Please forgive the long write-up; I really appreciate any help on this.
I am trying to set up multi-tenant subdomains + custom domains with SSL, using Let's Encrypt:
(some tenants will use subdomains, some will use custom domains)
https://customer1.myapp.com
https://customer2.myapp.com
https://customer1.com (customer sets up A/CNAME records at his DNS provider)
I am using an EC2 instance running Ubuntu with the username 'ubuntu'.
I learned from the following tutorial:
https://sandro-keil.de/blog/openresty-nginx-with-auto-generated-ssl-certificate-from-lets-encrypt/
I have successfully done the following:
This is my startup file (/usr/local/openresty/nginx/conf/nginx.conf)
(I will refine it further to meet my redirect and security needs)
```nginx
#user nginx;
error_log /usr/local/openresty/nginx/logs/error.log warn;

events {
    worker_connections 1024;
}

http {
    lua_shared_dict auto_ssl 1m;
    lua_shared_dict auto_ssl_settings 64k;

    init_by_lua_block {
        auto_ssl = (require "resty.auto-ssl").new()
        auto_ssl:set("allow_domain", function(domain)
            return true
        end)
        auto_ssl:set("dir", "/etc/resty-auto-ssl")
        auto_ssl:init()
    }

    init_worker_by_lua_block {
        auto_ssl:init_worker()
    }

    # access_log /usr/local/openresty/nginx/logs/access.log main;

    server {
        listen 443 ssl;
        ssl_certificate_by_lua_block {
            auto_ssl:ssl_certificate()
        }
        ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
        ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;

        root /var/www/myapp.com/public;
        index index.php index.html index.htm;

        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }

        # location ~ \.php$ {
        #     include snippets/fastcgi-php.conf;
        #     fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        #     fastcgi_read_timeout 600;
        # }

        location ~ /\.ht {
            deny all;
        }
    }

    server {
        listen 80;
        server_name *.myapp.com myapp.com;

        location /.well-known/acme-challenge/ {
            content_by_lua_block {
                auto_ssl:challenge_server()
            }
        }

        location / {
            return 301 https://myapp.com$request_uri;
        }
    }

    server {
        listen 8999;
        location / {
            content_by_lua_block {
                auto_ssl:hook_server()
            }
        }
    }
}
```
I am facing multiple issues, such as:
- Trying to mention the user in the 1st line of the config file gives me an error.
- So I commented it out and tried to carry on anyway.
- I keep getting the following error in my log: `lets_encrypt.lua:40: issue_cert(): auto-ssl: dehydrated failed: env HOOK_SECRET=XXXX HOOK_SERVER_PORT=8999 /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated --cron --accept-terms --no-lock --domain myapp.com --challenge http-01 --config /etc/resty-auto-ssl/letsencrypt/config --hook /usr/local/openresty/luajit/bin/resty-auto-ssl/letsencrypt_hooks status: 256 out: # INFO: Using main config file /etc/resty-auto-ssl/letsencrypt/config`
- But it still goes on & does create a certificate, after which it gives a random number generator error.
- Sometimes, if I delete everything inside `/etc/resty-auto-ssl`, it doesn't give me such errors.
- I keep getting the following error in my log: `Can't load ./.rnd into RNG random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:98:Filename=./.rnd curl: (22) The requested URL returned error: 500 Internal Server Error`
- I have properly installed php-fpm and have tested it when using nginx standalone.
- But now that I am using the nginx provided with openresty, it doesn't seem to work.
- Error (shown when testing the config using the `nginx -t` command): `"/usr/local/openresty/nginx/conf/snippets/fastcgi-php.conf" failed (2: No such file or directory)`
- Sometimes this error is followed by the error in point number 2 above:
```text
auto-ssl: could not get certificate for myapp.com - using fallback - failed to get or issue certificate, context: ssl_certificate_by_lua*, client: 123.201.226.209, server: 0.0.0.0:443
set_response_cert(): auto-ssl: failed to set ocsp stapling for xxxx.myapp.com - continuing anyway - failed to get ocsp response: OCSP responder query failed (http://ocsp.int-x3.letsencrypt.org): no resolver defined to resolve "ocsp.int-x3.letsencrypt.org", context: ssl_certificate_by_lua*, client: 123.201.226.209, server: 0.0.0.0:443
connect() to unix:/run/php/php7.4-fpm.sock failed (13: Permission denied) while connecting to upstream, client: 123.201.226.209, server: , request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.4-fpm.sock:", host: "xxxx.myapp.com"
"Error creating new order :: Cannot issue for \"X.X.X.X\": The ACME server can not issue a certificate for an IP address"
ssl_certificate.lua:281: auto-ssl: could not determine domain for request (SNI not supported?) - using fallback - , context: ssl_certificate_by_lua*, client: 45.148.10.72, server: 0.0.0.0:443
```
- ... where x.x.x.x is the A record for customer1.com, which was opened from a browser
I am confused about the following:
- This covers all my subdomains and I won't have to deal with Let's Encrypt limits on subdomains.
- This way I only have to use Let's Encrypt for custom domains like customer1.com.
- Redirect [http://myapp.com](http://myapp.com/) & [http://www.myapp.com](http://www.myapp.com/) to -> [https://myapp.com](https://myapp.com/)
- Redirect [https://www.myapp.com](https://www.myapp.com/) to -> [https://myapp.com](https://myapp.com/)
- Redirect [http://customer1.com](http://customer1.com/) & [http://www.customer1.com](http://www.customer1.com/) to -> [https://customer1.com](https://customer1.com/)
- And then on my actual SSL server block, write all the logic for auto SSL generation.
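Added example, not code from the question or from the lua-resty-auto-ssl project: a stricter `allow_domain` callback that can replace the one in the `init_by_lua_block` above. Returning `true` for every name is what lets a request carrying an IP literal or an unregistered hostname reach dehydrated at all (the "Cannot issue for X.X.X.X" error), and each such attempt counts against Let's Encrypt failed-validation limits. It assumes a constructed table of tenant custom domains standing in for a tenant-database lookup.

```lua
-- Constructed example, not from the question or the lua-resty-auto-ssl project.
-- Drop-in replacement for the allow_domain callback in init_by_lua_block.
-- Assumption: tenant custom domains live in this table; a real deployment
-- would look them up in the tenant database and cache the answer.

local base_domain = "myapp.com"
local escaped_base = base_domain:gsub("%.", "%%.")   -- "myapp%.com" for Lua patterns

-- Constructed sample of custom domains that tenants have registered with the app.
local custom_domains = {
    ["customer1.com"] = true,
    ["www.customer1.com"] = true,
}

-- The ACME server cannot issue for IP literals; refuse them up front instead
-- of spawning dehydrated for each one and burning failed-validation quota.
local function is_ip_literal(name)
    return name:match("^%d+%.%d+%.%d+%.%d+$") ~= nil or name:find(":", 1, true) ~= nil
end

-- Accept only RFC 1123-style hostnames: alphanumeric labels, hyphens inside
-- labels only, no empty labels, at most 253 characters overall.
local function is_valid_hostname(name)
    if #name == 0 or #name > 253 or name:find("..", 1, true) then return false end
    if name:sub(1, 1) == "." or name:sub(-1) == "." then return false end
    for label in name:gmatch("[^.]+") do
        if #label > 63 or not label:match("^%w[%w%-]*$") or label:sub(-1) == "-" then
            return false
        end
    end
    return true
end

local function allow_domain(domain)
    domain = string.lower(domain or "")
    if not is_valid_hostname(domain) or is_ip_literal(domain) then
        ngx.log(ngx.WARN, "auto-ssl: refusing issuance for '", domain, "'")
        return false
    end
    -- Tenant subdomains: the apex plus exactly one label under myapp.com.
    if domain == base_domain or domain:match("^[%w%-]+%." .. escaped_base .. "$") then
        return true
    end
    -- Custom domains: only names a tenant has actually registered, so a stranger
    -- pointing an A record at this server cannot make it request certificates.
    return custom_domains[domain] == true
end
auto_ssl:set("allow_domain", allow_domain)
```

The callback runs inside `ssl_certificate_by_lua`, so a database lookup here must use a non-blocking client (for example lua-resty-mysql) rather than LuaSocket.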
Posted on 2020-06-27 22:15:35
It is a bit difficult to answer all of these, so I will try to answer part of 5 & 6. I have this set up in a prod environment; see the link.

```nginx
# A DNS resolver must be defined for OCSP stapling to function.
resolver 172.20.0.10 ipv6=off;
```

Regarding question 6, I would suggest that customer1.com should be a CNAME to myapp.com.

I would also suggest using the openresty image as a base, or at least reverse-engineering the Docker image onto the EC2 instance. Here is my Dockerfile:

```dockerfile
FROM openresty/openresty:latest-xenial
RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-auto-ssl
RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-http
RUN apt-get update
RUN apt-get install -y dnsutils
RUN openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -subj '/CN=sni-support-required-for-valid-ssl' -keyout /etc/ssl/resty-auto-ssl-fallback.key -out /etc/ssl/resty-auto-ssl-fallback.crt
ADD nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
```

Hope this helps.
https://stackoverflow.com/questions/61349531