nginx proxy_pass 条件下的 ssl 证书自动更新

2024年1月20日 37 条评论

由于 let’s encrypt 签发的证书有效期只有 90 天，并且有的服务没有绑定目录，是通过 proxy_pass 转发的其他服务，就导致在更新证书的时候经常会出问题。

之前为了更新证书都是修改配置文件，证书更新完成之后再把配置文件换回去，但是，一直这个做法总是比较麻烦。查看 acme 的日志就会发现，其实是文件访问失败了。：

[Wed 17 Jan 2024 12:21:11 AM CST] responseHeaders='HTTP/2 200

server: nginx

date: Tue, 16 Jan 2024 16:21:11 GMT

content-type: application/json

content-length: 1309

boulder-requester: 1023612387

cache-control: public, max-age=0, no-cache

link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"

replay-nonce: LPSUY_lxhOXaxMC2EZ9QV4b0zXRV24srjF5J4XvlRDA5S8Yb1zE

x-frame-options: DENY

strict-transport-security: max-age=604800

[Wed 17 Jan 2024 12:21:12 AM CST] code='200'

[Wed 17 Jan 2024 12:21:12 AM CST] original='{

"identifier": {

"type": "dns",

"value": "c.oba.by"

"status": "invalid",

"expires": "2024-01-23T16:21:04Z",

"challenges": [

{

"type": "http-01",

"status": "invalid",

"error": {

"type": "urn:ietf:params:acme:error:unauthorized",

"detail": "43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404",

"status": 403

"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA",

"token": "TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw",

"validationRecord": [

{

"url": "http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw",

"hostname": "c.oba.by",

"port": "80",

"addressesResolved": [

"43.16.12.199"

"addressUsed": "43.16.12.199"

{

"url": "https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw",

"hostname": "c.oba.by",

"port": "443",

"addressesResolved": [

"43.16.12.199"

"addressUsed": "43.16.12.199"

}

"validated": "2024-01-16T16:21:06Z"

}

]

[Wed 17 Jan 2024 12:21:12 AM CST] response='{"identifier":{"type":"dns","value":"c.oba.by"},"status":"invalid","expires":"2024-01-23T16:21:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA","token":"TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","validationRecord":[{"url":"http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"80","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"},{"url":"https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"443","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"}],"validated":"2024-01-16T16:21:06Z"}]}'

[Wed 17 Jan 2024 12:21:12 AM CST] original='{"identifier":{"type":"dns","value":"c.oba.by"},"status":"invalid","expires":"2024-01-23T16:21:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA","token":"TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","validationRecord":[{"url":"http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"80","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"},{"url":"https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"443","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"}],"validated":"2024-01-16T16:21:06Z"}]}'

[Wed 17 Jan 2024 12:21:12 AM CST] status='invalid

invalid'

[Wed 17 Jan 2024 12:21:12 AM CST] error='"error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403'

[Wed 17 Jan 2024 12:21:12 AM CST] errordetail='43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404'

[Wed 17 Jan 2024 12:21:12 AM CST] Invalid status, c.oba.by:Verify error detail:43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404

[Wed 17 Jan 2024 12:21:12 AM CST] pid

[Wed 17 Jan 2024 12:21:12 AM CST] No need to restore nginx, skip.

[Wed 17 Jan 2024 12:21:12 AM CST] _clearupdns

[Wed 17 Jan 2024 12:21:12 AM CST] dns_entries

[Wed 17 Jan 2024 12:21:12 AM CST] skip dns.

[Wed 17 Jan 2024 12:21:12 AM CST] _on_issue_err

[Wed 17 Jan 2024 12:21:12 AM CST] Please check log file for more details: /usr/local/acme.sh/acme.sh.log

