
events {
worker_connections 500;
}
http {
include /etc/nginx/proxy.conf;
limit_req_zone $binary_remote_addr zone=one:10m rate=100r/m;
server_tokens off;
sendfile on;
keepalive_timeout 30;
client_body_timeout 10; client_header_timeout 10; send_timeout 10;
upstream myapp{
server 127.0.0.1:5000;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name myapi.com;
ssl_certificate /etc/letsencrypt/live/myapi.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/myapi.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
#Redirects all traffic
location / {
proxy_pass http://myapi;
limit_req zone=one burst=10;
}
}
}
我安装了certbot和certbot-nginx(Ubuntu)。
SSL 工作正常。防火墙仅允许端口 443。
我正在尝试使用以下命令更新 certbot 证书:sudo certbot renew --dry-run
这将尝试通过向以下地址发出请求来验证我是否拥有该域名:http://myapi.com/.well-known/acme-challenge/2d8dvxv8x9dvxd9v(注意:我已经混淆了键值 2d8dvxv8x9dvxd9v,因为这是私密信息)
但这次不行。所以我启用了端口 80,并添加了以下附加服务器项:
server {
listen 80;
server_name myapi.com;
return 301 https://$host$request_uri;
}
现在 certbot renew 命令 ( sudo certbot renew --dry-run) 能够更新证书。奇怪的是,即使我删除了这个服务器块,certbot 更新仍然正常工作。
.well-known/acme-challenge 路径在哪里?它是动态生成/删除的吗?
当我删除端口 80 的服务器块时,nginx 如何能够更新证书(因为它需要端口 80 进行 certbot 挑战)?
答案1
您需要一个允许访问端口 80(http)的防火墙,certbot 将启动一个网络服务器来从您的域提供 acme-challenge 文件。