nginx docker container cannot read certbot certificates

I have installed certbot locally and successfully created certificates for mydomain.blah and site1.mydomain.blah; they are located in /etc/letsencrypt/live/mydomain.blah and /etc/letsencrypt/live/site1.mydomain.blah.

Now I'm trying to use them in an nginx container, so in my docker-compose I mapped a volume like this:

version: '3.4'

services:
  webserver:
    image: nginx
    volumes:
      - ./conf:/etc/nginx/conf.d
      - /etc/letsencrypt/live:/cert
    ports:
      - "80:80"
      - "443:443"

My nginx conf is like this:

server {
    listen       443 ssl;
    server_name  mydomain.blah;

    ssl_certificate /cert/mydomain.blah/fullchain.pem;
    ssl_certificate_key /cert/mydomain.blah/privkey.pem;

    location / {
        proxy_pass http://1.2.3.4:8080;
    }
}

server {
    listen       443 ssl;
    server_name  site1.mydomain.blah;

    ssl_certificate /cert/site1.mydomain.blah/fullchain.pem;
    ssl_certificate_key /cert/site1.mydomain.blah/privkey.pem;

    location / {
        proxy_pass http://4.3.2.1:8080;
    }
}

But when I start docker-compose, nginx exits with the error cannot load certificate "/cert/mydomain.blah/fullchain.pem" because of No such file or directory.

I have tried docker exec-ing into the container, and the folders and their certificates are there as expected, so I don't understand what the problem could be.

I found the problem: docker-compose is not compatible with symlinks, and the /etc/letsencrypt/live folder is symlinked to the /etc/letsencrypt/archive folder:

root@VM-CAMPI:~# ls -la /etc/letsencrypt/live/mydomain.blah/
total 12
drwxr-xr-x 2 root root 4096 Feb 12 11:04 .
drwx------ 3 root root 4096 Feb 12 11:04 ..
-rw-r--r-- 1 root root  692 Feb 12 11:04 README
lrwxrwxrwx 1 root root   38 Feb 12 11:04 cert.pem -> ../../archive/mydomain.blah/cert1.pem
lrwxrwxrwx 1 root root   39 Feb 12 11:04 chain.pem -> ../../archive/mydomain.blah/chain1.pem
lrwxrwxrwx 1 root root   43 Feb 12 11:04 fullchain.pem -> ../../archive/mydomain.blah/fullchain1.pem
lrwxrwxrwx 1 root root   41 Feb 12 11:04 privkey.pem -> ../../archive/mydomain.blah/privkey1.pem

So the solution is simply to mount the volume one folder up:

version: '3.4'

services:
  webserver:
    image: nginx
    volumes:
      - ./conf:/etc/nginx/conf.d
      - /etc/letsencrypt:/cert # <-- here
    ports:
      - "80:80"
      - "443:443"

and set the nginx conf like that:

server {
    listen       443 ssl;
    server_name  mydomain.blah;

    ssl_certificate /cert/live/mydomain.blah/fullchain.pem; # <-- here
    ssl_certificate_key /cert/live/mydomain.blah/privkey.pem; # <-- here

    location / {
        proxy_pass http://1.2.3.4:8080;
    }
}

server {
    listen       443 ssl;
    server_name  site1.mydomain.blah;
 
    ssl_certificate /cert/live/site1.mydomain.blah/fullchain.pem; # <-- here
    ssl_certificate_key /cert/live/site1.mydomain.blah/privkey.pem; # <-- here

    location / {
        proxy_pass http://4.3.2.1:8080;
    }
}