[Wed 17 Jan 2024 12:21:11 AM CST] responseHeaders='HTTP/2 200 server: nginx date: Tue, 16 Jan 2024 16:21:11 GMT content-type: application/json content-length: 1309 boulder-requester: 1023612387 cache-control: public, max-age=0, no-cache link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index" replay-nonce: LPSUY_lxhOXaxMC2EZ9QV4b0zXRV24srjF5J4XvlRDA5S8Yb1zE x-frame-options: DENY strict-transport-security: max-age=604800 ' [Wed 17 Jan 2024 12:21:12 AM CST] code='200' [Wed 17 Jan 2024 12:21:12 AM CST] original='{ "identifier": { "type": "dns", "value": "c.oba.by" }, "status": "invalid", "expires": "2024-01-23T16:21:04Z", "challenges": [ { "type": "http-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:unauthorized", "detail": "43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404", "status": 403 }, "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA", "token": "TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw", "validationRecord": [ { "url": "http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw", "hostname": "c.oba.by", "port": "80", "addressesResolved": [ "43.16.12.199" ], "addressUsed": "43.16.12.199" }, { "url": "https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw", "hostname": "c.oba.by", "port": "443", "addressesResolved": [ "43.16.12.199" ], "addressUsed": "43.16.12.199" } ], "validated": "2024-01-16T16:21:06Z" } ] }' [Wed 17 Jan 2024 12:21:12 AM CST] response='{"identifier":{"type":"dns","value":"c.oba.by"},"status":"invalid","expires":"2024-01-23T16:21:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA","token":"TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","validationRecord":[{"url":"http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"80","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"},{"url":"https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"443","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"}],"validated":"2024-01-16T16:21:06Z"}]}' [Wed 17 Jan 2024 12:21:12 AM CST] original='{"identifier":{"type":"dns","value":"c.oba.by"},"status":"invalid","expires":"2024-01-23T16:21:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA","token":"TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","validationRecord":[{"url":"http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"80","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"},{"url":"https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"443","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"}],"validated":"2024-01-16T16:21:06Z"}]}' [Wed 17 Jan 2024 12:21:12 AM CST] response='{"identifier":{"type":"dns","value":"c.oba.by"},"status":"invalid","expires":"2024-01-23T16:21:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA","token":"TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","validationRecord":[{"url":"http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"80","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"},{"url":"https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"443","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"}],"validated":"2024-01-16T16:21:06Z"}]}' [Wed 17 Jan 2024 12:21:12 AM CST] status='invalid invalid' [Wed 17 Jan 2024 12:21:12 AM CST] error='"error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403' [Wed 17 Jan 2024 12:21:12 AM CST] errordetail='43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404' [Wed 17 Jan 2024 12:21:12 AM CST] Invalid status, c.oba.by:Verify error detail:43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404 [Wed 17 Jan 2024 12:21:12 AM CST] pid [Wed 17 Jan 2024 12:21:12 AM CST] No need to restore nginx, skip. [Wed 17 Jan 2024 12:21:12 AM CST] _clearupdns [Wed 17 Jan 2024 12:21:12 AM CST] dns_entries [Wed 17 Jan 2024 12:21:12 AM CST] skip dns. [Wed 17 Jan 2024 12:21:12 AM CST] _on_issue_err [Wed 17 Jan 2024 12:21:12 AM CST] Please check log file for more details: /usr/local/acme.sh/acme.sh.log

[Wed 17 Jan 2024 12:21:11 AM CST] responseHeaders='HTTP/2 200 
server: nginx
date: Tue, 16 Jan 2024 16:21:11 GMT
content-type: application/json
content-length: 1309
boulder-requester: 1023612387
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: LPSUY_lxhOXaxMC2EZ9QV4b0zXRV24srjF5J4XvlRDA5S8Yb1zE
x-frame-options: DENY
strict-transport-security: max-age=604800

