哪个先出现-创建nginx网站`.conf`文件还是运行`certbot-auto certonly`? [英] Which comes first - creating the nginx site `.conf` file or running `certbot-auto certonly`?

问题描述

我正在尝试使用Ansible在服务器上自动设置certbot + nginx.

I'm trying to automate the setup of certbot + nginx on a server using Ansible.

它第一次运行时，还没有letencrypt证书.但是我按如下方式创建nginx conf，引用 将由certbot创建的SSL/cert目录

The first time it runs, there are no letsencrypt certificates (yet). However I create the nginx conf as follows, referencing SSL/cert directories that will be created by certbot

server {

  listen              443 ssl;
  server_name         example.co;

  # ...

  # SSL
  ssl_certificate /etc/letsencrypt/live/example.co/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.co/privkey.pem;
  include /etc/letsencrypt/options-ssl-nginx.conf;
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

}

server {
  if ($host = example.co) {
      return 301 https://$host$request_uri;
  }

  listen 80;
  server_name example.co;
  return 404;
}

然后在后面的播放中，我使用-nginx 插件运行 certbot-auto ，但收到错误消息

Then later in the ansible play I run certbot-auto with the --nginx plugin, but I receive an error

> /usr/local/bin/certbot-auto certonly --nginx -n --agree-tos --text -d example.co --email admin@example.co

Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/example.co/fullchain.pem"

似乎certbot在继续之前先检查了nginx conf(这很有意义)，但是conf验证失败，因为它引用了不存在的目录.另外，还需要-nginx 插件(或至少一些其他插件)，所以我不能放弃它.

It seems that certbot first checks the nginx conf before proceeding (which makes sense) but the conf fails validation since it refers to directories that don't exist. Also, the --nginx plugin (or at least some other plugin) are required so I can't leave it off.

所以我处于一种鸡与蛋的情况，因为-

So I'm in a sort of chicken-and-egg situation because -

1. 在运行certbot之前，我无法创建nginx conf，因为certbot尝试验证nginx conf，但失败了，因为它引用了不存在的目录

1. I can't create the nginx conf before running certbot because certbot tries to validate the nginx conf, and it fails because it references directories that don't exist

在创建nginx conf之前，我无法运行certbot，因为certbot使用站点的conf来要求新证书

I can't run certbot before creating the nginx conf because certbot uses the site's conf to requires new cerificates

我唯一看到的选择是

• 创建nginx conf 而没有 #SSL 行
• 运行certbot以获得新证书
• 更新nginx conf文件以在 #SSL 行中添加

• create the nginx conf without the #SSL lines
• run certbot to get new certs
• update the nginx conf file to add in the #SSL lines

这感觉很混乱，但是不确定是否还有其他方法?

This feels messy, but not sure if there's another way?

执行此命令的正确顺序是什么?

What's the right order to run this in?

谢谢！

推荐答案

在运行certbot之前，肯定需要存在.conf文件.然后，Certbot自己将证书的路径写入文件中，因此步骤3不必要.

The .conf file surely needs to be there before running certbot. Certbot will then itself write the path to the certificates into the file, so step 3 should not be necessary.

这篇关于哪个先出现-创建nginx网站`.conf`文件还是运行`certbot-auto certonly`?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！