如何从 Nginx 上的 certbot 获取受信任的证书?
How can I get a trusted certificate from certbot on Nginx?
我正尝试在 Laravel Forge 服务器上 运行 Certbot。这是我一直收到的错误
nginx: [emerg] cannot load certificate
"/etc/nginx/ssl/mydomain.ca/1263486/server.crt":
PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM
routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) nginx:
configuration file /etc/nginx/nginx.conf test failed
根据我的理解,这意味着第一行说的是 BEGIN CERTIFICATE 而不是 TRUSTED CERTIFICATE,我怎样才能获得受信任的证书? Nginix 配置如下。
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/mydomain.ca/before/*;
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name .mydomain.ca;
server_tokens off;
root /home/forge/mydomain.ca/;
# FORGE SSL (DO NOT REMOVE!)
ssl_certificate /etc/nginx/ssl/mydomain.ca/1263486/server.crt;
ssl_certificate_key /etc/nginx/ssl/mydomain.ca/1263486/server.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers (MY CIPHER HERE)
ssl_prefer_server_ciphers off;
ssl_dhparam /etc/nginx/dhparams.pem;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
index index.html index.htm index.php;
charset utf-8;
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/mydomain.ca/server/*;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log off;
error_log /var/log/nginx/mydomain.ca-error.log error;
error_page 404 /index.php;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /\.(?!well-known).* {
deny all;
}
}
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/mydomain.ca/after/*;
您需要按照以下步骤操作:
- 安装 certbot 包
- 添加一个用于侦听端口 80 的服务器块
server {
listen 80;
server_name mydomain.ca;
location ^~ /.well-known/acme-challenge {
root /home/forge/certbot;
default_type "text/plain";
try_files $uri =404;
}
}
- 修改配置中的证书路径
ssl_certificate /etc/letsencrypt/live/mydomain.ca/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.ca/privkey.pem;
- 通过命令检索证书
certbot certonly --cert-name mydomain.ca -d mydomain.ca -d *.mydomain.ca --webroot --webroot-path /home/forge/certbot
- 通过命令重新加载 nginx 配置
nginx -t && nginx -s reload
- 添加用于更新证书的 cron 任务
0 0 */80 * * certbot renew
我正尝试在 Laravel Forge 服务器上 运行 Certbot。这是我一直收到的错误
nginx: [emerg] cannot load certificate "/etc/nginx/ssl/mydomain.ca/1263486/server.crt": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) nginx: configuration file /etc/nginx/nginx.conf test failed
根据我的理解,这意味着第一行说的是 BEGIN CERTIFICATE 而不是 TRUSTED CERTIFICATE,我怎样才能获得受信任的证书? Nginix 配置如下。
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/mydomain.ca/before/*;
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name .mydomain.ca;
server_tokens off;
root /home/forge/mydomain.ca/;
# FORGE SSL (DO NOT REMOVE!)
ssl_certificate /etc/nginx/ssl/mydomain.ca/1263486/server.crt;
ssl_certificate_key /etc/nginx/ssl/mydomain.ca/1263486/server.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers (MY CIPHER HERE)
ssl_prefer_server_ciphers off;
ssl_dhparam /etc/nginx/dhparams.pem;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
index index.html index.htm index.php;
charset utf-8;
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/mydomain.ca/server/*;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log off;
error_log /var/log/nginx/mydomain.ca-error.log error;
error_page 404 /index.php;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /\.(?!well-known).* {
deny all;
}
}
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/mydomain.ca/after/*;
您需要按照以下步骤操作:
- 安装 certbot 包
- 添加一个用于侦听端口 80 的服务器块
server {
listen 80;
server_name mydomain.ca;
location ^~ /.well-known/acme-challenge {
root /home/forge/certbot;
default_type "text/plain";
try_files $uri =404;
}
}
- 修改配置中的证书路径
ssl_certificate /etc/letsencrypt/live/mydomain.ca/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.ca/privkey.pem;
- 通过命令检索证书
certbot certonly --cert-name mydomain.ca -d mydomain.ca -d *.mydomain.ca --webroot --webroot-path /home/forge/certbot
- 通过命令重新加载 nginx 配置
nginx -t && nginx -s reload
- 添加用于更新证书的 cron 任务
0 0 */80 * * certbot renew