'
[Wed 17 Jan 2024 12:21:12 AM CST] code='200'
[Wed 17 Jan 2024 12:21:12 AM CST] original='{
  "identifier": {
    "type": "dns",
    "value": "c.oba.by"
  },
  "status": "invalid",
  "expires": "2024-01-23T16:21:04Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA",
      "token": "TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw",
      "validationRecord": [
        {
          "url": "http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw",
          "hostname": "c.oba.by",
          "port": "80",
          "addressesResolved": [
            "43.16.12.199"
          ],
          "addressUsed": "43.16.12.199"
        },
        {
          "url": "https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw",
          "hostname": "c.oba.by",
          "port": "443",
          "addressesResolved": [
            "43.16.12.199"
          ],
          "addressUsed": "43.16.12.199"
        }
      ],
      "validated": "2024-01-16T16:21:06Z"
    }
  ]
}'
[Wed 17 Jan 2024 12:21:12 AM CST] response='{"identifier":{"type":"dns","value":"c.oba.by"},"status":"invalid","expires":"2024-01-23T16:21:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA","token":"TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","validationRecord":[{"url":"http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"80","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"},{"url":"https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"443","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"}],"validated":"2024-01-16T16:21:06Z"}]}'
[Wed 17 Jan 2024 12:21:12 AM CST] original='{"identifier":{"type":"dns","value":"c.oba.by"},"status":"invalid","expires":"2024-01-23T16:21:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA","token":"TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","validationRecord":[{"url":"http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"80","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"},{"url":"https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"443","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"}],"validated":"2024-01-16T16:21:06Z"}]}'
[Wed 17 Jan 2024 12:21:12 AM CST] response='{"identifier":{"type":"dns","value":"c.oba.by"},"status":"invalid","expires":"2024-01-23T16:21:04Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304848726146/WKikiA","token":"TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","validationRecord":[{"url":"http://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"80","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"},{"url":"https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw","hostname":"c.oba.by","port":"443","addressesResolved":["43.16.12.199"],"addressUsed":"43.16.12.199"}],"validated":"2024-01-16T16:21:06Z"}]}'
[Wed 17 Jan 2024 12:21:12 AM CST] status='invalid
invalid'
[Wed 17 Jan 2024 12:21:12 AM CST] error='"error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404","status": 403'
[Wed 17 Jan 2024 12:21:12 AM CST] errordetail='43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404'
[Wed 17 Jan 2024 12:21:12 AM CST] Invalid status, c.oba.by:Verify error detail:43.16.12.199: Invalid response from https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw: 404
[Wed 17 Jan 2024 12:21:12 AM CST] pid
[Wed 17 Jan 2024 12:21:12 AM CST] No need to restore nginx, skip.
[Wed 17 Jan 2024 12:21:12 AM CST] _clearupdns
[Wed 17 Jan 2024 12:21:12 AM CST] dns_entries
[Wed 17 Jan 2024 12:21:12 AM CST] skip dns.
[Wed 17 Jan 2024 12:21:12 AM CST] _on_issue_err
[Wed 17 Jan 2024 12:21:12 AM CST] Please check log file for more details: /usr/local/acme.sh/acme.sh.log

访问：https://c.oba.by/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw这个文件的时候 404 了。对应的 nginx 配置文件为：

server

{

listen 80;

#listen [::]:80;

server_name c.oba.by ;

index index.html index.htm index.php default.html default.htm default.php;

root /home/wwwroot/c.oba.by;

#include rewrite/none.conf;

#error_page 404 /404.html;

# Deny access to PHP files in specific directory

#location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

location / {

return 301 https://$host$request_uri;

}

access_log /home/wwwlogs/c.oba.by.log;

}

server { listen 80; #listen [::]:80; server_name c.oba.by ; index index.html index.htm index.php default.html default.htm default.php; root /home/wwwroot/c.oba.by; #include rewrite/none.conf; #error_page 404 /404.html; # Deny access to PHP files in specific directory #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; } location / { return 301 https://$host$request_uri; } access_log /home/wwwlogs/c.oba.by.log; }

server
    {
        listen 80;
        #listen [::]:80;
        server_name c.oba.by ;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/c.oba.by;

        #include rewrite/none.conf;
        #error_page   404   /404.html;

        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }


        location / {
            return 301 https://$host$request_uri;
        }

        access_log  /home/wwwlogs/c.oba.by.log;
    }

http 直接 301到了 https，那么反问 challenge 文件就会访问到对应的 https 端口下，而这个端口下同样没有这个文件。

那么要解决就需要让 nginx 能够正常的提供/.well-known/acme-challenge/TOjFFZItAzAziiTP69t1hDwA7oe2lfzzHhpys2pAuWw访问权限。

之前尝试添加过 location 解决，但是依然失败，再次尝试：

server

{

listen 80;

#listen [::]:80;

server_name c.oba.by ;

index index.html index.htm index.php default.html default.htm default.php;

root /home/wwwroot/c.oba.by;

#include rewrite/none.conf;

#error_page 404 /404.html;

