向NGINX docker容器添加SSL证书
我正在尝试将SSL证书(用LetsEncrypt生成)添加到我的nginx中。nginx是从docker-compose文件构建的,我在其中创建了一个从主机到容器的卷,以便容器可以访问证书和私钥。
volumes:
- /etc/nginx/certs/:/etc/nginx/certs/当nginx容器启动并失败并出现以下错误时
[emerg] 1#1: BIO_new_file("/etc/nginx/certs/fullchain.pem") failed
(SSL: error:02001002:system library:fopen:No such file or
directory:fopen('/etc/nginx/certs/fullchain.pem','r')
error:2006D080:BIO routines:BIO_new_file:no such file)我的nginx配置文件如下所示:
server {
listen 80;
server_name server_blah www.server_blah;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name server_blah;
ssl_certificate /etc/nginx/certs/fullchain.pem;
ssl_certificate_key /etc/nginx/certs/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
}我遗漏了/做错了什么?
回答 3
Stack Overflow用户
发布于 2018-07-20 01:04:58
最终破解了这一点,并能够成功地在我的开发和生产网站上重复这个过程,以使SSL证书工作!
很抱歉这篇文章太长了!
在我的设置中,我有一个ubuntu 16机器上的docker docker-compose设置。
遇到此问题的任何人,我将详细介绍我所做的步骤。
- 转到代码所在的目录
cd /opt/example_dir/
- Make一个letsencrypt的目录和它的站点。
letsencrypt目录中的sudo mkdir -p /opt/example_dir/letsencrypt/letsencrypt-site
- Create barebones -Compose.yml文件。
sudo nano /opt/example_dir/letsencrypt/docker-compose.yml
添加以下内容:
version: '2'
services:
image: nginx:latest
ports:
- "80:80"
volumes:
- ./nginx.conf:/etc/nginx/conf.d/default.conf
- ./letsencrypt-site:/usr/share/nginx/html
networks:
- docker-network
networks:
docker-network:
driver: bridge
* This will pull down the latest nginx version
* Expose port 80
* Mount a config file (that i'll create later)
* Maps the site directory so that we can have a simple test index.html for when 我们启动简单的nginx容器。
- 在
/opt/example_dir/letsencrypt中创建nginx.conf文件
sudo nano /opt/example_dir/letsencrypt/nginx.conf
将以下内容放入其中
server {
listen 80;
listen [::]:80;
server_name example_server.com;
location ~ /.well-known/acme-challenge {
allow all;
root /usr/share/nginx/html;
}
root /usr/share/nginx/html;
index index.html;
}
* This listens for requests on port 80 for the server with name example_server.com
* Gives the Certbot agent access to ./well-known/acme-challenge
* Sets the default root and file接下来,在/opt/example_dir/letsencrypt/letsencrypt-site中创建一个
- 文件
sudo nano /opt/example_dir/letsencrypt/letsencrypt-site/index.html
在其中添加以下内容
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<title>LetsEncrypt Setup</title>
</head>
<body>
<p>Test file for our http nginx server</p>
</body>
</html>####所有的部件都放在基本的nginx容器中!
- 现在我们启动nginx容器。
cd /opt/example_dir/letsencrypt sudo docker-compose up -d
nginx容器现在已经启动并运行,访问您定义的url,您应该会得到测试index.html页面。此时,我们已经准备好运行certbot命令来生成一些证书
- 运行以下命令生成证书,将
--email替换为您的电子邮件
sudo /docker-volumes/etc/letsencrypt:/etc/letsencrypt运行/docker-volumes/var/lib/letsencrypt:/var/lib/letsencrypt --rm \ -v /docker-volumes/etc/letsencrypt:/etc/letsencrypt\certbot\ -v docker \ -v /opt/example_dir/letsencrypt/letsencrypt-site:/data/letsencrypt \ certbot/certbot \ certonly --webroot \ -v -it -v-v--no-v数据\--webroot- -email =/data/letsencrypt\ -d example.com
- Run docker in interactive mode so you can see the output.
- When its finished generating certs it will remove itself.
- It will mount 4 volumes:
1. The letsencrypt folder where the certs are stored/
2. A lib folder
3. Maps our site folder
4. Maps a logging path
- It agrees to ToS
- Specifies the root webpath
- Specify the server address you want to generate certs for.
如果该命令运行正常,那么我们已经为此web服务器生成了证书。我们现在可以在生产站点中使用这些证书,并将nginx配置为使用ssl并使用这些证书!
