Letsencrypt: problems with Nginx and the certificate (Topic is solved)
When I enable Letsencrypt SSL, Nginx does not restart, and when I open the site it says the certificate has expired, with dates from 2015 to 2016 (the server time is correct), and the domain name does not appear in it (it seems to be the hostname instead).
Although in the panel interface the certificate shows 2019, which is correct.
On another server I managed to get it working, but that one runs php-fpm.
How do I get nginx to restart and the certificate to be the right one?
I have tried different templates, for example:
Code:
server {
listen %ip%:%proxy_ssl_port%;
server_name %domain_idn% %alias_idn%;
ssl on;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
error_log /var/log/httpd/domains/%domain%.error.log error;
location / {
proxy_pass https://%ip%:%web_ssl_port%;
location ~* ^.+\.(%proxy_extentions%)$ {
root %sdocroot%;
access_log /var/log/httpd/domains/%domain%.log combined;
access_log /var/log/httpd/domains/%domain%.bytes bytes;
expires max;
try_files $uri @fallback;
}
}
location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}
location @fallback {
proxy_pass https://%ip%:%web_ssl_port%;
}
location ~ /\.ht {return 404;}
location ~ /\.svn/ {return 404;}
location ~ /\.git/ {return 404;}
location ~ /\.hg/ {return 404;}
location ~ /\.bzr/ {return 404;}
include %home%/%user%/conf/web/snginx.%domain%.conf*;
}
The template is this:
Code:
server {
listen %ip%:%web_ssl_port% ssl http2;
server_name %domain_idn% %alias_idn%;
root %docroot%;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
access_log /var/log/nginx/domains/%domain%.bytes bytes;
error_log /var/log/nginx/domains/%domain%.error.log error;
ssl on;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
try_files $uri $uri/ /index.php?$args;
access_log off;
log_not_found off;
}
location / {
try_files $uri $uri/ /index.php?$args;
if (!-e $request_filename)
{
rewrite ^(.+)$ /index.php?q=$1 last;
}
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
expires max;
}
location ~ [^/]\.php(/|$) {
fastcgi_buffers 8 256k;
fastcgi_buffer_size 128k;
fastcgi_intercept_errors on;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_cache microcache;
fastcgi_cache_key $scheme$host$request_uri$request_method;
fastcgi_cache_valid 200 301 302 30s;
fastcgi_cache_use_stale updating error timeout invalid_header http_500;
fastcgi_pass_header Set-Cookie;
fastcgi_pass_header Cookie;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass %backend_lsnr%;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
}
error_page 403 /error/404.html;
error_page 404 /error/404.html;
error_page 500 502 503 504 /error/50x.html;
location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}
location ~* "/\.(htaccess|htpasswd)$" {
deny all;
return 404;
}
location /vstats/ {
alias %home%/%user%/web/%domain%/stats/;
include %home%/%user%/web/%domain%/stats/auth.conf*;
}
include /etc/nginx/conf.d/phpmyadmin.inc*;
include /etc/nginx/conf.d/phppgadmin.inc*;
include /etc/nginx/conf.d/webmail.inc*;
include %home%/%user%/conf/web/nginx.%domain_idn%.conf*;
}
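What the original post describes (the panel showing a valid 2019 certificate while the browser receives an expired 2015-2016 one under a different name) is best checked by comparing the certificate a client actually receives on port 443 with the PEM file the panel wrote. The following shell functions are an added example, not part of this thread or of the VestaCP templates; they assume the openssl CLI is installed, and the host name and PEM path in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or VestaCP): compare the certificate that
# clients actually receive on HOST:PORT with the PEM file the panel wrote, so an
# "expired cert with the wrong name" can be traced to whichever daemon or vhost
# answers on 443 rather than to the Let's Encrypt certificate itself.
# Assumes the openssl CLI; host names and paths used below are placeholders.

# SHA-256 fingerprint of the first certificate in a PEM file (hex, colon separated).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Subject and validity period of a PEM file, one line each.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -startdate -enddate
}

# Fingerprint of the leaf certificate served on HOST:PORT, sending SNI=$3
# (defaults to HOST). Needs network access to the server being checked.
served_fingerprint() {
    host=$1; port=$2; sni=${3:-$1}
    openssl s_client -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# check_served_matches_file HOST PORT PEMFILE: 0 when the served leaf is the
# certificate in PEMFILE; on mismatch prints both fingerprints and the file's
# subject/dates so the two can be compared with what the browser shows.
check_served_matches_file() {
    expected=$(cert_fingerprint "$3")
    actual=$(served_fingerprint "$1" "$2")
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        echo "OK: $1:$2 serves $3"
        return 0
    fi
    echo "MISMATCH on $1:$2"
    echo "  file:   $expected"
    echo "  served: $actual"
    cert_summary "$3"
    return 1
}

# Usage (placeholder host and path):
#   check_served_matches_file domain.ru 443 /path/to/ssl.domain.ru.pem
```

If the fingerprints differ, the process answering on 443 is not serving the panel's file. That is consistent with the later posts in this thread, where Apache's default ssl.conf holds port 443, so the browser sees Apache's own certificate while nginx, whose template would serve the Let's Encrypt file, never starts.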
Re: Letsencrypt: problems with Nginx and the certificate
Which OS is on the server? What error do you get when restarting nginx with
Code:
service nginx restart
Re: Letsencrypt: problems with Nginx and the certificate
CentOS 6.1
nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (2: No such file or directory)
2019/04/09 21:51:45 [emerg] 30624#30624: open() "/var/log/nginx/error.log" failed (2: No such file or directory)
nginx: configuration file /etc/nginx/nginx.conf test failed
nginx.conf:
Code:
# Server globals
user nginx;
worker_processes 2;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
load_module "modules/ngx_http_geoip_module.so";
# Worker config
events {
worker_connections 1024;
use epoll;
}
http {
# Main settings
sendfile on;
tcp_nopush on;
tcp_nodelay on;
client_header_timeout 1m;
client_body_timeout 1m;
client_header_buffer_size 2k;
client_body_buffer_size 256k;
client_max_body_size 100m;
large_client_header_buffers 4 8k;
send_timeout 30;
keepalive_timeout 60 60;
reset_timedout_connection on;
server_tokens off;
server_name_in_redirect off;
server_names_hash_max_size 512;
server_names_hash_bucket_size 512;
### GeoIP start
geoip_country /usr/share/GeoIP/GeoIP.dat;
geoip_city /usr/share/GeoIP/GeoLiteCity.dat;
### SET FASTCGI Variables ###
fastcgi_param GEOIP_CITY_COUNTRY_CODE $geoip_city_country_code;
fastcgi_param GEOIP_CITY_COUNTRY_CODE3 $geoip_city_country_code3;
fastcgi_param GEOIP_CITY_COUNTRY_NAME $geoip_city_country_name;
fastcgi_param GEOIP_REGION $geoip_region;
fastcgi_param GEOIP_CITY $geoip_city;
fastcgi_param GEOIP_POSTAL_CODE $geoip_postal_code;
fastcgi_param GEOIP_CITY_CONTINENT_CODE $geoip_city_continent_code;
fastcgi_param GEOIP_LATITUDE $geoip_latitude;
fastcgi_param GEOIP_LONGITUDE $geoip_longitude;
###geo ip apache###
proxy_set_header GEOIP_COUNTRY_CODE $geoip_country_code;
proxy_set_header GEOIP_COUNTRY_CODE3 $geoip_country_code3;
proxy_set_header GEOIP_COUNTRY_NAME $geoip_country_name;
proxy_set_header GEOIP_CITY_COUNTRY_CODE $geoip_city_country_code;
proxy_set_header GEOIP_CITY_COUNTRY_CODE3 $geoip_city_country_code3;
proxy_set_header GEOIP_CITY_COUNTRY_NAME $geoip_city_country_name;
proxy_set_header GEOIP_REGION $geoip_region;
proxy_set_header GEOIP_CITY $geoip_city;
proxy_set_header GEOIP_POSTAL_CODE $geoip_postal_code;
proxy_set_header GEOIP_CITY_CONTINENT_CODE $geoip_city_continent_code;
proxy_set_header GEOIP_LATITUDE $geoip_latitude;
proxy_set_header GEOIP_LONGITUDE $geoip_longitude;
# Log format
log_format main '$remote_addr - $remote_user [$time_local] $request '
'"$status" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format bytes '$body_bytes_sent';
#access_log /var/log/nginx/access.log main;
access_log off;
# Mime settings
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Compression
gzip on;
gzip_comp_level 9;
gzip_min_length 512;
gzip_buffers 8 64k;
gzip_types text/plain text/css text/javascript
application/x-javascript;
gzip_proxied any;
# Proxy settings
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_header Set-Cookie;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;
# Cloudflare https://www.cloudflare.com/ips
set_real_ip_from ИП-АДРЕС/21;
set_real_ip_from ИП-АДРЕС/20;
#set_real_ip_from 2400:cb00::/32;
#set_real_ip_from 2606:4700::/32;
#set_real_ip_from 2803:f800::/32;
#set_real_ip_from 2405:b500::/32;
#set_real_ip_from 2405:8100::/32;
real_ip_header CF-Connecting-IP;
# SSL PCI Compliance
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:bla-bla-bla-bla-bla.......";
# Error pages
error_page 403 /error/403.html;
error_page 404 /error/404.html;
error_page 502 503 504 /error/50x.html;
# Cache
proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=512m;
proxy_temp_path /var/cache/nginx/temp;
proxy_cache_key "$host$request_uri $cookie_user";
proxy_ignore_headers Expires Cache-Control;
proxy_cache_use_stale error timeout invalid_header http_502;
proxy_cache_valid any 3d;
map $http_cookie $no_cache {
default 0;
~SESS 1;
~wordpress_logged_in 1;
}
# Wildcard include
include /etc/nginx/conf.d/*.conf;
server {
location ~ \.php$ {
if (!-e $request_filename) {
return 404;
}
fastcgi_pass 127.0.0.1:9000;
include fastcgi_params;
include /etc/nginx/fastcgi_params;
}
}
}
Re: Letsencrypt: problems with Nginx and the certificate
Could you provide access? We will take a look at what is going on with LE.
Re: Letsencrypt: problems with Nginx and the certificate
Thanks for the offer; for now I am still trying to sort it out myself.
Now when restarting nginx I see something more understandable, but what to do about it is not yet clear:
nginx: [emerg] bind() to IP-HERE:80 failed (98: Address already in use)
nginx: [emerg] still could not bind()
Code:
(I have masked the IPs; the top one really was all zeros)
/etc/nginx$ netstat -ant | grep -i listen | grep ':80'
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 176.000000:8080 0.0.0.0:* LISTEN
tcp 0 0 178.000000:8080 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8081 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8083 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8084 0.0.0.0:* LISTEN
Now it says the same thing, but about port 443:
nginx: [emerg] bind() to IP-HERE:443 failed (98: Address already in use)
netstat shows for 443:
tcp 0 0 :::443 :::* LISTEN 2488/httpd
Code:
/etc/httpd/conf.d/149.202.139.49.conf:NameVirtualHost 149.000000:8443
/etc/httpd/conf.d/149.202.139.49.conf:Listen 149.000000:8443
/etc/httpd/conf.d/176.31.252.120.zzz:NameVirtualHost 176.000000:8443
/etc/httpd/conf.d/176.31.252.120.zzz:Listen 176.000000:8443
/etc/httpd/conf.d/178.33.202.49.conf:NameVirtualHost 178.000000:8443
/etc/httpd/conf.d/178.33.202.49.conf:Listen 178.000000:8443
/etc/httpd/conf.d/178.33.202.50.conf:NameVirtualHost 178.000000:8443
/etc/httpd/conf.d/178.33.202.50.conf:Listen 178.000000:8443
/etc/httpd/conf.d/178.33.202.51.conf:NameVirtualHost 178.000000:8443
/etc/httpd/conf.d/178.33.202.51.conf:Listen 178.000000:8443
/etc/httpd/conf.d/178.32.4.210.conf:NameVirtualHost 178.000000:8443
/etc/httpd/conf.d/178.32.4.210.conf:Listen 178.000000:8443
/etc/httpd/conf.d/ssl.conf:Listen 443
/etc/httpd/conf.d/ssl.conf:<VirtualHost _default_:443>
/etc/httpd/conf.d/ssl.conf:#ServerName www.example.com:443
/etc/httpd/conf.d/149.202.137.179.conf:NameVirtualHost 149.000000:8443
/etc/httpd/conf.d/149.202.137.179.conf:Listen 149.000000:8443
/etc/httpd/conf.d/178.32.4.211.conf:NameVirtualHost 178.000000:8443
/etc/httpd/conf.d/178.32.4.211.conf:Listen 178.000000:8443
/etc/httpd/conf.d/178.32.4.208.conf:NameVirtualHost 178.000000:8443
/etc/httpd/conf.d/178.32.4.208.conf:Listen 178.000000:8443
/etc/httpd/conf.d/178.33.202.48.conf:NameVirtualHost 178.000000:8443
/etc/httpd/conf.d/178.33.202.48.conf:Listen 178.000000:8443
/etc/httpd/conf.d/178.32.4.209.conf:NameVirtualHost 178.000000:8443
/etc/httpd/conf.d/178.32.4.209.conf:Listen 178.000000:8443
/etc/httpd/conf.d/94.23.211.178.conf:NameVirtualHost 176.000000:8443
/etc/httpd/conf.d/94.23.211.178.conf:Listen 176.000000:8443
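The bind() failure and the netstat/grep output above show that httpd already listens on :443, so nginx cannot. What follows is an added example, not from the thread or from VestaCP: two shell functions that pull the owning PID/program out of `netstat -tlnp` output, with a constructed sample in the same column layout as the lines above (PIDs and addresses made up), so the conflict can be confirmed before editing any Listen directive and re-checked afterwards.

```shell
#!/bin/sh
# Added example (not from the thread): confirm which daemon owns a listening
# port from `netstat -tlnp` output before changing Listen in httpd/nginx, and
# verify the expectation again after the change.

# Constructed sample in `netstat -tlnp` format, modelled on the thread's lines
# (PIDs and addresses are made up).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      30624/nginx
tcp        0      0 127.0.0.1:8081          0.0.0.0:*               LISTEN      1200/nginx
tcp        0      0 0.0.0.0:8083            0.0.0.0:*               LISTEN      1200/nginx
tcp        0      0 :::443                  :::*                    LISTEN      2488/httpd
tcp        0      0 :::8443                 :::*                    LISTEN      2488/httpd'

# port_owner PORT [NETSTAT_TEXT]: prints one "PID/Program" per LISTEN socket on
# PORT. Without the second argument it runs netstat -tlnp itself (PIDs are only
# shown to root; otherwise the column reads "-").
port_owner() {
    port=$1
    if [ $# -ge 2 ]; then input=$2; else input=$(netstat -tlnp 2>/dev/null); fi
    printf '%s\n' "$input" | awk -v p="$port" '
        $6 == "LISTEN" {
            n = split($4, addr, ":")      # port is the last ":"-separated field,
            if (addr[n] == p) print $7    # which also handles :::443 (IPv6 any)
        }'
}

# expect_owner PORT NAME [NETSTAT_TEXT]: returns 0 when every listener on PORT
# belongs to program NAME, 1 when nothing listens there or another program
# holds it (the offenders are printed). A trailing ":" as in "nginx: master"
# is ignored when comparing names.
expect_owner() {
    port=$1; name=$2; shift 2
    owners=$(port_owner "$port" "$@")
    [ -n "$owners" ] || { echo "nothing listens on :$port"; return 1; }
    bad=$(printf '%s\n' "$owners" | awk -F/ -v n="$name" '{ sub(/:$/, "", $2) } $2 != n')
    if [ -n "$bad" ]; then
        echo "port :$port is held by: $bad (expected $name)"
        return 1
    fi
    return 0
}

# Stand-alone demonstration on the constructed sample.
echo "owner of :443 in sample: $(port_owner 443 "$SAMPLE_NETSTAT")"
expect_owner 443 nginx "$SAMPLE_NETSTAT" || echo "-> fix the Listen directive, then re-run the check"
```

On the server itself run `port_owner 443` or `expect_owner 443 nginx` without the sample argument, as root so netstat can fill in the PID column. Only netstat's column layout is parsed; `ss -tlnp` prints a different layout and would need its own parser.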
Re: Letsencrypt: problems with Nginx and the certificate
If I stop the panel, then httpd, and restart nginx, httpd then does not come back up afterwards.
They apparently get in each other's way, but I do not know how to resolve it..
Code:
/etc/httpd/conf.d$ service httpd start
[Wed Apr 10 12:22:27 2019] [warn] NameVirtualHost 176.31.252.120:8443 has no VirtualHosts
[Wed Apr 10 12:22:27 2019] [warn] NameVirtualHost 178.32.4.210:8443 has no VirtualHosts
[Wed Apr 10 12:22:27 2019] [warn] NameVirtualHost 178.32.4.211:8443 has no VirtualHosts
[Wed Apr 10 12:22:27 2019] [warn] NameVirtualHost 178.32.4.208:8443 has no VirtualHosts
[Wed Apr 10 12:22:27 2019] [warn] NameVirtualHost 178.32.4.209:8443 has no VirtualHosts
[Wed Apr 10 12:22:27 2019] [warn] NameVirtualHost 149.202.137.179:8443 has no VirtualHosts
[Wed Apr 10 12:22:27 2019] [warn] NameVirtualHost 178.33.202.49:8443 has no VirtualHosts
[Wed Apr 10 12:22:27 2019] [warn] NameVirtualHost 178.33.202.48:8443 has no VirtualHosts
[Wed Apr 10 12:22:27 2019] [warn] NameVirtualHost 178.33.202.51:8443 has no VirtualHosts
[Wed Apr 10 12:22:27 2019] [warn] NameVirtualHost 178.33.202.50:8443 has no VirtualHosts
(98)Address already in use: make_sock: could not bind to address [::]:443
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
In /etc/httpd/conf.d/ssl.conf there is Listen 443,
and in the per-IP configs, 149.202.137.179.conf:
Code:
NameVirtualHost 149.202.137.179:8080
Listen 149.202.137.179:8080
NameVirtualHost 149.202.137.179:8443
Listen 149.202.137.179:8443
Re: Letsencrypt: problems with Nginx and the certificate
Try running:
Code:
service nginx stop
service httpd stop
killall httpd
killall nginx
service httpd start
service nginx start
Re: Letsencrypt: problems with Nginx and the certificate
It would be better if you provided access and we looked directly on the server.
Re: Letsencrypt: problems with Nginx and the certificate
It seems I managed to beat it; still testing.
I changed Listen in /etc/httpd/conf.d/ssl.conf from 443 to 1500.
Is that an acceptable option?
But in the templates /home/domain.ru/conf/web/domain.ru.nginx.ssl.conf the ports are still 443 and 8443.
---------
One more thing: if you block bots on the server by User-Agent, the letsencrypt bot may get cut off. I do not know what their UA is, so for now I had to disable blocking by UA. This can cause the .well-known/acme-challenge/ error.