# Deny access to PHP files in specific directory

#location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

location /.well-known {

alias /home/wwwroot/c.oba.by/.well-known;

}

location / {

return 301 https://$host$request_uri;

}

access_log /home/wwwlogs/c.oba.by.log;

}

server { listen 80; #listen [::]:80; server_name c.oba.by ; index index.html index.htm index.php default.html default.htm default.php; root /home/wwwroot/c.oba.by; #include rewrite/none.conf; #error_page 404 /404.html; # Deny access to PHP files in specific directory #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; } location /.well-known { alias /home/wwwroot/c.oba.by/.well-known; } location / { return 301 https://$host$request_uri; } access_log /home/wwwlogs/c.oba.by.log; }

server
    {
        listen 80;
        #listen [::]:80;
        server_name c.oba.by ;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/c.oba.by;

        #include rewrite/none.conf;
        #error_page   404   /404.html;

        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

location /.well-known {
        alias /home/wwwroot/c.oba.by/.well-known;
    }


        location / {
            return 301 https://$host$request_uri;
        }

        access_log  /home/wwwlogs/c.oba.by.log;
    }

不过这次把 location 提到最开始的位置了：

location /.well-known {

alias /home/wwwroot/c.oba.by/.well-known;

}

location /.well-known { alias /home/wwwroot/c.oba.by/.well-known; }

location /.well-known {
        alias /home/wwwroot/c.oba.by/.well-known;
    }

再次尝试更新证书就 ok 了，为了保险 https 配置下也可以加入这个路径，对应路径/home/wwwroot/c.oba.by/.well-known如果不存在的话需要重新创建。

[Wed 17 Jan 2024 08:59:51 AM CST] Your cert is in[1;32m/usr/local/nginx/conf/ssl/c.oba.by_ecc/c.oba.by.cer

[Wed 17 Jan 2024 08:59:51 AM CST] Your cert key is in[1;32m/usr/local/nginx/conf/ssl/c.oba.by_ecc/c.oba.by.key

[Wed 17 Jan 2024 08:59:51 AM CST] The intermediate CA cert is in[1;32m/usr/local/nginx/conf/ssl/c.oba.by_ecc/ca.cer

[Wed 17 Jan 2024 08:59:51 AM CST] And the full chain certs is there[1;32m/usr/local/nginx/conf/ssl/c.oba.by_ecc/fullchain.cer

[Wed 17 Jan 2024 08:59:51 AM CST] Your cert is in[1;32m/usr/local/nginx/conf/ssl/c.oba.by_ecc/c.oba.by.cer [Wed 17 Jan 2024 08:59:51 AM CST] Your cert key is in[1;32m/usr/local/nginx/conf/ssl/c.oba.by_ecc/c.oba.by.key [Wed 17 Jan 2024 08:59:51 AM CST] The intermediate CA cert is in[1;32m/usr/local/nginx/conf/ssl/c.oba.by_ecc/ca.cer [Wed 17 Jan 2024 08:59:51 AM CST] And the full chain certs is there[1;32m/usr/local/nginx/conf/ssl/c.oba.by_ecc/fullchain.cer

[Wed 17 Jan 2024 08:59:51 AM CST] Your cert is in[1;32m/usr/local/nginx/conf/ssl/c.oba.by_ecc/c.oba.by.cer
[Wed 17 Jan 2024 08:59:51 AM CST] Your cert key is in[1;32m/usr/local/nginx/conf/ssl/c.oba.by_ecc/c.oba.by.key
[Wed 17 Jan 2024 08:59:51 AM CST] The intermediate CA cert is in[1;32m/usr/local/nginx/conf/ssl/c.oba.by_ecc/ca.cer
[Wed 17 Jan 2024 08:59:51 AM CST] And the full chain certs is there[1;32m/usr/local/nginx/conf/ssl/c.oba.by_ecc/fullchain.cer

☆版权☆

* 网站名称：obaby@mars
* 网址：https://lang.ma/
* 个性：https://oba.by/
* 本文标题：《nginx proxy_pass 条件下的 ssl 证书自动更新》
* 本文链接：https://loli.gifts/2024/01/15152
* 短链接：https://oba.by/?p=15152
* 转载文章请标明文章来源，原文标题以及原文链接。请遵从《署名-非商业性使用-相同方式共享 2.5 中国大陆 (CC BY-NC-SA 2.5 CN) 》许可协议。

