NGINX 上的 SSL 证书无法加载 [英] SSL Certificate on NGINX fails to load
问题描述
我正在尝试将我从 Godaddy 获得的 SSL 证书安装到我的 NGINX 服务器上.我确信我的所有路径都是正确的,并且据我所知,我的服务器配置是正确的,但仍然出现以下错误.
I am trying to install an SSL certificate that I obtained from Godaddy onto my NGINX server. I am positive I have all of the paths correct and from what I understand my server configuration is correct, but still I get the following error.
Feb 20 11:06:35 my.server.com nginx[6173]: nginx: [emerg] cannot load certificate "/etc/ssl/certs/certificate.crt": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/ssl/certs/certificate.crt','r') error:2006D002:BIO routines:BIO_new_file:system lib)
Feb 20 11:00:01 my.server.com nginx[5969]: nginx: configuration file /etc/nginx/nginx.conf test failed
以下是我的 SSL 配置.我已将其放入路径 /etc/nginx/conf.d/ssl.conf 下的文件中.
Below is my SSL configuration. I have placed this into a file at the path /etc/nginx/conf.d/ssl.conf.
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name my.server.com;
root /usr/share/nginx/html;
ssl_certificate /etc/ssl/certs/certificate.crt;
ssl_certificate_key /etc/ssl/private/private.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
proxy_pass http://[MY_IP_ADDRESS]:8443;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
这看起来是一个权限问题,但我已经运行 chown 来更改 root 用户的权限,并且我已经通过 chmod 将文件权限更改为 600.这不正确吗?有人可以就如何解决此问题给我一些指导吗?
This looks to be a permissions issue, but I have ran chown to change the permissions to the root user, and I have changed the file permission to 600 via chmod. Is this not correct? Can someone please give me some guidance on how to resolve this issue?
** 更新 **
我确实检查过,发现 SSL 证书不归 root 用户所有.我已将所有 SSL 文件修改为由 root 所有者和组拥有,并将文件权限更改为 600,我尝试了 700.当我运行 sudo ls -l 时,我得到以下输出
I did check and found that the SSL certs was not owned by the root user. I've modified all SSL files to be owned by the root owner and group, and changed the file permissions to 600 and I've tried 700. I get this output below when I run sudo ls -l
-rwx------. 1 root root 7072 Feb 20 10:41 my.server.com.chained.crt
-rwx------. 1 root root 2277 Feb 20 10:36 my.server.com.crt
-rwx------. 1 root root 4795 Feb 20 10:39 intermediate.crt
我仍然遇到同样的错误.我也试过普通证书和全链证书.有没有人知道发生了什么?
I am still getting the same error though. I've also tried both the normal cert and the full chain cert. Does anyone have an idea what is going on?
推荐答案
我终于解决了我的问题.事实证明,当我移动文件 (mv) 时,它更改了文件的安全上下文,从而使 nginx 无法读取它们.我通过在我的 nginx 根文件夹上运行以下命令解决了这个问题.
I finally solved my issue. Turns out when I moved the files (mv) it changed the security context of the files, and thus made them unreadable to nginx. I resolved the issue by running the following command on my root nginx folder.
restorecon -v -R /etc/nginx
我是从这篇帖子中发现的.
感谢大家的帮助!
这篇关于NGINX 上的 SSL 证书无法加载的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
