
Following this guide, I have a Parse Server up and running on DigitalOcean. When configuring MongoDB for the migration, you run the following command:

sudo cat /etc/letsencrypt/archive/domain_name/{fullchain1.pem,privkey1.pem} | sudo tee /etc/ssl/mongo.pem

After that, the tutorial says:

After renewing the Let's Encrypt certificate you have to repeat the command above. If you configure automatic renewal of the Let's Encrypt certificate, remember to include this step.

To do that, I added a cronjob to my Let's Encrypt cronjobs, like so:

30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
33 2 * * 1 cat /etc/letsencrypt/archive/DOMAIN/{fullchain1.pem,privkey1.pem} | tee /etc/ssl/mongo.pem
35 2 * * 1 /etc/init.d/nginx reload

However, after the server restarted on Monday, mongod could not start because it could not find/read /etc/ssl/mongo.pem.

How do I set this up correctly? Do I need to chown/chmod the file in another cronjob?

Thanks for your help!

2 Answers

I ran into problems with the script above. Unfortunately Let's Encrypt does not overwrite fullchain and privkey, but adds new versions when the certificate is renewed: fullchain2.pem privkey2.pem

So I had to change the script accordingly. I also put the renewal and the nginx part inside it, so we only need one cronjob:

#!/bin/bash

# stop nginx (the standalone renewal needs the port, so nginx must be down while it runs)
/etc/init.d/nginx stop

# check for new cert
/opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log

# combine latest letsencrypt files for mongo
# (live/DOMAIN holds symlinks that always point at the newest archive files;
#  ls -v sorts version numbers numerically, so 10 sorts after 9)

# find latest fullchain*.pem
newestFull=$(ls -v /etc/letsencrypt/live/DOMAIN/fullchain*.pem | tail -n 1)
echo "$newestFull"

# find latest privkey*.pem
newestPriv=$(ls -v /etc/letsencrypt/live/DOMAIN/privkey*.pem | tail -n 1)
echo "$newestPriv"

# combine to mongo.pem: create it with mode 600 from the start (umask 077) and use a
# redirect instead of tee, so the private key is neither world-readable nor echoed to
# stdout (cron mails whatever the job prints)
umask 077
cat "$newestFull" "$newestPriv" > /etc/ssl/mongo.pem

# set rights for mongo.pem
chmod 600 /etc/ssl/mongo.pem
chown mongodb:mongodb /etc/ssl/mongo.pem

# restart mongo
/sbin/restart mongod

# start nginx
/etc/init.d/nginx start
answered 2016-08-28T09:00:40.987
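The procedure in this thread (pick the newest numbered fullchain/privkey pair, concatenate them, fix ownership and permissions, restart mongod) has a few sharp edges the answer's script leaves open: a lexical sort picks fullchain9 over fullchain10, tee echoes the private key to stdout, and the bundle is briefly world-readable and can be left half-written if the job dies. The following POSIX sh script is an added example, not code from either answer or from the tutorial; it assumes a Certbot-style archive directory containing fullchainN.pem and privkeyN.pem with N increasing on every renewal, and takes the mongod user as an optional argument. The function and directory names are my own.

```sh
#!/bin/sh
# Added example: rebuild MongoDB's combined PEM from the newest Let's Encrypt archive files.
# Assumptions (not taken from the answers above): ARCHIVE_DIR holds fullchainN.pem and
# privkeyN.pem with N increasing on each renewal; OWNER is the user:group mongod runs as.

# newest_version DIR PREFIX: print the path of the highest-numbered PREFIX<N>.pem in DIR.
# Sorting numerically (not lexically) matters once N reaches 10: "10" must beat "9".
newest_version() {
    dir=$1
    prefix=$2
    n=$(ls "$dir" | sed -n "s/^${prefix}\([0-9][0-9]*\)\.pem\$/\1/p" | sort -n | tail -n 1)
    [ -n "$n" ] || return 1
    printf '%s/%s%s.pem\n' "$dir" "$prefix" "$n"
}

# build_mongo_pem ARCHIVE_DIR DEST [OWNER]: write fullchain+privkey to DEST with mode 0600.
# The bundle is assembled in a temp file next to DEST under umask 077 (never world-readable,
# not even briefly), checked for both a certificate and a key, and only then renamed into
# place, so a half-written or empty file can never replace a working one.
build_mongo_pem() {
    archive=$1
    dest=$2
    owner=${3:-}
    full=$(newest_version "$archive" fullchain) || { echo "no fullchainN.pem in $archive" >&2; return 1; }
    priv=$(newest_version "$archive" privkey) || { echo "no privkeyN.pem in $archive" >&2; return 1; }
    tmp="$dest.tmp.$$"
    rm -f "$tmp"
    # write with a redirect, not tee: tee would echo the private key to stdout (cron mails it)
    ( umask 077 && cat "$full" "$priv" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    # sanity check before touching the live file: both halves must be present
    if ! grep -q 'BEGIN CERTIFICATE' "$tmp" || ! grep -q 'PRIVATE KEY' "$tmp"; then
        rm -f "$tmp"
        echo "bundle from $full and $priv is incomplete" >&2
        return 1
    fi
    if [ -n "$owner" ]; then
        chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    # rename within the same directory is atomic; readers see the old or the new file, never a mix
    mv -f "$tmp" "$dest"
}

# Usage when run directly (paths are placeholders for your own):
#   build_mongo_pem /etc/letsencrypt/archive/DOMAIN /etc/ssl/mongo.pem mongodb:mongodb && /sbin/restart mongod
if [ "$#" -ge 2 ]; then
    build_mongo_pem "$@"
fi
```

Run it from the same cron line as the renewal, after `letsencrypt-auto renew`, and restart mongod only when it returns 0; on failure the previous /etc/ssl/mongo.pem is left untouched, which is exactly what you want at 2:33 on a Monday morning.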
OK, here is what I ended up with. I wrote a small script:

#!/bin/bash

# combine letsencrypt files for mongo
# (umask 077 creates the file with mode 600; a redirect instead of tee keeps the
#  private key out of stdout, which cron would otherwise mail)
umask 077
cat /etc/letsencrypt/archive/DOMAIN/{fullchain1.pem,privkey1.pem} > /etc/ssl/mongo.pem

# set rights for mongo.pem
chmod 600 /etc/ssl/mongo.pem
chown mongodb:mongodb /etc/ssl/mongo.pem

# restart mongo
/sbin/restart mongod

and trigger it with a cron job:

30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
33 2 * * 1 /bin/bash /root/myScript
35 2 * * 1 /etc/init.d/nginx reload
answered 2016-05-18T21:28:53.617