Letsencrypt: problems with Nginx and the certificate

Posted: Tue Apr 09, 2019 5:19 pm
by Shashel
When I enable SSL via Letsencrypt, nginx does not restart, and when I open the site the browser says the certificate has expired, with dates from 2015 to 2016 (the server time is correct), and the domain name does not appear in it (it seems to be the hostname instead).
Yet in the interface it shows a 2019 certificate, everything is correct there.

I have tried different templates, for example


server {
    listen      %ip%:%proxy_ssl_port%;
    server_name %domain_idn% %alias_idn%;
    ssl         on;
    ssl_certificate      %ssl_pem%;
    ssl_certificate_key  %ssl_key%;
    error_log  /var/log/httpd/domains/%domain%.error.log error;

    location / {
        proxy_pass      https://%ip%:%web_ssl_port%;
        location ~* ^.+\.(%proxy_extentions%)$ {
            root           %sdocroot%;
            access_log     /var/log/httpd/domains/%domain%.log combined;
            access_log     /var/log/httpd/domains/%domain%.bytes bytes;
            expires        max;
            try_files      $uri @fallback;
        }
    }

    location /error/ {
        alias   %home%/%user%/web/%domain%/document_errors/;
    }

    location @fallback {
        proxy_pass      https://%ip%:%web_ssl_port%;
    }

    location ~ /\.ht    {return 404;}
    location ~ /\.svn/  {return 404;}
    location ~ /\.git/  {return 404;}
    location ~ /\.hg/   {return 404;}
    location ~ /\.bzr/  {return 404;}

    include %home%/%user%/conf/web/snginx.%domain%.conf*;
}

On another server I managed to get it working, but that one runs phpfpm.
The template there is this


server {
    listen      %ip%:%web_ssl_port% ssl http2;
    server_name %domain_idn% %alias_idn%;
    root        %docroot%;
    index       index.php index.html index.htm;
    access_log  /var/log/nginx/domains/%domain%.log combined;
    access_log  /var/log/nginx/domains/%domain%.bytes bytes;
    error_log   /var/log/nginx/domains/%domain%.error.log error;

    ssl         on;
    ssl_certificate      %ssl_pem%;
    ssl_certificate_key  %ssl_key%;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        try_files $uri $uri/ /index.php?$args;
        access_log off;
        log_not_found off;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;

        if (!-e $request_filename)
        {
            rewrite ^(.+)$ /index.php?q=$1 last;
        }

        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
            expires     max;
        }

        location ~ [^/]\.php(/|$) {
            fastcgi_buffers 8 256k;
            fastcgi_buffer_size 128k;
            fastcgi_intercept_errors on;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;

            fastcgi_cache microcache;
            fastcgi_cache_key $scheme$host$request_uri$request_method;
            fastcgi_cache_valid 200 301 302 30s;
            fastcgi_cache_use_stale updating error timeout invalid_header http_500;
            fastcgi_pass_header Set-Cookie;
            fastcgi_pass_header Cookie;
            fastcgi_ignore_headers Cache-Control Expires Set-Cookie;

            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            if (!-f $document_root$fastcgi_script_name) {
                return  404;
            }

            fastcgi_pass    %backend_lsnr%;
            fastcgi_index   index.php;
            include         /etc/nginx/fastcgi_params;
        }
    }

    error_page  403 /error/404.html;
    error_page  404 /error/404.html;
    error_page  500 502 503 504 /error/50x.html;

    location /error/ {
        alias   %home%/%user%/web/%domain%/document_errors/;
    }

    location ~* "/\.(htaccess|htpasswd)$" {
        deny    all;
        return  404;
    }
    
    location /vstats/ {
        alias   %home%/%user%/web/%domain%/stats/;
        include %home%/%user%/web/%domain%/stats/auth.conf*;
    }

    include     /etc/nginx/conf.d/phpmyadmin.inc*;
    include     /etc/nginx/conf.d/phppgadmin.inc*;
    include     /etc/nginx/conf.d/webmail.inc*;

    include     %home%/%user%/conf/web/nginx.%domain_idn%.conf*;

}

How do I make nginx restart and the certificate be the correct one?

Re: Letsencrypt: problems with Nginx and the certificate

Posted: Tue Apr 09, 2019 6:30 pm
by imperio
Which OS is on the server? What is the error when you restart nginx


service nginx restart

Re: Letsencrypt: problems with Nginx and the certificate

Posted: Tue Apr 09, 2019 6:55 pm
by Shashel
CentOS 6.1
nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (2: No such file or directory)
2019/04/09 21:51:45 [emerg] 30624#30624: open() "/var/log/nginx/error.log" failed (2: No such file or directory)
nginx: configuration file /etc/nginx/nginx.conf test failed
Nginx.conf


# Server globals
user                    nginx;
worker_processes        2;
error_log               /var/log/nginx/error.log;
pid                     /var/run/nginx.pid;

load_module "modules/ngx_http_geoip_module.so";

# Worker config
events {
        worker_connections  1024;
        use                 epoll;
}

http {
    # Main settings
    sendfile                        on;
    tcp_nopush                      on;
    tcp_nodelay                     on;
    client_header_timeout           1m;
    client_body_timeout             1m;
    client_header_buffer_size       2k;
    client_body_buffer_size         256k;
    client_max_body_size            100m;
    large_client_header_buffers     4   8k;
    send_timeout                    30;
    keepalive_timeout               60 60;
    reset_timedout_connection       on;
    server_tokens                   off;
    server_name_in_redirect         off;
    server_names_hash_max_size      512;
    server_names_hash_bucket_size   512;

    ### GeoIP start
    geoip_country /usr/share/GeoIP/GeoIP.dat;
    geoip_city  /usr/share/GeoIP/GeoLiteCity.dat;
    ### SET FASTCGI Variables ###
    fastcgi_param GEOIP_CITY_COUNTRY_CODE $geoip_city_country_code;
    fastcgi_param GEOIP_CITY_COUNTRY_CODE3 $geoip_city_country_code3;
    fastcgi_param GEOIP_CITY_COUNTRY_NAME $geoip_city_country_name;
    fastcgi_param GEOIP_REGION $geoip_region;
    fastcgi_param GEOIP_CITY $geoip_city;
    fastcgi_param GEOIP_POSTAL_CODE $geoip_postal_code;
    fastcgi_param GEOIP_CITY_CONTINENT_CODE $geoip_city_continent_code;
    fastcgi_param GEOIP_LATITUDE $geoip_latitude;
    fastcgi_param GEOIP_LONGITUDE $geoip_longitude;

    ###geo ip apache###
    proxy_set_header GEOIP_COUNTRY_CODE $geoip_country_code;
    proxy_set_header GEOIP_COUNTRY_CODE3 $geoip_country_code3;
    proxy_set_header GEOIP_COUNTRY_NAME $geoip_country_name;
    proxy_set_header GEOIP_CITY_COUNTRY_CODE $geoip_city_country_code;
    proxy_set_header GEOIP_CITY_COUNTRY_CODE3 $geoip_city_country_code3;
    proxy_set_header GEOIP_CITY_COUNTRY_NAME $geoip_city_country_name;
    proxy_set_header GEOIP_REGION $geoip_region;
    proxy_set_header GEOIP_CITY $geoip_city;
    proxy_set_header GEOIP_POSTAL_CODE $geoip_postal_code;
    proxy_set_header GEOIP_CITY_CONTINENT_CODE $geoip_city_continent_code;
    proxy_set_header GEOIP_LATITUDE $geoip_latitude;
    proxy_set_header GEOIP_LONGITUDE $geoip_longitude;

    # Log format
    log_format  main    '$remote_addr - $remote_user [$time_local] $request '
                        '"$status" $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
    log_format  bytes   '$body_bytes_sent';
    #access_log          /var/log/nginx/access.log  main;
    access_log off;


    # Mime settings
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;


    # Compression
    gzip                on;
    gzip_comp_level     9;
    gzip_min_length     512;
    gzip_buffers        8 64k;
    gzip_types          text/plain text/css text/javascript
                        application/x-javascript;
    gzip_proxied        any;


    # Proxy settings
    proxy_redirect      off;
    proxy_set_header    Host            $host;
    proxy_set_header    X-Real-IP       $remote_addr;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass_header   Set-Cookie;
    proxy_connect_timeout   90;
    proxy_send_timeout  90;
    proxy_read_timeout  90;
    proxy_buffers       32 4k;


    # Cloudflare https://www.cloudflare.com/ips
    set_real_ip_from   ИП-АДРЕС/21;
    set_real_ip_from   ИП-АДРЕС/20;
    #set_real_ip_from   2400:cb00::/32;
    #set_real_ip_from   2606:4700::/32;
    #set_real_ip_from   2803:f800::/32;
    #set_real_ip_from   2405:b500::/32;
    #set_real_ip_from   2405:8100::/32;
    real_ip_header     CF-Connecting-IP;


    # SSL PCI Compliance
    ssl_session_cache   shared:SSL:10m;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers        "ECDHE-RSA-AES256-GCM-SHA384:bla-bla-bla-bla-bla.......";


    # Error pages
    error_page          403          /error/403.html;
    error_page          404          /error/404.html;
    error_page          502 503 504  /error/50x.html;


    # Cache
    proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=512m;
    proxy_temp_path  /var/cache/nginx/temp;
    proxy_cache_key "$host$request_uri $cookie_user";
    proxy_ignore_headers Expires Cache-Control;
    proxy_cache_use_stale error timeout invalid_header http_502;
    proxy_cache_valid any 3d;

    map $http_cookie $no_cache {
        default 0;
        ~SESS 1;
        ~wordpress_logged_in 1;
    }


    # Wildcard include
    include             /etc/nginx/conf.d/*.conf;

    server {
        location ~ \.php$ {
            if (!-e $request_filename) {
                return 404;
            }
            fastcgi_pass    127.0.0.1:9000;
            include         fastcgi_params;
            include /etc/nginx/fastcgi_params;
        }
    }

}

Re: Letsencrypt: problems with Nginx and the certificate

Posted: Tue Apr 09, 2019 7:16 pm
by imperio
Could you provide access? We'll take a look at what is going on with LE

Re: Letsencrypt: problems with Nginx and the certificate

Posted: Tue Apr 09, 2019 9:19 pm
by Shashel
Thanks for the offer, for now I am still trying to sort it out myself.
Now when restarting nginx I already see something more understandable
nginx: [emerg] bind() to ЗДЕСЬ-ИП:80 failed (98: Address already in use)
nginx: [emerg] still could not bind()
But what to do about it is not clear yet.


I wiped the IPs; the top one really was all zeros
/etc/nginx$ netstat -ant | grep -i listen | grep ':80'
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      
tcp        0      0 176.000000:8080         0.0.0.0:*                   LISTEN      
tcp        0      0 178.000000:8080          0.0.0.0:*                   LISTEN      
tcp        0      0 127.0.0.1:8081              0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:8083                0.0.0.0:*                   LISTEN      
tcp        0      0 127.0.0.1:8084              0.0.0.0:*                   LISTEN      
Now it says the same thing, but about port 443.
nginx: [emerg] bind() to ЗДЕСЬ-ИП:443 failed (98: Address already in use)
netstat shows this for 443
tcp 0 0 :::443 :::* LISTEN 2488/httpd


/etc/httpd/conf.d/149.202.139.49.conf:NameVirtualHost 149.000000:8443
/etc/httpd/conf.d/149.202.139.49.conf:Listen 149.000000:8443
/etc/httpd/conf.d/176.31.252.120.zzz:NameVirtualHost 176.000000:8443
/etc/httpd/conf.d/176.31.252.120.zzz:Listen 176.000000:8443
/etc/httpd/conf.d/178.33.202.49.conf:NameVirtualHost 178.000000:8443
/etc/httpd/conf.d/178.33.202.49.conf:Listen 178.000000:8443
/etc/httpd/conf.d/178.33.202.50.conf:NameVirtualHost 178.000000:8443
/etc/httpd/conf.d/178.33.202.50.conf:Listen 178.000000:8443
/etc/httpd/conf.d/178.33.202.51.conf:NameVirtualHost 178.000000:8443
/etc/httpd/conf.d/178.33.202.51.conf:Listen 178.000000:8443
/etc/httpd/conf.d/178.32.4.210.conf:NameVirtualHost 178.000000:8443
/etc/httpd/conf.d/178.32.4.210.conf:Listen 178.000000:8443
/etc/httpd/conf.d/ssl.conf:Listen 443
/etc/httpd/conf.d/ssl.conf:<VirtualHost _default_:443>
/etc/httpd/conf.d/ssl.conf:#ServerName www.example.com:443
/etc/httpd/conf.d/149.202.137.179.conf:NameVirtualHost 149.000000:8443
/etc/httpd/conf.d/149.202.137.179.conf:Listen 149.000000:8443
/etc/httpd/conf.d/178.32.4.211.conf:NameVirtualHost 178.000000:8443
/etc/httpd/conf.d/178.32.4.211.conf:Listen 178.000000:8443
/etc/httpd/conf.d/178.32.4.208.conf:NameVirtualHost 178.000000:8443
/etc/httpd/conf.d/178.32.4.208.conf:Listen 178.000000:8443
/etc/httpd/conf.d/178.33.202.48.conf:NameVirtualHost 178.000000:8443
/etc/httpd/conf.d/178.33.202.48.conf:Listen 178.000000:8443
/etc/httpd/conf.d/178.32.4.209.conf:NameVirtualHost 178.000000:8443
/etc/httpd/conf.d/178.32.4.209.conf:Listen 178.000000:8443
/etc/httpd/conf.d/94.23.211.178.conf:NameVirtualHost 176.000000:8443
/etc/httpd/conf.d/94.23.211.178.conf:Listen 176.000000:8443

Re: Letsencrypt: problems with Nginx and the certificate

Posted: Wed Apr 10, 2019 9:27 am
by Shashel
If I stop the panel, then httpd, and restart nginx,
then httpd does not come back up afterwards


/etc/httpd/conf.d$ service httpd start
[Wed Apr 10 12:22:27 2019] [warn] NameVirtualHost 176.31.252.120:8443 has no VirtualHosts
[Wed Apr 10 12:22:27 2019] [warn] NameVirtualHost 178.32.4.210:8443 has no VirtualHosts
[Wed Apr 10 12:22:27 2019] [warn] NameVirtualHost 178.32.4.211:8443 has no VirtualHosts
[Wed Apr 10 12:22:27 2019] [warn] NameVirtualHost 178.32.4.208:8443 has no VirtualHosts
[Wed Apr 10 12:22:27 2019] [warn] NameVirtualHost 178.32.4.209:8443 has no VirtualHosts
[Wed Apr 10 12:22:27 2019] [warn] NameVirtualHost 149.202.137.179:8443 has no VirtualHosts
[Wed Apr 10 12:22:27 2019] [warn] NameVirtualHost 178.33.202.49:8443 has no VirtualHosts
[Wed Apr 10 12:22:27 2019] [warn] NameVirtualHost 178.33.202.48:8443 has no VirtualHosts
[Wed Apr 10 12:22:27 2019] [warn] NameVirtualHost 178.33.202.51:8443 has no VirtualHosts
[Wed Apr 10 12:22:27 2019] [warn] NameVirtualHost 178.33.202.50:8443 has no VirtualHosts
(98)Address already in use: make_sock: could not bind to address [::]:443
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
They apparently get in each other's way, but I don't know how to fix it..

in /etc/httpd/conf.d/ssl.conf there is Listen 443
and in the per-IP configs, 149.202.137.179.conf


NameVirtualHost 149.202.137.179:8080
Listen 149.202.137.179:8080
NameVirtualHost 149.202.137.179:8443
Listen 149.202.137.179:8443
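The bind() failures in the posts above come down to two daemons declaring the same address and port: Apache's ssl.conf binds the wildcard `Listen 443` (which shows up in netstat as `:::443`), so nginx can no longer bind `%ip%:443`. Below is an added example, not code from the thread or from VestaCP, in Python: it parses nginx `listen` and Apache `Listen` directives plus `netstat -antp` output and reports which endpoints overlap. The config fragments, the 203.0.113.10 address (a documentation range) and the PIDs are constructed samples. A wildcard listener (`443`, `*:443`, `0.0.0.0:443`, `[::]:443`) is treated as colliding with any specific address on the same port, which is how the kernel treats a second process trying to listen there. nginx's own default for a server block that has no listen directive at all (it then listens on *:80) is not modelled.

```python
"""Report listen-address collisions between nginx and Apache httpd (added example)."""
import re

# Constructed sample: nginx server blocks after the VestaCP template is expanded.
NGINX_CONF = """\
server {
    listen      203.0.113.10:80;
    listen      203.0.113.10:443 ssl http2;
    server_name example.test;
}
server {
    listen      8083;
}
"""

# Constructed sample: Apache httpd Listen directives laid out like the thread's conf.d.
HTTPD_CONFS = {
    "/etc/httpd/conf.d/ssl.conf": "Listen 443\n<VirtualHost _default_:443>\n",
    "/etc/httpd/conf.d/203.0.113.10.conf": (
        "NameVirtualHost 203.0.113.10:8080\nListen 203.0.113.10:8080\n"
        "NameVirtualHost 203.0.113.10:8443\nListen 203.0.113.10:8443\n"
    ),
}

# Constructed sample: `netstat -antp` LISTEN lines (PIDs and programs are made up).
NETSTAT = """\
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/nginx
tcp        0      0 203.0.113.10:8080       0.0.0.0:*               LISTEN      2488/httpd
tcp        0      0 :::443                  :::*                    LISTEN      2488/httpd
"""

WILDCARDS = {"", "*", "0.0.0.0", "::"}
LISTEN_RE = re.compile(r"^\s*listen\s+(\S+)", re.IGNORECASE | re.MULTILINE)
NETSTAT_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s*(\S*)", re.MULTILINE)


def split_endpoint(token):
    """Normalise '203.0.113.10:443', '443', '[::]:443' or ':::443' to (address, port)."""
    token = token.rstrip(";")
    if token.isdigit():                       # bare port means "all addresses"
        return "*", int(token)
    host, _, port = token.rpartition(":")     # rpartition keeps IPv6 colons in the host
    host = host.strip("[]")
    return ("*" if host in WILDCARDS else host), int(port)


def parse_listens(text):
    """Set of (address, port) endpoints declared by nginx `listen` or Apache `Listen`."""
    return {split_endpoint(m.group(1)) for m in LISTEN_RE.finditer(text)}


def overlaps(a, b):
    """Two endpoints collide when the ports match and either side is the wildcard address."""
    return a[1] == b[1] and (a[0] == b[0] or "*" in (a[0], b[0]))


def find_conflicts(nginx_text, httpd_confs):
    """List (nginx endpoint, httpd file, httpd endpoint) triples that cannot both be bound."""
    found = []
    nginx_eps = sorted(parse_listens(nginx_text))
    for path, text in sorted(httpd_confs.items()):
        for h in sorted(parse_listens(text)):
            for n in nginx_eps:
                if overlaps(n, h):
                    found.append((n, path, h))
    return found


def parse_netstat(text):
    """Map each LISTEN endpoint from netstat output to its 'PID/program' column ('' if absent)."""
    return {split_endpoint(m.group(1)): m.group(2) for m in NETSTAT_RE.finditer(text)}


def who_blocks(nginx_text, netstat_text):
    """For every nginx endpoint, name the socket already listening that overlaps it."""
    held = parse_netstat(netstat_text)
    report = {}
    for n in sorted(parse_listens(nginx_text)):
        for ep, owner in held.items():
            if overlaps(n, ep):
                report[n] = (ep, owner)
    return report


if __name__ == "__main__":
    for n, path, h in find_conflicts(NGINX_CONF, HTTPD_CONFS):
        print(f"nginx {n[0]}:{n[1]} collides with {path}: Listen {h[0]}:{h[1]}")
    for n, (ep, owner) in who_blocks(NGINX_CONF, NETSTAT).items():
        print(f"nginx {n[0]}:{n[1]} is already held by {owner or 'unknown'} on {ep[0]}:{ep[1]}")
```

On the sample data the static check flags ssl.conf's `Listen 443` against nginx's `203.0.113.10:443`, and the netstat check names `2488/httpd` as the current holder of `:::443`. Run against real files, the static check is the one to consult before changing a port, since it finds collisions that will only appear once both daemons try to start together; the netstat check explains an `Address already in use` that is happening right now, including a stale copy of the same daemon.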

Re: Letsencrypt: problems with Nginx and the certificate

Posted: Wed Apr 10, 2019 2:41 pm
by imperio
Try running


service nginx stop
service httpd stop
killall httpd
killall nginx
service httpd start
service nginx start

Re: Letsencrypt: problems with Nginx and the certificate

Posted: Wed Apr 10, 2019 2:58 pm
by Shashel
imperio wrote:
Wed Apr 10, 2019 2:41 pm
Try running
It didn't work; nginx still doesn't start when SSL is enabled.
When I ran the kill, it said no process killed.

Re: Letsencrypt: problems with Nginx and the certificate

Posted: Wed Apr 10, 2019 3:34 pm
by imperio
It would be better if you provide access and we look directly on the server

Re: Letsencrypt: problems with Nginx and the certificate

Posted: Thu Apr 11, 2019 11:02 am
by Shashel
imperio wrote:
Wed Apr 10, 2019 3:34 pm
It would be better if you provide access and we look directly on the server
It seems I managed to beat it, still testing for now.
I changed Listen in /etc/httpd/conf.d/ssl.conf
from 443 to 1500.
Is that an acceptable option?

But in the templates /home/domain.ru/conf/web/domain.ru.nginx.ssl.conf
the ports are still 443 and 8443.

---------
One more thing: if you block bots on the server by User-Agent, the letsencrypt bot may get cut off too; I don't know what their UA is, so for now I had to disable blocking by UA. That can cause an error with .well-known/acme-challenge/