如何从 Nginx 上的 certbot 获取受信任的证书?

How can I get a trusted certificate from certbot on Nginx?

我正尝试在 Laravel Forge 服务器上 运行 Certbot。这是我一直收到的错误

nginx: [emerg] cannot load certificate "/etc/nginx/ssl/mydomain.ca/1263486/server.crt": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) nginx: configuration file /etc/nginx/nginx.conf test failed

根据我的理解,这意味着第一行说的是 BEGIN CERTIFICATE 而不是 TRUSTED CERTIFICATE,我怎样才能获得受信任的证书? Nginix 配置如下。

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/mydomain.ca/before/*;

server {   
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name .mydomain.ca;
    server_tokens off;
    root /home/forge/mydomain.ca/;

# FORGE SSL (DO NOT REMOVE!)
ssl_certificate /etc/nginx/ssl/mydomain.ca/1263486/server.crt;
ssl_certificate_key /etc/nginx/ssl/mydomain.ca/1263486/server.key;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers (MY CIPHER HERE)
ssl_prefer_server_ciphers off;
ssl_dhparam /etc/nginx/dhparams.pem;

add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";

index index.html index.htm index.php;

charset utf-8;

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/mydomain.ca/server/*;

location / {
    try_files $uri $uri/ /index.php?$query_string;
}

location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt  { access_log off; log_not_found off; }

access_log off;
error_log  /var/log/nginx/mydomain.ca-error.log error;

error_page 404 /index.php;

location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
}

location ~ /\.(?!well-known).* {
    deny all;
}
}

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/mydomain.ca/after/*;

您需要按照以下步骤操作:

  1. 安装 certbot 包
  2. 添加一个用于侦听端口 80 的服务器块
server {
    listen 80;
    server_name mydomain.ca;

    location ^~ /.well-known/acme-challenge {
        root /home/forge/certbot;
        default_type "text/plain";
        try_files $uri =404;
     }
}
  1. 修改配置中的证书路径
ssl_certificate /etc/letsencrypt/live/mydomain.ca/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.ca/privkey.pem;
  1. 通过命令检索证书
certbot certonly --cert-name mydomain.ca -d mydomain.ca -d *.mydomain.ca --webroot --webroot-path /home/forge/certbot
  1. 通过命令重新加载 nginx 配置
nginx -t && nginx -s reload
  1. 添加用于更新证书的 cron 任务
0 0 */80 * * certbot renew