时间戳

首页 > 解决方案 > nginx docker 容器无法读取 certbot 证书

nginx - nginx docker 容器无法读取 certbot 证书

问题描述

我已经在本地安装了 certbot 并成功地为 mydomain.blah 和 site1.mydomain.blah 创建了证书,它们位于/etc/letsencrypt/live/mydomain.blah/etc/letsencrypt/live/site1.mydomain.blah

现在我试图在 nginx 容器中使用它们,所以在我的 docker-compose 中,我映射了一个这样的卷:

version '3.4'

services:
  webserver:
    image: nginx
    volumes:
      - ./conf:/etc/nginx/conf.d
      - /etc/letsencrypt/live:/cert
    ports:
      - "80:80"
      - "443:443"

我的 nginx conf 就是这样:

server {
    listen       443 ssl;
    server_name  mydomain.blah;

    ssl_certificate /cert/mydomain.blah/fullchain.pem;
    ssl_certificate_key /cert/mydomain.blah/privkey.pem;

    location / {
        proxy_pass http://1.2.3.4:8080;
    }
}

server {
    listen       443 ssl;
    server_name  site1.mydomain.blah;

    ssl_certificate /cert/site1.mydomain.blah/fullchain.pem;
    ssl_certificate_key /cert/site1.mydomain.blah/privkey.pem;

    location / {
        proxy_pass http://4.3.2.1:8080;
    }
}

但是当我启动我的 docker-compose 时,nginx 退出并出现错误cannot load certificate "/cert/mydomain.blah/fullchain.pem",因为存在No such file or directory.

我尝试将 docker exec 放入容器中,并且文件夹及其证书都按预期存在,所以我不明白可能是什么问题

标签: nginxssldocker-composelets-encryptcertbot

解决方案

我发现了问题: docker-compose 无法与符号链接相处,并且/etc/letsencrypt/live文件夹符号链接到/etc/letsencrypt/archive那些:

root@VM-CAMPI:~# ls -la /etc/letsencrypt/live/mydomain.blah/
total 12
drwxr-xr-x 2 root root 4096 Feb 12 11:04 .
drwx------ 3 root root 4096 Feb 12 11:04 ..
-rw-r--r-- 1 root root  692 Feb 12 11:04 README
lrwxrwxrwx 1 root root   38 Feb 12 11:04 cert.pem -> ../../archive/mydomain.blah/cert1.pem
lrwxrwxrwx 1 root root   39 Feb 12 11:04 chain.pem -> ../../archive/mydomain.blah/chain1.pem
lrwxrwxrwx 1 root root   43 Feb 12 11:04 fullchain.pem -> ../../archive/mydomain.blah/fullchain1.pem
lrwxrwxrwx 1 root root   41 Feb 12 11:04 privkey.pem -> ../../archive/mydomain.blah/privkey1.pem

所以解决方案只是安装第一卷文件夹:

version '3.4'

services:
  webserver:
    image: nginx
    volumes:
      - ./conf:/etc/nginx/conf.d
      - /etc/letsencrypt:/cert # <-- here
    ports:
      - "80:80"
      - "443:443"

并像这样设置 che nginx conf

server {
    listen       443 ssl;
    server_name  mydomain.blah;

    ssl_certificate /cert/live/mydomain.blah/fullchain.pem; # <-- here
    ssl_certificate_key /cert/live/mydomain.blah/privkey.pem; # <-- here

    location / {
        proxy_pass http://1.2.3.4:8080;
    }
}

server {
    listen       443 ssl;
    server_name  site1.mydomain.blah;
 
    ssl_certificate /cert/live/site1.mydomain.blah/fullchain.pem; # <-- here
    ssl_certificate_key /cert/live/site1.mydomain.blah/privkey.pem; # <-- here

    location / {
        proxy_pass http://4.3.2.1:8080;
    }
}

推荐阅读