Question
I'm trying to automate the setup of certbot + nginx on a server using Ansible.
The first time it runs, there are no letsencrypt certificates (yet). However I create the nginx conf as follows, referencing SSL/cert directories that will be created by certbot
server {
    listen 443 ssl;
    server_name example.co;
    # ...
    # SSL: these paths only exist after certbot's first successful run
    ssl_certificate /etc/letsencrypt/live/example.co/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.co/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
server {
    # plain-HTTP listener that redirects the site to HTTPS
    if ($host = example.co) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    server_name example.co;
    return 404;
}
Then later in the Ansible play I run certbot-auto with the --nginx plugin, but I receive an error
> /usr/local/bin/certbot-auto certonly --nginx -n --agree-tos --text -d example.co --email admin@example.co
Error while running nginx -c /etc/nginx/nginx.conf -t.
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/example.co/fullchain.pem"
It seems that certbot first checks the nginx conf before proceeding (which makes sense), but the conf fails validation since it refers to directories that don't exist. Also, the --nginx plugin (or at least some other plugin) is required, so I can't leave it off.
So I'm in a sort of chicken-and-egg situation because:
- I can't create the nginx conf before running certbot, because certbot tries to validate the nginx conf, and it fails because it references directories that don't exist
- I can't run certbot before creating the nginx conf, because certbot uses the site's conf to request new certificates
The only option I can see is to:
- create the nginx conf without the #SSL lines
- run certbot to get new certs
- update the nginx conf file to add in the #SSL lines
This feels messy, but not sure if there's another way?
What's the right order to run this in?
Thanks!
Answer 1:
The .conf file surely needs to be there before running certbot. Certbot will then itself write the path to the certificates into the file, so step 3 should not be necessary.
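The two-stage sequence the answer describes, written out as an added example (this is not code from the question, the answer, or the certbot project). The site config is rendered from a function that emits the TLS server block only when both PEM files already exist, so the first render passes the `nginx -t` that certbot runs, and a later re-render (for example on the next Ansible run) does not clobber a working HTTPS setup. The hostname, e-mail, webroot directory and `sites-available` paths are assumptions; `bootstrap_site` needs root, nginx and certbot on a real host and is not exercised offline.

```shell
#!/usr/bin/env bash
# Added example: bootstrap an nginx site so the config is valid before the
# first certbot run, then render it again once the certificate exists.
# Assumptions: Debian-style sites-available layout, a webroot for ACME
# challenges, and the same hostname as the question (example.co).
set -eu

WEBROOT="/var/www/letsencrypt"   # assumed ACME challenge directory

# Return 0 when both files nginx will reference already exist and are non-empty.
cert_present() {
    local live_dir="$1"
    [ -s "${live_dir}/fullchain.pem" ] && [ -s "${live_dir}/privkey.pem" ]
}

# Print the site config for DOMAIN.
# Stage 1 (no certificate yet): a plain-HTTP server that can answer the
# HTTP-01 challenge. nginx -t succeeds because no ssl_* directive is emitted.
# Stage 2 (certificate present): stage 1 plus the redirect and the TLS server
# block from the question, pointing at the files under LIVE_DIR.
render_site_conf() {
    local domain="$1" live_dir="$2"
    cat <<EOF
server {
    listen 80;
    server_name ${domain};
    location /.well-known/acme-challenge/ {
        root ${WEBROOT};
    }
EOF
    if cert_present "${live_dir}"; then
        cat <<EOF
    location / {
        return 301 https://\$host\$request_uri;
    }
}
server {
    listen 443 ssl;
    server_name ${domain};
    ssl_certificate ${live_dir}/fullchain.pem;
    ssl_certificate_key ${live_dir}/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
EOF
    else
        printf '}\n'
    fi
}

# Full sequence for a real host (root, nginx and certbot required).
# usage: bootstrap_site example.co admin@example.co
bootstrap_site() {
    local domain="$1" email="$2"
    local live_dir="/etc/letsencrypt/live/${domain}"
    local site_conf="/etc/nginx/sites-available/${domain}"   # assumed path
    mkdir -p "${WEBROOT}"
    # Stage 1: config without ssl_* lines, so certbot's own nginx -t passes.
    render_site_conf "${domain}" "${live_dir}" > "${site_conf}"
    ln -sf "${site_conf}" "/etc/nginx/sites-enabled/${domain}"
    nginx -t && systemctl reload nginx
    # Same certonly invocation as the question; the nginx authenticator only
    # needs a valid config for the domain. --webroot -w "${WEBROOT}" would
    # work with the same stage-1 config if the nginx plugin is not wanted.
    certbot certonly --nginx -n --agree-tos -d "${domain}" --email "${email}"
    # Stage 2: the certificate now exists, so the TLS block is emitted.
    render_site_conf "${domain}" "${live_dir}" > "${site_conf}"
    nginx -t && systemctl reload nginx
}
```

Two caveats for the certonly variant: `options-ssl-nginx.conf` and `ssl-dhparams.pem` are written by certbot's nginx installer, so if the certificate is obtained with a different authenticator (for example `--webroot`) those two lines must be dropped or the files supplied some other way; and if `certbot --nginx` is run without `certonly`, the plugin edits the server block itself (as the answer says), so the stage-2 render must produce the same directives or it will overwrite certbot's changes on the next run.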
Source: https://stackoverflow.com/questions/58295060/which-comes-first-creating-the-nginx-site-conf-file-or-running-certbot-aut