我已经在this guide之后启动并在数字海洋上运行解析服务器。 配置mongo db进行迁移时,请执行以下命令:
sudo cat /etc/letsencrypt/archive/domain_name/{fullchain1.pem,privkey1.pem} | sudo tee /etc/ssl/mongo.pem
之后教程说:
续订Let's Encrypt证书后,您必须重复上述命令。如果您配置Let的加密证书的自动续订,请记住包括此操作。
为了做到这一点,我在我的let的加密cronjobs中添加了一个cronjob,如下所示:
30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
33 2 * * 1 cat /etc/letsencrypt/archive/DOMAIN/{fullchain1.pem,privkey1.pem} | tee /etc/ssl/mongo.pem
35 2 * * 1 /etc/init.d/nginx reload
然而,在星期一重新启动服务器后,mongod将无法启动,因为它无法找到/读取/etc/ssl/mongo.pem。
如何正确设置?我是否需要在另一个cronjob中chown / chmod该文件?
感谢您的帮助!
答案 0 :(得分:8)
我遇到了上面脚本的问题。不幸的是,让我们加密dons不会覆盖fullchain和privkey,但在证书需要续订时添加新版本:
fullchain2.pem
privkey2.pem
所以我必须相应地改变脚本。我还将更新和nginx部分放在里面,所以我们只需要一个cronjob:
#!/bin/bash
# stop nginx
/etc/init.d/nginx stop
# check for new cert
/opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
# combine latest letsencrypt files for mongo
# find latest fullchain*.pem
newestFull=$(ls -v /etc/letsencrypt/live/DOMAIN/fullchain*.pem | tail -n 1)
echo "$newestFull"
# find latest privkey*.pem
newestPriv=$(ls -v /etc/letsencrypt/live/DOMAIN/privkey*.pem | tail -n 1)
echo "$newestPriv"
# combine to mongo.pem
cat {$newestFull,$newestPriv} | tee /etc/ssl/mongo.pem
# set rights for mongo.pem
chmod 600 /etc/ssl/mongo.pem
chown mongodb:mongodb /etc/ssl/mongo.pem
# restart mongo
/sbin/restart mongod
# start nginx
/etc/init.d/nginx start
答案 1 :(得分:3)
好的,所以这就是我最终的结果。 我写了一个小脚本:
#!/bin/bash
# combine letsencrypt files for mongo
cat /etc/letsencrypt/archive/DOMAIN/{fullchain1.pem,privkey1.pem} | tee /etc/ssl/mongo.pem
# set rights for mongo.pem
chmod 600 /etc/ssl/mongo.pem
chown mongodb:mongodb /etc/ssl/mongo.pem
# restart mongo
/sbin/restart mongod
用cron作业解雇它:
30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
33 2 * * 1 cat /root/myScript
35 2 * * 1 /etc/init.d/nginx reload