Cron jobs for Let's Encrypt SSL renewal with mongod on nginx
I've got a parse-server up and running on DigitalOcean following this guide. When configuring MongoDB for migration you execute this command:
sudo cat /etc/letsencrypt/archive/domain_name/{fullchain1.pem,privkey1.pem} | sudo tee /etc/ssl/mongo.pem
After that the tutorial says:
You will have to repeat the above command after renewing your Let's Encrypt certificate. If you configure auto-renewal of the Let's Encrypt certificate, remember to include this operation.
In order to do this I added a cronjob to my let's encrypt cronjobs like this:
30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
33 2 * * 1 cat /etc/letsencrypt/archive/DOMAIN/{fullchain1.pem,privkey1.pem} | tee /etc/ssl/mongo.pem
35 2 * * 1 /etc/init.d/nginx reload
However after restarting the server on a Monday, mongod wouldn't start because it couldn't find/read /etc/ssl/mongo.pem.
How do I set this up correctly? Do I need to chown/chmod the file in another cronjob?
Thanks for your help!
I ran into a problem with the script above. Unfortunately Let's Encrypt doesn't override fullchain and privkey but adds new versions when the certificate is due to renew:
fullchain2.pem
privkey2.pem
So I had to alter the script accordingly. I also put the renew and nginx part inside so we need only one cronjob:
#!/bin/bash
# stop nginx
/etc/init.d/nginx stop
# check for new cert
/opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
# combine latest letsencrypt files for mongo
# find latest fullchain*.pem
newestFull=$(ls -v /etc/letsencrypt/live/DOMAIN/fullchain*.pem | tail -n 1)
echo "$newestFull"
# find latest privkey*.pem
newestPriv=$(ls -v /etc/letsencrypt/live/DOMAIN/privkey*.pem | tail -n 1)
echo "$newestPriv"
# combine to mongo.pem (redirect rather than tee, so cron does not mail or log the private key)
cat "$newestFull" "$newestPriv" > /etc/ssl/mongo.pem
# set rights for mongo.pem
chmod 600 /etc/ssl/mongo.pem
chown mongodb:mongodb /etc/ssl/mongo.pem
# restart mongo
/sbin/restart mongod
# start nginx
/etc/init.d/nginx start
Ok, so here is what I ended up with. I wrote a little script:
#!/bin/bash
# combine letsencrypt files for mongo (redirect rather than tee, so cron does not mail or log the private key)
cat /etc/letsencrypt/archive/DOMAIN/{fullchain1.pem,privkey1.pem} > /etc/ssl/mongo.pem
# set rights for mongo.pem
chmod 600 /etc/ssl/mongo.pem
chown mongodb:mongodb /etc/ssl/mongo.pem
# restart mongo
/sbin/restart mongod
and fire it with a cron job:
30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
# run the script with bash (cat would only print it)
33 2 * * 1 /bin/bash /root/myScript
35 2 * * 1 /etc/init.d/nginx reload
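A hardened version of the combine step from the two answers above, as an added example that is not part of the original posts. It reads the live/ symlinks, which certbot repoints at the newest archive version on every renewal, never prints the private key, and replaces mongo.pem atomically. The function name build_mongo_pem and its arguments are hypothetical.

```shell
#!/bin/bash
# Added example: rebuild MongoDB's combined PEM from a Let's Encrypt "live" directory.
# Prints "updated" or "unchanged"; returns 2 (and leaves the old file alone) on error.
build_mongo_pem() {
    live_dir=$1    # e.g. /etc/letsencrypt/live/DOMAIN
    out=$2         # e.g. /etc/ssl/mongo.pem
    owner=${3:-}   # e.g. mongodb:mongodb (optional, needs root)

    cert="$live_dir/fullchain.pem"
    key="$live_dir/privkey.pem"

    # Refuse missing or truncated inputs, so a failed renewal never
    # replaces a working mongo.pem with a broken one.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null ||
        { echo "bad cert: $cert" >&2; return 2; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null ||
        { echo "bad key: $key" >&2; return 2; }

    # mktemp creates the file with mode 0600, next to the target, so the
    # key is never world-readable and the final rename stays on one filesystem.
    tmp=$(mktemp "$out.XXXXXX") || return 2
    cat "$cert" "$key" > "$tmp" || { rm -f "$tmp"; return 2; }

    # Nothing renewed: keep the existing file so the caller can skip the restart.
    if [ -f "$out" ] && cmp -s "$tmp" "$out"; then
        rm -f "$tmp"
        echo unchanged
        return 0
    fi

    chmod 600 "$tmp"
    if [ -n "$owner" ]; then
        chown "$owner" "$tmp" || { rm -f "$tmp"; return 2; }
    fi
    mv -f "$tmp" "$out"   # atomic rename: mongod never sees a half-written file
    echo updated
}

# Usage in the cron script, after the renew step (paths as on this page):
#   if [ "$(build_mongo_pem /etc/letsencrypt/live/DOMAIN /etc/ssl/mongo.pem mongodb:mongodb)" = updated ]; then
#       /sbin/restart mongod
#   fi
```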