Previous Post Next Post

obaby

爱好广泛的火星小妖精，有问题欢迎留言交流啊~(✪ω✪) 爬虫类工具请先点击这个链接查看用法https://oba.by/?p=12240 闺蜜圈APP下载 https://guimiquan.cn

37 comments

王光卫博客说道：

2024年1月20日 12:24

Firefox 121 Windows 10 中国中国移动
自动更新就安逸了，免得经常去更新

回复
1. obaby说道：
  
  2024年1月20日 12:58
  
  Google Chrome 118 Mac OS X 10.15 中国–山东–青岛联通
  嗯嗯，是的。
  
  回复
阿猪说道：

2024年1月20日 15:11

Google Chrome 120 Windows 10 中国中国联通
这个封面图我能看老半天

回复
1. obaby说道：
  
  2024年1月20日 15:55
  
  Google Chrome 120 Windows 10 中国–山东–临沂联通
  喜欢可以多看会儿
  
  回复
小饿说道：

2024年1月20日 18:23

Google Chrome 120 Mac OS X 10.15 中国–河北–石家庄电信
曾经尝试过npm，部署了好多遍都没成功，后来的方案是，国内服务器用宝塔面板，国外服务器用1panel，免费、自动续期，纵享丝滑~

回复
1. obaby说道：
  
  2024年1月20日 19:44
  
  Google Chrome 120 Android 10 中国–山东–临沂联通
  嗯嗯一般的话面板方便，我这里服务比较多。还不如直接命令来得快，另外这些面板之前装过熟悉这些面板的功夫我都改完了
  
  回复
w4j1e说道：

2024年1月20日 22:52

Microsoft Edge 120 Windows 10 中国中国移动
如果 cdn 控制台也需要一份证书的话咋办？

回复
1. obaby说道：
  
  2024年1月20日 23:25
  
  Google Chrome 120 Android 10 中国–山东–临沂联通
  这个不大好办啦有的cdn支持自动签发免费证书，目前用的失控是这样的。但是无畏云貌似不支持用的一年的免费证书
  
  回复
粽叶加米说道：

2024年1月20日 23:15

Google Chrome 120 Windows 10 中国–广东移动
我用的是Bitnami栈HTTPS配置工具bncert，可自动续订。

回复
1. obaby说道：
  
  2024年1月21日 11:31
  
  Google Chrome 120 Android 10 中国中国联通
  这个没用过找时间研究下
  
  回复
似水流年说道：

2024年1月21日 09:36

Google Chrome 99 Windows 10 中国–河南–漯河联通
不知道为啥能获取但解析不了你的feed了，难道是因为这个？

回复
1. obaby说道：
  
  2024年1月21日 11:32
  
  Google Chrome 120 Android 10 中国中国联通
  应该不是吧这个是另外一个服务的证书。
  
  回复
2. obaby说道：
  
  2024年1月21日 14:54
  
  Google Chrome 120 Android 10 中国–山东–临沂联通
  修好了文章导致的
  
  回复
  1. 似水流年说道：
    
    2024年1月21日 16:46
    
    Microsoft Edge 120 Windows 10 中国–河南–漯河联通
    又可以开心的解析了。
    
    回复
    1. obaby说道：
      
      2024年1月21日 20:37
      
      Google Chrome 120 Android 10 中国–山东–临沂联通
      嗯嗯
      
      回复
Dabenshi说道：

2024年1月21日 12:05

Google Chrome 120 Windows 10 中国–北京–北京联通
是不是又动RSS了，XML Fatal Error 63: CData section not finished

回复
1. obaby说道：
  
  2024年1月21日 12:07
  
  Google Chrome 120 Android 10 中国中国联通
  no
  
  回复
2. obaby说道：
  
  2024年1月21日 12:07
  
  Google Chrome 120 Android 10 中国中国联通
  可能是最新的文章导致的
  
  回复
3. obaby说道：
  
  2024年1月21日 14:54
  
  Google Chrome 120 Android 10 中国–山东–临沂联通
  修好了文章特殊字符导致的
  
  回复
老麦说道：

2024年1月21日 16:26

Google Chrome 120 Mac OS X 10.15 中国–广东–清远电信
为了解决这个证书问题，大家的解决办法都不太一样呢，不过只要解决了问题就好。

