我有这个dockerfile:
FROM nginx
COPY .docker/certificates/fullchain.pem /etc/letsencrypt/live/mydomain.com/fullchain.pem
COPY .docker/certificates/privkey.pem /etc/letsencrypt/live/mydomain.com/privkey.pem
COPY .docker/config/options-ssl-nginx.conf /etc/nginx/options-ssl-nginx.conf
COPY .docker/config/ssl-dhparams.pem /etc/nginx/ssl-dhparams.pem
COPY .docker/config/nginx.conf /etc/nginx/conf.d/default.conf
RUN chmod +r /etc/letsencrypt/live/mydomain.com/fullchain.pem
我的nginx配置中有这个:
server {
listen 443 ssl default_server;
server_name _;
# Why can't this file be found?
ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
# ssl_certificate /etc/nginx/fullchain.pem;
# ssl_certificate_key /etc/nginx/privkey.pem;
include /etc/nginx/options-ssl-nginx.conf;
ssl_dhparam /etc/nginx/ssl-dhparams.pem;
...
}
Nginx崩溃与:
[emerg] 7#7: cannot load certificate "/etc/letsencrypt/live/mydomain.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/mydomain.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
但是,如果我改变的位置fullchain.pem和privkey.pem,例如,/etc/nginx/fullchaim.pem与/etc/nginx/privkey.pem和更新nginx的配置,它确实找到文件,按预期工作。
这是中的服务定义docker-compose.yml:
nginx-server:
container_name: "nginx-server"
build:
context: ../../
dockerfile: .docker/dockerfiles/NginxDockerfile
restart: on-failure
ports:
- "80:80"
- "443:443"
volumes:
- static-content:/home/docker/code/static
- letsencrypt-data:/etc/letsencrypt
- certbot-data:/var/www/certbot
depends_on:
- api
command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
networks:
- api-network
- main
# Commented out to verify that the files aren't being deleted by certbot
# certbot:
# image: certbot/certbot
# container_name: "certbot"
# depends_on:
# - nginx-server
# restart: unless-stopped
# volumes:
# - letsencrypt-data:/etc/letsencrypt
# - certbot-data:/var/www/certbot
# entrypoint: "/bin/sh -c 'sleep 30s && trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
目的是fullchain.pem用作初始证书,直到可以让我们加密为止。请注意,目前没有任何certbot服务,并且/etc/letsencrypt/live/mydomain.com根本没有在其他任何地方引用目录(仅在NginxDockerfile和中nginx.conf),因此其他服务删除文件不应该成为问题。重建--no-cache无济于事。
为什么nginx不能在此特定位置找到文件,但是如果将它们复制到其他位置也可以找到它们?
编辑:按照建议,我最终改为使用主机卷。当主机卷位于存储库中root_of_context/path/to/gitignored/directory/letsencrypt:/etc/letsencrypt时/etc/letsencrypt:/etc/letsencrypt,此方法不起作用(,但是与一起使用时,我个人觉得很丑,但是很好。
卷是在运行时挂载的,因此在构建容器之后。
自从您安装letsencrypt-data之后/etc/letsencrypt,Nginx就会在其中查找文件letsencrypt-data。
我不知道目的的这个安装,但我想如果你删除你的容器会在运行成功- letsencrypt-data:/etc/letsencrypt的volumes。
本文收集自互联网,转载请注明来源。
如有侵权,请联系[email protected] 删除。
我来说两句