基本身份验证的 nginx 配置允许让加密自动更新
nginx configuration for basic auth that allows lets encrypt to auto renew
目前,我可以通过在我的 nginx 配置中保留以下行来成功安装 Let's Encrypt SSL 证书:
location / {
try_files $uri $uri/ /index.php?$query_string;
}
我想在我的网站上启用基本身份验证。以下方法可以很好地做到这一点:
location / {
try_files $uri $uri/ /index.php?$query_string;
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.htpasswd;
}
但是,Let's Encrypt SSL 证书必须每月更新一次。我可以使用 curl 自动执行此更新。但是,Let's Encrypt 沿着包含前缀为
的路由的路由进行回调
/.well-known/acme-challenge/
但是现在,我需要为上面的路由前缀添加一个例外:
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
}
我已经尝试了上述的许多变体,但 none 似乎有效。我无法获得使用上述配置安装的 Let's Encrypt SSL 证书。我什至确定,如果我取消基本身份验证(通过删除以 auth_basic 开头的两行),如果我只有以下内容,则 Let's Encrypt SSL 证书将不会安装:
location ^~ /.well-known/acme-challenge/ {
try_files $uri $uri/ /index.php?$query_string;
}
location / {
try_files $uri $uri/ /index.php?$query_string;
}
我将不胜感激任何建议,以便在启用基本身份验证时回调路由将 运行。我也有兴趣了解为什么我无法使用上面显示的配置安装 Let's Encrypt,其中甚至没有启用基本身份验证。提前致谢。
其他错误日志:
/var/log/nginx# cat cert.dev.farm-error.log.1
2016/03/18 13:12:26 [error] 12336#12336: *1 open() "/home/forge/cert.dev.farm/public/.well-known/acme-challenge/jGhldzH8cV3d666a44nRy-Gzf98m1u2qUbkWnNv0aMI" failed (2: No such file or directory), client: 66.133.109.36, server: cert.dev.farm, request: "GET /.well-known/acme-challenge/jGhldzH8cV3d666a44nRy-Gzf98m1u2qUbkWnNv0aMI HTTP/1.1", host: "cert.dev.farm"
2016/03/18 13:17:09 [error] 13202#13202: *1 open() "/home/forge/cert.dev.farm/.well-known/acme-challenge/k9jsDB_mkvU5UzvL-B7hd3iA90ZTq61OaDNixoeRQuQ" failed (2: No such file or directory), client: 66.133.109.36, server: cert.dev.farm, request: "GET /.well-known/acme-challenge/k9jsDB_mkvU5UzvL-B7hd3iA90ZTq61OaDNixoeRQuQ HTTP/1.1", host: "cert.dev.farm"
2016/03/18 13:17:09 [error] 13202#13202: *1 FastCGI sent in stderr: "Unable to open primary script: /home/forge/cert.dev.farm/index.php (No such file or directory)" while reading response header from upstream, client: 66.133.109.36, server: cert.dev.farm, request: "GET /.well-known/acme-challenge/k9jsDB_mkvU5UzvL-B7hd3iA90ZTq61OaDNixoeRQuQ HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "cert.dev.farm"
2016/03/18 13:23:48 [error] 14522#14522: *1 open() "/home/forge/cert.dev.farm/public/.well-known/acme-challenge/5ZBXFn23tOUPcQFNrI3DqUE-l9x3rmdiOkYwabDl-jk" failed (2: No such file or directory), client: 66.133.109.36, server: cert.dev.farm, request: "GET /.well-known/acme-challenge/5ZBXFn23tOUPcQFNrI3DqUE-l9x3rmdiOkYwabDl-jk HTTP/1.1", host: "cert.dev.farm"
您可能错过了为 /.well-known/acme-challenge
位置块设置的文档根目录。
location ^~ /.well-known/acme-challenge/ {
root /path/to/your/public/directory;
try_files $uri;
auth_basic off;
}
location / {
...
}
你说你可以使用 CURL 自动化它,你看过 list of available clients 了吗?
您可以直接使用cli客户端的更新命令:
➜ sudo letsencrypt renew
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/domain.com.conf
-------------------------------------------------------------------------------
The following certs are not due for renewal yet:
/etc/letsencrypt/live/domain.com/fullchain.pem (skipped)
No renewals were attempted.
