cron jobs for let's encrypt ssl renewal with mongod on nginx
Following this guide, I have a Parse Server up and running on DigitalOcean.
When configuring the mongo database for the migration, you run this command:
sudo cat /etc/letsencrypt/archive/domain_name/{fullchain1.pem,privkey1.pem} | sudo tee /etc/ssl/mongo.pem
After that the tutorial says:
You will have to repeat the above command after renewing your Let's Encrypt certificate. If you configure auto-renewal of the Let's Encrypt certificate, remember to include this operation.
To do this, I added a cronjob to my let's encrypt cronjobs, like so:
30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
33 2 * * 1 cat /etc/letsencrypt/archive/DOMAIN/{fullchain1.pem,privkey1.pem} | tee /etc/ssl/mongo.pem
35 2 * * 1 /etc/init.d/nginx reload
But after the server restarted on Monday, mongod could not start because it could not find/read /etc/ssl/mongo.pem.
How do I set this up correctly? Do I need to chown/chmod the file in another cronjob?
Thanks for your help!
OK, here is what I ended up with.
I wrote a small script:
#!/bin/bash
# combine letsencrypt files for mongo (redirect instead of tee, so the private key is not echoed into the cron mail/log)
cat /etc/letsencrypt/archive/DOMAIN/{fullchain1.pem,privkey1.pem} > /etc/ssl/mongo.pem
# set rights for mongo.pem
chmod 600 /etc/ssl/mongo.pem
chown mongodb:mongodb /etc/ssl/mongo.pem
# restart mongo
/sbin/restart mongod
and start it with a cron job:
30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
33 2 * * 1 /bin/bash /root/myScript
35 2 * * 1 /etc/init.d/nginx reload
I had problems running the script above. Unfortunately, let's encrypt does not overwrite fullchain and privkey; instead it adds a new version when the certificate is renewed:
fullchain2.pem
privkey2.pem
So I had to modify the script accordingly. I also put the renewal and the nginx part inside it, so only one cronjob is needed:
#!/bin/bash
# new files are created 0600 from the start, so the private key is never world-readable, not even briefly
umask 077
# stop nginx
/etc/init.d/nginx stop
# check for new cert
/opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
# combine latest letsencrypt files for mongo
# find latest fullchain*.pem (live/ holds symlinks that always point at the newest archive/ version)
newestFull=$(ls -v /etc/letsencrypt/live/DOMAIN/fullchain*.pem | tail -n 1)
echo "$newestFull"
# find latest privkey*.pem
newestPriv=$(ls -v /etc/letsencrypt/live/DOMAIN/privkey*.pem | tail -n 1)
echo "$newestPriv"
# combine to mongo.pem (plain cat with quoted paths; redirect instead of tee so the key is not echoed into the cron mail/log)
cat "$newestFull" "$newestPriv" > /etc/ssl/mongo.pem
# set rights for mongo.pem
chmod 600 /etc/ssl/mongo.pem
chown mongodb:mongodb /etc/ssl/mongo.pem
# restart mongo
/sbin/restart mongod
# start nginx
/etc/init.d/nginx start