Which comes first - creating the nginx site `.conf` file or running `certbot-auto certonly`?

孤人 submitted on 2021-01-29 12:14:49

Question


I'm trying to automate the setup of certbot + nginx on a server using Ansible.

The first time it runs, there are no Let's Encrypt certificates (yet). However, I create the nginx conf as follows, referencing SSL/cert directories that will be created by certbot:

server {

  listen              443 ssl;
  server_name         example.co;

  # ...

  # SSL
  ssl_certificate /etc/letsencrypt/live/example.co/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.co/privkey.pem;
  include /etc/letsencrypt/options-ssl-nginx.conf;
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

}

server {
  if ($host = example.co) {
      return 301 https://$host$request_uri;
  }

  listen 80;
  server_name example.co;
  return 404;
}

Then, later in the Ansible play, I run certbot-auto with the --nginx plugin, but I receive an error:

> /usr/local/bin/certbot-auto certonly --nginx -n --agree-tos --text -d example.co --email admin@example.co

Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/example.co/fullchain.pem"

It seems that certbot first checks the nginx conf before proceeding (which makes sense), but the conf fails validation since it refers to directories that don't exist. Also, the --nginx plugin (or at least some other plugin) is required, so I can't leave it off.

So I'm in a sort of chicken-and-egg situation because -

  1. I can't create the nginx conf before running certbot, because certbot tries to validate the nginx conf, and validation fails because the conf references directories that don't exist.

  2. I can't run certbot before creating the nginx conf, because certbot uses the site's conf to request new certificates.

The only option I can see is to:

  • create the nginx conf without the #SSL lines
  • run certbot to get new certs
  • update the nginx conf file to add in the #SSL lines

This feels messy, but I'm not sure if there's another way?

What's the right order to run this in?

Thanks!


Answer 1:


The .conf file surely needs to be there before running certbot. Certbot will then itself write the path to the certificates into the file, so step 3 should not be necessary.
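A concrete bootstrap sequence, added here as an example and not part of the original question or answer, covering both the poster's three-step workaround and the answer's point that the site conf must exist before certbot runs. Instead of hand-editing the file, it renders the conf from the current state of the Let's Encrypt directory: an HTTP-only server block while no certificate exists (so `nginx -t` passes and the --nginx plugin has a `server_name` to match), and the full TLS block once the certificate is on disk, so re-running the script is idempotent. The `certbot` binary name, the `sites-enabled` path and the `systemctl reload nginx` call are assumptions (the flags are the ones from the question); the HTTP-to-HTTPS redirect is written as a plain `return 301` rather than the `if ($host = ...)` form certbot generates. The distinction the answer relies on: `certbot certonly --nginx` only issues the certificate, whereas `certbot --nginx` without `certonly` also edits the server block to add the `ssl_*` directives itself.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent nginx + certbot
# bootstrap. The site conf is rendered from whatever currently exists under
# the Let's Encrypt root, so it is valid both before and after issuance.
# Binary names and paths below are assumptions; adjust to the target host.
set -eu

# Emit the server blocks for DOMAIN on stdout. LE_ROOT defaults to
# /etc/letsencrypt and is parameterised so the renderer can be exercised
# against a scratch directory without touching the real host.
render_site_conf() {
  domain="$1"
  le_root="${2:-/etc/letsencrypt}"
  cert="$le_root/live/$domain/fullchain.pem"
  key="$le_root/live/$domain/privkey.pem"

  if [ -s "$cert" ] && [ -s "$key" ]; then
    # Certificate present: full TLS vhost plus HTTP -> HTTPS redirect.
    cat <<EOF
server {
  listen 443 ssl;
  server_name $domain;
  ssl_certificate $cert;
  ssl_certificate_key $key;
  include $le_root/options-ssl-nginx.conf;
  ssl_dhparam $le_root/ssl-dhparams.pem;
}

server {
  listen 80;
  server_name $domain;
  return 301 https://\$host\$request_uri;
}
EOF
  else
    # Bootstrap vhost: no ssl_* directives at all, so "nginx -t" succeeds
    # before any certificate exists and the --nginx plugin can find a
    # server block whose server_name matches the requested domain.
    cat <<EOF
server {
  listen 80;
  server_name $domain;
  location / { return 404; }
}
EOF
  fi
}

# Report which variant render_site_conf would produce: "tls" or "bootstrap".
conf_mode() {
  if render_site_conf "$1" "${2:-/etc/letsencrypt}" | grep -q 'listen 443 ssl'; then
    echo tls
  else
    echo bootstrap
  fi
}

# The actual order of operations on the real host (run as root).
bootstrap() {
  domain="$1"
  email="$2"
  conf="/etc/nginx/sites-enabled/$domain.conf"   # assumed layout

  # 1. HTTP-only conf: nginx -t passes and certbot has a server block to match.
  render_site_conf "$domain" > "$conf"
  nginx -t && systemctl reload nginx

  # 2. Issue the certificate. "certonly" does not touch the nginx conf;
  #    drop it if you want certbot to insert the ssl_* lines itself.
  certbot certonly --nginx -n --agree-tos --text -d "$domain" --email "$email"

  # 3. Re-render: the certificate now exists, so the TLS block is emitted,
  #    and nginx -t validates against files that are really on disk.
  render_site_conf "$domain" > "$conf"
  nginx -t && systemctl reload nginx
}

# Only perform the live bootstrap when invoked explicitly, e.g.
#   sh bootstrap.sh --run example.co admin@example.co
if [ "${1:-}" = "--run" ]; then
  bootstrap "$2" "$3"
fi
```

Running the script a second time is harmless: step 1 sees the certificate and writes the TLS conf straight away, and certbot's renewal logic handles the rest. In an Ansible play the same idea maps onto a `stat` of `fullchain.pem` followed by a template whose `ssl_*` lines are conditional on the stat result.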



Source: https://stackoverflow.com/questions/58295060/which-comes-first-creating-the-nginx-site-conf-file-or-running-certbot-aut
