I would like to know whether it is possible to use an if statement on the nginx ssl certificate (or on any other part of the configuration):
if ( -f /etc/letsencrypt/live/{domain}/cert.pem ) {
    ssl_certificate /etc/letsencrypt/live/{domain}/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/{domain}/privkey.pem;
}
This gives the following error:
nginx: [emerg] "ssl_certificate" directive is not allowed here in /etc/nginx/sites-enabled/app.phase.be.conf:7
I have looked through the documentation and Google and concluded that this cannot be done; `if` is only meant for rewrites.
Is there another way to ignore the ssl certificates entirely, or to replace them with self-signed certificates, until Letsencrypt has issued the real ones? This is an automated process, and Nginx can be reloaded at any time when it is triggered by another process (e.g. a modified server block).
Edit:
Thanks to @Chris for pointing me in the right direction!
What I ended up doing looks like this, in a simplified form.
import logging
import subprocess
import time

# Third-party: pip install watchdog
from watchdog.events import PatternMatchingEventHandler
from watchdog.observers import Observer

# Config is the poster's own settings loader (not shown in the post); it
# returns a dict whose 'settings' section holds log_file and log_level.
config = Config().read()
logging.basicConfig(filename=config['settings']['log_file'],
                    filemode='a',
                    format='%(asctime)s [ %(levelname)s ] - %(message)s',
                    datefmt='%m/%d/%Y %H:%M:%S',
                    level=config['settings']['log_level'])


class NginxHandler(PatternMatchingEventHandler):
    """Reload nginx when a vhost file in sites-enabled changes."""
    patterns = ["*.conf", "*.cnf"]

    def process(self, event):
        logging.info('PROXY-LISTENER: Vhost configuration has changed reloading Nginx')
        time.sleep(1)  # give the writer a moment to finish the file
        subprocess.call(['nginx', '-s', 'reload'])

    def on_modified(self, event):
        self.process(event)

    # def on_created(self, event):
    #     self.process(event)

    def on_deleted(self, event):
        self.process(event)


class SslHandler(PatternMatchingEventHandler):
    """Reload nginx when a certificate or key under /etc/nginx/ssl changes."""
    patterns = ["*.pem", "*.key", "*.crt"]

    def process(self, event):
        logging.info('PROXY-LISTENER: SSL certificate updated, reloading nginx')
        subprocess.call(['nginx', '-s', 'reload'])

    def on_modified(self, event):
        self.process(event)

    # def on_created(self, event):
    #     self.process(event)

    def on_deleted(self, event):
        self.process(event)


logging.info('PROXY-LISTENER: Starting Proxy Listener')
observer = Observer()
observer.schedule(NginxHandler(), path='/etc/nginx/sites-enabled/')
observer.schedule(SslHandler(), path='/etc/nginx/ssl/', recursive=True)
observer.start()
logging.info('PROXY-LISTENER: Nginx vhost watcher started')
logging.info('PROXY-LISTENER: Nginx certificate watcher started')

# The observer runs in a background thread; keep the main thread alive.
try:
    while True:
        time.sleep(1)
except KeyboardInterrupt:
    observer.stop()
observer.join()
This watches the two directories for changes and acts accordingly. When a new vhost is created, Ssl().add_temp_cert() is called and creates the required symbolic links.
import subprocess


class Ssl(object):
    def __init__(self, domain):
        # The directory name under /etc/nginx/ssl is derived from the domain,
        # and it is later removed wholesale, so refuse empty or path-like values.
        if not domain or '/' in domain or domain.startswith('.'):
            raise ValueError('bad domain: %r' % (domain,))
        self.domain = domain
        self.ssl_dir = '/etc/nginx/ssl/' + domain

    def add_temp_cert(self, vhost):
        '''
        Create symbolic links to provide a temporary ssl certificate
        for the new vhost until a valid one has been installed
        '''
        subprocess.call(['mkdir', '-p', self.ssl_dir])
        subprocess.call(['ln', '-s', '/etc/nginx/ssl/nginx.crt', self.ssl_dir + '/cert.pem'])
        subprocess.call(['ln', '-s', '/etc/nginx/ssl/nginx.key', self.ssl_dir + '/privkey.pem'])
        # else: self.add_cert(vhost)   (branch from the full version; its condition is not shown)

    def add_letsencrypt_cert(self, vhost):
        '''
        Replace the per-vhost directory with a symbolic link to the
        obtained ssl certificate directory under /etc/letsencrypt/live
        '''
        # The directory only holds the temporary links, so remove it whole
        # ('rm -f' on a directory does nothing).
        subprocess.call(['rm', '-rf', self.ssl_dir])
        # No trailing slash on the link name, otherwise ln cannot create it.
        subprocess.call(['ln', '-s', '/etc/letsencrypt/live/' + self.domain, self.ssl_dir])
Answer 0 (score: 3)
If you already have an existing process/script that triggers the nginx reload, use Linux symbolic links:
server {
    ...
    ssl_certificate /etc/nginx/ssl/link-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/link-privkey.pem;
    ...
}
#!/bin/bash
# exit on errors
set -e
# remove existing links (-f so a missing link does not abort under set -e)
rm -f /etc/nginx/ssl/link-cert.pem
rm -f /etc/nginx/ssl/link-privkey.pem
DOMAIN="anthum.com"
# link files specified in nginx.conf to real cert files
if [ -f "/etc/letsencrypt/live/$DOMAIN/cert.pem" ]; then
    ln -s "/etc/letsencrypt/live/$DOMAIN/cert.pem" /etc/nginx/ssl/link-cert.pem
    ln -s "/etc/letsencrypt/live/$DOMAIN/privkey.pem" /etc/nginx/ssl/link-privkey.pem
else
    ln -s /etc/nginx/ssl/self-signed.crt /etc/nginx/ssl/link-cert.pem
    ln -s /etc/nginx/ssl/self-signed.key /etc/nginx/ssl/link-privkey.pem
fi
# Reload nginx
nginx -s reload
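The link-swap approach in this answer, and the per-vhost link directory in the question's edit, both rely on a reload happening while the links are being rewritten. The script below is an added example, not code from the question or either answer. It uses the same stable link names from the server block (link-cert.pem, link-privkey.pem) and the same self-signed fallback, but replaces each link atomically (create beside, then rename over) so a reload triggered by another process never sees a missing file, tolerates links that do not exist yet, points at Let's Encrypt's fullchain.pem rather than cert.pem so nginx serves the intermediate certificate as well, and only reloads after `nginx -t` accepts the result. The directory locations are parameters so the selection logic can be exercised against a scratch tree; the defaults are the paths used on this page. The SELECT_CERT_DOMAIN variable and the rejected-domain check are my additions.

```shell
#!/bin/sh
# Added example: idempotent, atomic certificate link selection for nginx.
set -eu

# swap_link TARGET LINK: atomically repoint LINK at TARGET.
# The temporary link is created next to LINK and renamed over it, so a
# concurrent "nginx -s reload" sees either the old or the new target.
swap_link() {
    target="$1"
    link="$2"
    tmp="$link.tmp.$$"
    rm -f "$tmp"
    ln -s "$target" "$tmp"
    mv -f "$tmp" "$link"
}

# select_cert DOMAIN [SSL_DIR] [LE_DIR]
# Links SSL_DIR/link-cert.pem and SSL_DIR/link-privkey.pem at the Let's
# Encrypt pair for DOMAIN when both files exist, otherwise at the
# self-signed pair in SSL_DIR. Prints "letsencrypt" or "self-signed".
select_cert() {
    domain="$1"
    ssl_dir="${2:-/etc/nginx/ssl}"
    le_dir="${3:-/etc/letsencrypt/live}"

    # The Let's Encrypt directory name is derived from the domain, so refuse
    # empty, dotfile-like or path-like values before touching the filesystem.
    case "$domain" in
        ""|*/*|.*)
            echo "select_cert: refusing domain '$domain'" >&2
            return 1 ;;
    esac

    # fullchain.pem = leaf + intermediates; cert.pem alone makes clients that
    # do not already have the intermediate fail to build a chain.
    if [ -f "$le_dir/$domain/fullchain.pem" ] && [ -f "$le_dir/$domain/privkey.pem" ]; then
        cert="$le_dir/$domain/fullchain.pem"
        key="$le_dir/$domain/privkey.pem"
        chosen="letsencrypt"
    else
        cert="$ssl_dir/self-signed.crt"
        key="$ssl_dir/self-signed.key"
        chosen="self-signed"
    fi

    swap_link "$cert" "$ssl_dir/link-cert.pem"
    swap_link "$key"  "$ssl_dir/link-privkey.pem"
    echo "$chosen"
}

# reload_nginx: validate the whole configuration first, so a bad link leaves
# the running workers untouched instead of being picked up by the reload.
reload_nginx() {
    nginx -t && nginx -s reload
}

# Usage on a real host:  SELECT_CERT_DOMAIN=anthum.com sh select-cert.sh
if [ -n "${SELECT_CERT_DOMAIN:-}" ]; then
    which=$(select_cert "$SELECT_CERT_DOMAIN")
    echo "linked $which certificate for $SELECT_CERT_DOMAIN"
    reload_nginx
fi
```

Because the script is idempotent, it can be run from a certbot `--deploy-hook` after each issuance or renewal, from the vhost-creation step, or from a file watcher like the one in the question; whichever of those fires, the links end up in the same state and nginx is only reloaded on a configuration that passed `nginx -t`.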
Answer 1 (score: 0)
Just hard-code some default self-signed certificate and let Certbot's Nginx plugin rewrite the ssl_certificate statements at run time. For example, Ubuntu and Debian generate a self-signed "snakeoil" key and certificate by default:
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
If you run certbot yourself, it should detect Nginx and offer to configure Nginx for you automatically. You can also pass --nginx to explicitly request Nginx auto-configuration.