certbot does not stop the nginx service correctly, so it cannot restart it

Time: 2018-12-14 14:00:46

Tags: nginx certbot

I'm having some trouble with my Debian VPS. It hosts several websites on an nginx, gunicorn and django stack. The website in question has an SSL certificate managed by Let's Encrypt.

I think the problem occurs when Let's Encrypt wants to renew the certificate.

Error

System log when the error occurs:

Dec 12 00:01:46 vps465872 systemd[1]: Starting Certbot...
Dec 12 00:01:49 vps465872 systemd[1]: Stopping A high performance web server and a reverse proxy server...
Dec 12 00:01:49 vps465872 systemd[1]: Stopped A high performance web server and a reverse proxy server.
Dec 12 00:01:55 vps465872 certbot[600]: nginx: [error] open() "/run/nginx.pid" failed (2: No such file or directory)
Dec 12 00:01:56 vps465872 systemd[1]: Starting A high performance web server and a reverse proxy server...
Dec 12 00:01:56 vps465872 nginx[658]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 12 00:01:56 vps465872 nginx[658]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Dec 12 00:01:57 vps465872 nginx[658]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 12 00:01:57 vps465872 nginx[658]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Dec 12 00:01:57 vps465872 nginx[658]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 12 00:01:57 vps465872 nginx[658]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Dec 12 00:01:58 vps465872 nginx[658]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 12 00:01:58 vps465872 nginx[658]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Dec 12 00:01:58 vps465872 nginx[658]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 12 00:01:58 vps465872 nginx[658]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Dec 12 00:01:59 vps465872 nginx[658]: nginx: [emerg] still could not bind()
Dec 12 00:01:59 vps465872 systemd[1]: nginx.service: Control process exited, code=exited status=1
Dec 12 00:01:59 vps465872 systemd[1]: Failed to start A high performance web server and a reverse proxy server.
Dec 12 00:01:59 vps465872 systemd[1]: nginx.service: Unit entered failed state.
Dec 12 00:01:59 vps465872 systemd[1]: nginx.service: Failed with result 'exit-code'.
Dec 12 00:01:59 vps465872 certbot[600]: Hook command "service nginx start" returned error code 1
Dec 12 00:01:59 vps465872 certbot[600]: Error output from service:
Dec 12 00:01:59 vps465872 certbot[600]: Job for nginx.service failed because the control process exited with error code.
Dec 12 00:01:59 vps465872 certbot[600]: See "systemctl status nginx.service" and "journalctl -xe" for details.


So be it. Let's redo the process by hand. I killed everything around nginx:

ps -ef |grep nginx
kill -9 xxxx
kill -9 xxxx

I restarted nginx:

service nginx start

Then everything works.

I did a certbot dry run:

certbot renew --dry-run

Now I get the error:

Attempting to renew cert (xxx.fr) from /etc/letsencrypt/renewal/xxx.fr.conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6... Skipping.

Investigation

I look in the /run directory: the file nginx.pid no longer exists.

On the other hand, a ps -ef | grep nginx tells me the process is still running, and indeed the website is up. So if I run service nginx start, it gives me the address-already-in-use error.

I found someone on Stack Overflow with the same problem as me, but the solution doesn't work. Still, it gave me a lead on where to look: Certbot renew: nginx: [error] open() "/run/nginx.pid" failed (2: No such file or directory)

So I look: the file /etc/letsencrypt/renewal/xxx.fr.conf contains the following hooks:

[renewalparams]
authenticator = standalone
installer = nginx
pre_hook = service nginx stop
post_hook = service nginx start

Fine. I look at the related script, /etc/init.d/nginx: at the start it extracts the pid via

# Extract the pid file path from the "pid" directive of nginx.conf
PID=$(cat /etc/nginx/nginx.conf | grep -Ev '^\s*#' | awk 'BEGIN { RS="[;{}]" } { if ($1 == "pid") print $2 }' | head -n1)

This command works fine.

Stop:

stop_nginx() {
    start-stop-daemon --stop --quiet --retry=$STOP_SCHEDULE --pidfile $PID --name $NAME
    RETVAL="$?"
    sleep 1
    return "$RETVAL"
}

Start:

start_nginx() {
    start-stop-daemon --start --quiet --pidfile $PID --exec $DAEMON --test > /dev/null \
        || return 1
    start-stop-daemon --start --quiet --pidfile $PID --exec $DAEMON -- \
        $DAEMON_OPTS 2>/dev/null \
        || return 2
}

Looks fine. Moreover, when the service's pid file is in order, the start and stop commands also work correctly.

Conclusion

That's all; this is the problem I don't understand.
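The failure pattern in the journal above (systemd reports nginx stopped, the pid file is gone, and the post_hook start then fails with "Address already in use") can be picked out mechanically. The following detection script is an added example, not code from the question or from certbot; the sample journal it scans is a trimmed copy of the lines quoted above, constructed here as input.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample input: a trimmed copy of the journal excerpt quoted in the question.
SAMPLE_JOURNAL = """\
Dec 12 00:01:46 vps465872 systemd[1]: Starting Certbot...
Dec 12 00:01:49 vps465872 systemd[1]: Stopped A high performance web server and a reverse proxy server.
Dec 12 00:01:55 vps465872 certbot[600]: nginx: [error] open() "/run/nginx.pid" failed (2: No such file or directory)
Dec 12 00:01:56 vps465872 nginx[658]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 12 00:01:56 vps465872 nginx[658]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Dec 12 00:01:57 vps465872 nginx[658]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 12 00:01:59 vps465872 certbot[600]: Hook command "service nginx start" returned error code 1
"""

# Patterns for the four symptoms that together make up the failure in the question.
STOPPED_RE = re.compile(r"systemd\[\d+\]: Stopped .*(?:web server|nginx)")
PIDFILE_RE = re.compile(r'open\(\) "([^"]*nginx\.pid)" failed \(2: No such file')
BIND_RE = re.compile(r"bind\(\) to \S+:(\d+) failed \(98: Address already in use\)")
HOOK_RE = re.compile(r'Hook command "([^"]+)" returned error code (\d+)')


def diagnose(lines: Iterable[str]) -> Dict[str, object]:
    """Scan journal lines for the 'orphaned nginx' pattern: systemd thinks nginx stopped,
    the pid file is missing, yet 80/443 are still bound when the post_hook restarts it."""
    stopped = False
    pidfile = None
    ports: List[int] = []
    hooks: List[Tuple[str, int]] = []
    for line in lines:
        if STOPPED_RE.search(line):
            stopped = True
        m = PIDFILE_RE.search(line)
        if m:
            pidfile = m.group(1)
        m = BIND_RE.search(line)
        if m:
            port = int(m.group(1))
            if port not in ports:  # de-duplicate nginx's repeated bind retries
                ports.append(port)
        m = HOOK_RE.search(line)
        if m:
            hooks.append((m.group(1), int(m.group(2))))
    return {
        "systemd_stopped_nginx": stopped,
        "missing_pidfile": pidfile,
        "ports_in_use": ports,
        "failed_hooks": hooks,
        # All three together mean the stop hook returned before the old master and its
        # workers released the sockets: with no pid file there was nothing to signal.
        "orphaned_nginx": stopped and pidfile is not None and bool(ports),
    }
```

Run it over `journalctl -u certbot -u nginx` output around the renewal timer to confirm the same three symptoms before killing leftover nginx processes or switching the renewal to webroot mode.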

1 answer:

Answer 0 (score: 2)

I suggest using webroot mode instead of standalone mode. To renew the certificate it creates a ".well-known/acme-challenge/" in your web server's root directory.

In terms of uptime, downtime is reduced because you only need to restart the nginx service via post_hook instead of doing "stop-wait-start".

Hope this alternative solution helps.