回复
1. obaby说道：
  
  2024年1月21日 16:54
  
  Google Chrome 120 Android 10 中国–山东–临沂联通
  嗯嗯是哒
  
  回复
六月是只猫说道：

2024年1月21日 20:03

Microsoft Edge 118 Windows 10 中国–北京–北京联通
目前一直用的腾讯云的ssl 这个是免费一年的..不用繁琐的更换了哈哈

回复
1. obaby说道：
  
  2024年1月21日 20:37
  
  Google Chrome 120 Android 10 中国–山东–临沂联通
  嗯嗯 cdn用的是腾讯的。这种能自动部署的用的工具
  
  回复
皇家元林说道：

2024年1月22日 00:15

Firefox 121 Windows 10 中国中国移动
我说你前两天的文章，怎么今天才在订阅中显示的呢。
话说这个自动更新，老是安装不了。最后放弃了

回复
1. obaby说道：
  
  2024年1月22日 09:25
  
  Google Chrome 120 Windows 10 中国–山东–临沂联通
  rss发了篇文章发挂了
  自动更新的工具还是挺多的，可以换一个试试
  
  回复
老宋说道：

2024年1月22日 03:43

Firefox 121 Windows 10 中国–广东–深圳移动
域名快点转入成功，我就要申请SSL证书了，然后又要百度做难了

回复
关关说道：

2024年1月22日 09:18

Google Chrome 120 Mac OS X 10.15 中国–江苏–无锡电信
像那些90天就要过期的是真的麻烦有自动更新还好那些cdn要自己上传证书简直要全程骂骂咧咧

回复
1. obaby说道：
  
  2024年1月22日 09:25
  
  Google Chrome 120 Windows 10 中国–山东–临沂联通
  是的，时间短了之后就是手工上传就恶心了。
  
  回复
终成说道：

2024年1月22日 09:43

Google Chrome 120 Android 10 中国–江苏广电网
我都懒得折腾ssl，自从各平台都开始变成90天证书之后，目前国内大厂似乎只剩腾讯云还是提供免费的一年期证书了。但是我还是选择了30块一年的通配符证书

回复
1. obaby说道：
  
  2024年1月22日 09:55
  
  Google Chrome 120 Windows 10 中国–山东–临沂联通
  30一年价格还是可以的
  
  回复
萧俊介说道：

2024年1月22日 11:12

Google Chrome 120 Mac OS X 10.15 中国–湖北–武汉电信
阿里云的证书策略现在改成了「每年20张的免费额度，但要在3个月内用完。」就挺恶心的，无奈我也换成了面板自动续期的证书了。

回复
1. obaby说道：
  
  2024年1月22日 12:09
  
  Google Chrome 120 Android 10 中国–山东–临沂联通
  阿里这个吃相贼恶心，从免费邮箱推送改额度之后就不敢用他们的免费服务了。垃圾
  
  回复
Jeffer.Z说道：

2024年1月23日 10:51

Google Chrome 119 Mac OS X 10.15 中国–北京–北京联通
不用面板，纯手搓，羡慕这个动手能力，我如果会这些，我要一天折腾一遍服务器。

回复
1. Jeffer.Z说道：
  
  2024年1月23日 10:52
  
  Google Chrome 119 Mac OS X 10.15 中国–北京–北京联通
  评论区友链识别 http和https 是不同结果啊，不显示友链了。
  
  回复
  1. obaby说道：
    
    2024年1月23日 11:02
    
    Google Chrome 118 Mac OS X 10.15 中国–山东–青岛联通
    这个是全匹配的，嘎嘎。等找时间优化下匹配逻辑。
    
    回复
紫慕说道：

2024年7月30日 00:25

Google Chrome 126 Windows 10 美国
前来考古，喵喵喵，我就记得你好像发过。

回复
1. obaby说道：
  
  2024年7月30日 07:42
  
  Google Chrome 126 Android 10 中国–山东–临沂联通
  考古队员你好
  
  回复