让我们加密失败的授权程序 - docker

Question

我正在尝试为我的站点设置 https 证书。由于我使用的是 docker 容器，因此我设置了以下配置

1. Node 将 public 内容提供给名为 static-content
的命名驱动程序
2. 此驱动程序由 nginx 访问和服务

我的docker-撰写文件

version : '2'

services:
  nginx:
    container_name: nginx
    build: ./nginx/
    ports:
      - "80:80"
      - "443:443"
    links:
      - web:web
    volumes:
      - /etc/letsencrypt/:/etc/letsencrypt/
      - /etc/ssl:/etc/ssl
      - static-content:/usr/src/app

  web:
    container_name: web
    image: kannaj/42exp
    env_file: .env
    volumes:
      - ./logs:/usr/src/app/logs
      - static-content:/usr/src/app/public
    expose:
      - "8000"
    environment:
      - NODE_ENV=production

    command: npm run package

volumes:
  static-content:

运行ning docker volume inspect static-content 显示如下

[
    {
        "Driver": "local",
        "Labels": null,
        "Mountpoint": "/var/lib/docker/volumes/www_static-content/_data",
        "Name": "www_static-content",
        "Options": {},
        "Scope": "local"
    }
]

然后我运行 sudo certbot certonly --force-renewal --webroot -w /var/lib/docker/volumes/www_static-content/_data -d 42exp.com -d www.42exp.com

但我收到以下错误

  Domain: 42exp.com
   Type:   unauthorized
   Detail: Invalid response from
   http://42exp.com/.well-known/acme-challenge/KbQko2Y6lZfiDcbZ-dF7DTchX3G__wmZVMMn4xT8tjs
   [139.162.21.71]: 404

   Domain: www.42exp.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.42exp.com/.well-known/acme-challenge/gHHrVOYg9OfLznO7SiH_HTo6A6SGLpUHYuJax1U65ws
   [139.162.21.71]: 404

经过一番研究，我将以下内容添加到 nginx 中的服务器块，假设 certbot 无法访问域

  location ~ /.well-known {
            allow all;
    }

我现在收到了不同的 404 响应

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.42exp.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.42exp.com/.well-known/acme-challenge/dWH2F9pApDnElq8jpqiykaylqUF7NR-RZ8MmWTg1NRA:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: 42exp.com
   Type:   unauthorized
   Detail: Invalid response from
   http://42exp.com/.well-known/acme-challenge/z_A7WOrYzEEu0RvmAFkgpNCz9ONNYByGc3RkdeqmJDo:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

我查看了我的静态内容文件夹，似乎确实有一个 .well-known 文件夹。我不确定为什么我仍然收到 404。 有人能帮忙吗？

Answer 1

如 this thread 中所述：

• 您指定的网络根是否正确？
• 如果你把文件放在 /usr/src/app/.well-known/acme-challenge/test 你能在 http://www.42exp.com/.well-known/acme-challenge/test 找到它吗？

测试文件似乎不存在，NGiNX returns 404.html 页面的内容。

As seen here, the certbot path might not be correct. See this tutorial（不是在 docker 上下文中，但仍然可以为您提供一些线索）

无论如何，请检查 nginx 日志以查看正在访问的内容。

你需要说明 /.well-known 应该指向哪里：root /usr/src/app;
但是看到“NGiNX Pitfalls and Common Mistakes”

Putting root inside of a location block will work and it’s perfectly valid.

What’s wrong is when you start adding location blocks. If you add a root to every location block then a location block that isn’t matched will have no root.

Therefore, it is important that a root directive occur prior to your location blocks, which can then override this directive if they need to.

Answer 2

原来我必须在这里包含一个根指令

 location ~ /.well-known {
            root /usr/src/app;
            allow all;
    }