- 关闭了nginx容器
cd /opt/example_dir/letsencrypt/ sudo docker-compose down
设置生产nginx容器
目录结构现在应该如下所示。其中你有你的代码/ web应用程序项目,然后是我们上面创建的letsencrypt文件夹。
/opt/example_dir
/ -> project_folder
/ -> letsencrypt参数创建名为dh-
- 的文件夹
sudo mkdir -p /opt/example_dir/project_folder/dh-param
- Generate a dh key
/opt/example_dir/project_folder中的sudo openssl dhparam -out /opt/example_dir/project_folder/dh-param/dhparam-2048.pem 2048
- 更新docker-compose.yml和nginx.conf文件
project_folder是我的源代码所在的位置,所以我在这里为nginx创建了一个生产配置文件,并更新了docker-compose.yml以挂载我的nginx配置、dh-pharam交换密钥以及我们之前创建的证书本身。
docker-compose中的nginx服务
nginx:
image: nginx:1.11.3
restart: always
ports:
- "80:80"
- "443:443"
- "8000:8000"
volumes:
- ./nginx.conf:/etc/nginx/conf.d/default.conf
- ./dh-param/dhparam-2048.pem:/etc/ssl/certs/dhparam-2048.pem
- /docker-volumes/etc/letsencrypt/live/exampleserver.com/fullchain.pem:/etc/letsencrypt/live/exampleserver.com/fullchain.pem
- /docker-volumes/etc/letsencrypt/live/exampleserver.com/privkey.pem:/etc/letsencrypt/live/exampleserver.com/privkey.pem
networks:
- docker-network
volumes_from:
- flask
depends_on:
- flask
- falcon
links:
- datastoreproject_folder中的nginx.conf
error_log /var/log/nginx/error.log warn;
server {
listen 80;
listen [::]:80;
server_name exampleserver.com
location / {
rewrite ^ https://$host$request_uri? permanent;
}
#for certbot challenges (renewal process)
location ~ /.well-known/acme-challenge {
allow all;
root /data/letsencrypt;
}
}
#https://exampleserver.com
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name exampleserver.com;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/exampleserver.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/exampleserver.com/privkey.pem;
ssl_buffer_size 8k;
ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;
# Define the specified charset to the “Content-Type” response header field
charset utf-8;
}在这一点上一切都准备好了!(最后)
- 启动码头容器。
cd /opt/example_dir/project_folder sudo docker-compose up -d #使用以下命令检查docker日志: sudo docker logs -f -t
我知道这需要很多步骤,但这就是我所做的,它对我很有效,希望它能帮助其他人。
Stack Overflow用户
发布于 2020-09-15 16:06:15
我的解决方案是:
我通过以下方式将/etc/letsencrypt/live/mydomain.com/映射到/etc/nginx/certs/:
volumes:
- /etc/letsencrypt/live/mydomain.com/:/etc/nginx/certs/在本例中,它映射了软符号链接。
lrwxrwxrwx 1 root root 38 Sep 15 00:21 chain.pem -> ../../archive/mydomain.com/chain1.pem
lrwxrwxrwx 1 root root 42 Sep 15 00:21 fullchain.pem -> ../../archive/mydomain.com/fullchain1.pem
lrwxrwxrwx 1 root root 40 Sep 15 00:21 privkey.pem -> ../../archive/mydomain.com/privkey1.pem最后,我按如下方式更改了volume部分:
volumes:
- /etc/letsencrypt/archive/mydomain.com/:/etc/nginx/certs/Stack Overflow用户
发布于 2018-07-19 15:54:05
我现在也有同样的问题。相同的错误代码。
我在我的.pem文件上尝试了不同的方法:
将权限(chmod)更改为:
- 777
- 755
- 600
的
- 将所有者(chown)更改为:
- nginx (在chown中定义的用户
将位置更改为:
- /etc/ssl/certs
- /etc/nginx/ssl
- /etc/letsencrypt/live
的
- 将扩展坞挂载更改为:
- ro docker
不幸的是,这些解决方案对我来说都不起作用。
当我连接到容器终端时,即使我能够列出(ls)这些文件,nginx看起来也无法找到这些文件。
为了给出更多细节,我在Synology DS918+网络连接服务器上运行Docker。
我希望这将有助于找到解决方案!我将尝试和尝试各种事情,如果我设法让它工作,我会回来的!
https://stackoverflow.com/questions/51399883
复制相似问题
腾讯云开发者
