我有一个nginx服务器设置为反向代理,似乎每天崩溃。以前服务器从来没有任何问题,但是最近(一个月左右),我开始注意到nginx没有运行,因此我必须登录服务器才能再次启动该过程。
我无法在日志中找到任何有用的东西。感谢您在诊断问题方面的帮助。
nginx版本:nginx / 1.10.3(Ubuntu)
操作系统:Ubuntu 16.04.4 LTS(在LXC中运行)
# systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Sat 2018-06-23 21:49:46 UTC; 1min 23s ago
Process: 13485 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=1/FAILURE)
Process: 13402 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 13401 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 13403 (code=exited, status=0/SUCCESS)
Jun 23 10:30:17 nginx systemd[1]: Starting A high performance web server and a reverse proxy server...
Jun 23 10:30:17 nginx systemd[1]: Started A high performance web server and a reverse proxy server.
cat /var/log/nginx/error.log
2018/06/23 21:49:46 [notice] 13484#13484: signal process started
access.log文件中没有可疑的东西。
让我知道是否还有其他有用的信息
答案 0 :(得分:2)
我遇到了同样的问题,并且是同样的错误源:certbot正在关闭nginx服务器,并且在更新后无法再次启动它。
您可以通过检查以下日志来检查是否遇到相同的问题。第一个nginx日志:
tail -n 100 /var/log/nginx/error.log
结果:
2019/02/05 12:07:37 [notice] 1629#1629: signal process started
2019/02/05 12:07:37 [error] 1629#1629: open() "/run/nginx.pid" failed (2: No such file or directory)
2019/02/05 12:07:38 [emerg] 1655#1655: bind() to 0.0.0.0:80 failed (98: Address already in use)
2019/02/05 12:07:38 [emerg] 1655#1655: bind() to 0.0.0.0:443 failed (98: Address already in use)
2019/02/05 12:07:38 [emerg] 1655#1655: bind() to [::]:443 failed (98: Address already in use)
2019/02/05 12:07:38 [emerg] 1655#1655: bind() to 0.0.0.0:444 failed (98: Address already in use)
2019/02/05 12:07:38 [emerg] 1655#1655: bind() to [::]:444 failed (98: Address already in use)
[...]
2019/02/05 12:07:38 [emerg] 1655#1655: still could not bind()
2019/02/05 12:07:41 [alert] 1631#1631: unlink() "/run/nginx.pid" failed (2: No such file or directory)
我们看到nginx尝试重新启动失败。
您也可以检查系统日志:
tail -n 100 /var/log/syslog
并寻找相同的时间戳:
Feb 5 12:07:30 systemd[1]: Starting Certbot...
Feb 5 12:07:31 systemd[1]: Stopping A high performance web server and a reverse proxy server...
Feb 5 12:07:31 systemd[1]: Stopped A high performance web server and a reverse proxy server.
Feb 5 12:07:38 systemd[1]: Starting A high performance web server and a reverse proxy server...
我们看到certbot似乎引起了问题。
就我而言,我有一个旧版本的certbot。您可以使用certbot --version命令检查版本。就我而言,我有certbot 0.10.2 ...
因此,首先,升级您的certbot应用程序,并添加nginx插件:
sudo apt-get update
sudo apt-get install certbot python-certbot-nginx
检查您的新版本:certbot --version-> certbot 0.28.0。
然后,您将必须使用nginx插件将更新配置文件相应地修改为新版本。续订conf文件位于/etc/letsencrypt/renewal/*目录中。 请注意,certbot文档不鼓励您手动修改它们 ...
我从以下位置修改所有续订配置文件:
# renew_before_expiry = 30 days
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/yourdomain
cert = /etc/letsencrypt/live/yourdomain/cert.pem
privkey = /etc/letsencrypt/live/yourdomain/privkey.pem
chain = /etc/letsencrypt/live/yourdomain/chain.pem
fullchain = /etc/letsencrypt/live/yourdomain/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = standalone
post_hook = service nginx start
account = yourkey
pre_hook = service nginx stop
installer = nginx
收件人:
# renew_before_expiry = 30 days
version = 0.28.0
archive_dir = /etc/letsencrypt/archive/yourdomain
cert = /etc/letsencrypt/live/yourdomain/cert.pem
privkey = /etc/letsencrypt/live/yourdomain/privkey.pem
chain = /etc/letsencrypt/live/yourdomain/chain.pem
fullchain = /etc/letsencrypt/live/yourdomain/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = yourkey
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = nginx
installer = nginx
(请注意,仅修改了版本和身份验证器行,添加了 server 行,并且 pre_hook 和 post_hook 行已删除)。
然后,您可以使用以下命令,通过模拟续订来检查下一次续订是否将顺利进行:
certbot renew --dry-run
您应该为每个证书获得以下内容,没有红色错误:
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/yourdomain/fullchain.pem
答案 1 :(得分:0)
似乎在/var/log/syslog中找到了解决问题的方法。 certbot试图关闭Nginx服务器以尝试续订证书,但是由于某些配置问题(我的错),它会失败并且不会重新打开Nginx服务器。