目前,我可以通过在我的 nginx 配置中保留以下行来成功安装 Let's Encrypt SSL 证书:
location / {
try_files $uri $uri/ /index.php?$query_string;
}
我想在我的网站上启用基本身份验证。以下方法可以很好地做到这一点:
location / {
try_files $uri $uri/ /index.php?$query_string;
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.htpasswd;
}
但是,Let's Encrypt SSL 证书必须每月更新一次。我可以使用 curl 自动执行此更新。但是,Let's Encrypt 沿着包含前缀为
的路由的路由进行回调/.well-known/acme-challenge/
但是现在,我需要为上面的路由前缀添加一个例外:
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
}
我已经尝试了上述的许多变体,但 none 似乎有效。我无法获得使用上述配置安装的 Let's Encrypt SSL 证书。我什至确定,如果我取消基本身份验证(通过删除以 auth_basic 开头的两行),如果我只有以下内容,则 Let's Encrypt SSL 证书将不会安装:
location ^~ /.well-known/acme-challenge/ {
try_files $uri $uri/ /index.php?$query_string;
}
location / {
try_files $uri $uri/ /index.php?$query_string;
}
我将不胜感激任何建议,以便在启用基本身份验证时回调路由将 运行。我也有兴趣了解为什么我无法使用上面显示的配置安装 Let's Encrypt,其中甚至没有启用基本身份验证。提前致谢。
其他错误日志:
/var/log/nginx# cat cert.dev.farm-error.log.1
2016/03/18 13:12:26 [error] 12336#12336: *1 open() "/home/forge/cert.dev.farm/public/.well-known/acme-challenge/jGhldzH8cV3d666a44nRy-Gzf98m1u2qUbkWnNv0aMI" failed (2: No such file or directory), client: 66.133.109.36, server: cert.dev.farm, request: "GET /.well-known/acme-challenge/jGhldzH8cV3d666a44nRy-Gzf98m1u2qUbkWnNv0aMI HTTP/1.1", host: "cert.dev.farm"
2016/03/18 13:17:09 [error] 13202#13202: *1 open() "/home/forge/cert.dev.farm/.well-known/acme-challenge/k9jsDB_mkvU5UzvL-B7hd3iA90ZTq61OaDNixoeRQuQ" failed (2: No such file or directory), client: 66.133.109.36, server: cert.dev.farm, request: "GET /.well-known/acme-challenge/k9jsDB_mkvU5UzvL-B7hd3iA90ZTq61OaDNixoeRQuQ HTTP/1.1", host: "cert.dev.farm"
2016/03/18 13:17:09 [error] 13202#13202: *1 FastCGI sent in stderr: "Unable to open primary script: /home/forge/cert.dev.farm/index.php (No such file or directory)" while reading response header from upstream, client: 66.133.109.36, server: cert.dev.farm, request: "GET /.well-known/acme-challenge/k9jsDB_mkvU5UzvL-B7hd3iA90ZTq61OaDNixoeRQuQ HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "cert.dev.farm"
2016/03/18 13:23:48 [error] 14522#14522: *1 open() "/home/forge/cert.dev.farm/public/.well-known/acme-challenge/5ZBXFn23tOUPcQFNrI3DqUE-l9x3rmdiOkYwabDl-jk" failed (2: No such file or directory), client: 66.133.109.36, server: cert.dev.farm, request: "GET /.well-known/acme-challenge/5ZBXFn23tOUPcQFNrI3DqUE-l9x3rmdiOkYwabDl-jk HTTP/1.1", host: "cert.dev.farm"
您可能错过了为 /.well-known/acme-challenge
位置块设置的文档根目录。
location ^~ /.well-known/acme-challenge/ {
root /path/to/your/public/directory;
try_files $uri;
auth_basic off;
}
location / {
...
}
你说你可以使用 CURL 自动化它,你看过 list of available clients 了吗?
您可以直接使用cli客户端的更新命令:
➜ sudo letsencrypt renew
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/domain.com.conf
-------------------------------------------------------------------------------
The following certs are not due for renewal yet:
/etc/letsencrypt/live/domain.com/fullchain.pem (skipped)
No renewals were attempted.