nginx container cannot see the certificate in shared certbot volume

Question

So I have certbot run as a container and create a normal and a wildcard certificate with the following command

sudo docker run -it --rm --name certbot -v certbot_certs:/etc/letsencrypt -v /var/www/certbot:/var/www/certbot -v ~/.secrets/certbot:/.secrets/certbot certbot/dns-digitalocean certonly --dns-digitalocean --dns-digitalocean-credentials /.secrets/certbot/do.ini --server https://acme-v02.api.letsencrypt.org/directory --email xxxxxxxxxxxxxxxxxxxx --agree-tos --no-eff-email -d <domain> -d *.<domain>

the operation is successful as shown in the terminal result

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/<domain>/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/<domain>/privkey.pem
This certificate expires on 2023-10-08.
These files will be updated when the certificate renews.

my docker-compose.yml has this declared in the config of the nginx container

      volumes:
        - certbot_certs:/etc/nginx/ssl:ro
        - /var/www/certbot:/var/www/certbot:ro

and the nginx.conf contains

server {
    listen 443 ssl http2;

    server_name geokotze.dev www.geokotze.dev;

    ssl_certificate /etc/nginx/ssl/live/<domain>/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/<domain>/privkey.pem;

    location / {
        root /usr/share/nginx/html;
        index index.html;
    }
}

a check of the certbot_certs volume tree shows the certificates under /live/<domain>/

So from what I understand this should work.

And yet I get the error

[emerg] 1#1: cannot load certificate "/etc/nginx/ssl/live/<domain>/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/nginx/ssl/live/<domain>/fullchain.pem, r) error:10000080:BIO routines::no such file)

I am too dumb and tired (currently working 10-hour kitchen shifts trying to become a dev) to keep trying to figure this out on my own. Before I tried to run it with compose it worked, so I am sure I fucked something in the compose.yml but I can't figure out what.

Help me fellow nerds. Please.

Also any tips are valued and would not be taken as condescending.

<3

I was expecting it to work, and if I spend more time troubleshooting instead of sleeping the chef will add me to the sauce.

Answer 1

Score: 2


If you've worked with docker-compose, you are probably familiar with the fact that service names in your docker-compose.yaml are modified (by adding a project prefix and an instance number) to form container names. That is, if I have the following docker-compose.yaml in a directory named example:

services:
    web:
      image: alpinelinux/darkhttpd

Then I end up with:

$ docker ps --format='{{ .Names }}'
example-web-1

The same thing happens for volumes. If I have:

services:
    web:
      image: alpinelinux/darkhttpd
      volumes:
        - certbot_certs:/etc/nginx/ssl

volumes:
  certbot_certs:

Then I end up with:

$ docker volume ls
DRIVER    VOLUME NAME
local     example_certbot_certs

In other words, the certbot_certs volume in your docker-compose.yaml file is not the same as the volume you created with your docker run command line.

If you want your compose stack to refer to an existing volume, you need to mark the volume as external, like this:

services:
    web:
      image: alpinelinux/darkhttpd
      volumes:
        - certbot_certs:/etc/nginx/ssl

volumes:
  certbot_certs:
    external: true
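The naming rule above can be checked mechanically before a stack is started. The script below is an added example, not code from the answer or from Docker Compose itself: it takes a compose document in the shape `yaml.safe_load` would return (constructed inline here as Python dicts, so it runs offline without PyYAML) together with the project name (the directory name, as in the answer), and predicts the volume name `docker volume ls` will show for every named-volume mount. It applies the answer's rule (`<project>_<key>` unless the volume is marked `external: true`) and, going a little beyond the answer, also honours the Compose spec's explicit `name:` key. `check_shared_volume` then reports any service whose mount would land on a fresh, empty project-prefixed volume instead of the one created with `docker run -v`, which is exactly why nginx sees an empty `/etc/nginx/ssl` and fails with `No such file or directory`.

```python
"""Predict the Docker volume names a Compose file will actually use.

Added example, not from the question or the answer. Rule implemented:
a named volume declared under top-level `volumes:` becomes
`<project>_<key>` unless it is marked `external: true` (or given an
explicit `name:`), in which case Compose uses that name as-is.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Short-syntax sources that are bind mounts rather than named volumes.
BIND_PREFIXES = ("/", "./", "../", "~")


@dataclass(frozen=True)
class VolumeRef:
    service: str       # service that mounts the volume
    key: str           # source name as written in the service's volumes list
    target: str        # mount path inside the container
    docker_name: str   # name `docker volume ls` will show
    external: bool     # True when Compose will not create or prefix it


def effective_volume_name(project: str, key: str,
                          decl: Optional[dict]) -> Tuple[str, bool]:
    """Return (docker volume name, is_external) for one top-level volume entry."""
    decl = decl or {}
    ext = decl.get("external")
    if ext:
        # legacy form: `external: {name: ...}`; modern form: `external: true` + `name:`
        if isinstance(ext, dict) and ext.get("name"):
            return ext["name"], True
        return decl.get("name", key), True
    if decl.get("name"):
        return decl["name"], False
    return f"{project}_{key}", False


def resolve_volumes(project: str, compose: dict) -> List[VolumeRef]:
    """List every named-volume mount in the stack with its effective Docker name."""
    declared: Dict[str, Optional[dict]] = compose.get("volumes") or {}
    refs = []
    for svc_name, svc in (compose.get("services") or {}).items():
        for mount in svc.get("volumes") or []:
            # short syntax SOURCE:TARGET[:MODE]; skip bind mounts
            source, target = mount.split(":")[:2]
            if source.startswith(BIND_PREFIXES):
                continue
            name, ext = effective_volume_name(project, source, declared.get(source))
            refs.append(VolumeRef(svc_name, source, target, name, ext))
    return refs


def check_shared_volume(project: str, compose: dict, existing_volume: str) -> List[str]:
    """Report mounts that will NOT hit the pre-existing volume `docker run -v` created."""
    declared = compose.get("volumes") or {}
    problems = []
    for ref in resolve_volumes(project, compose):
        if ref.key != existing_volume:
            continue
        if ref.key not in declared:
            # Compose refuses to start a service that uses an undeclared named volume
            problems.append(f"{ref.service}: '{ref.key}' is not declared under top-level volumes")
        elif ref.docker_name != existing_volume:
            problems.append(
                f"{ref.service}: '{ref.key}' resolves to Docker volume "
                f"'{ref.docker_name}', not '{existing_volume}'; "
                f"add 'external: true' under volumes.{ref.key}"
            )
    return problems


# Constructed compose data mirroring the question: volume declared, not external.
BROKEN = {
    "services": {"nginx": {"image": "nginx", "volumes": [
        "certbot_certs:/etc/nginx/ssl:ro",
        "/var/www/certbot:/var/www/certbot:ro",
    ]}},
    "volumes": {"certbot_certs": None},
}

# The same stack with the answer's fix applied.
FIXED = {
    "services": BROKEN["services"],
    "volumes": {"certbot_certs": {"external": True}},
}

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN), ("fixed", FIXED)):
        for ref in resolve_volumes("example", doc):
            print(f"{label}: {ref.service} mounts {ref.key} -> {ref.docker_name}")
        print(f"{label}:", check_shared_volume("example", doc, "certbot_certs") or "OK")
```

With the constructed `BROKEN` document the check flags the nginx service and points at `volumes.certbot_certs`; with `FIXED` it reports nothing. After applying the fix, `docker volume ls` should show a single `certbot_certs` volume rather than a second, project-prefixed copy, and listing `/etc/nginx/ssl/live` from inside the nginx container is a quick way to confirm the mount is the populated one.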

huangapple
  • Posted on 11 July 2023, 06:39:32
  • Please keep the link to this article when reposting: https://go.coder-hub.com/76657740.html