主页 / server / 问题 / 858551
Accepted
030
Asked: 2017-06-30 04:09:19 +0800 CST

如何防止需要停止进程才能让letsencrypt运行成功?

  • 772

当尝试使用 certbot 创建新证书时,假设是80或者443需要可用,但情况似乎并非如此:

-------------------------------------------------------------------------------
The program nginx (process ID 123454) is already listening on TCP port 443. This
will prevent us from binding to that port. Please stop the nginx program
temporarily and then try again.
-------------------------------------------------------------------------------
At least one of the (possibly) required ports is already taken.

发生。

如何在不停止服务(例如 nginx)的情况下更新证书?

尝试解决问题

版本?

root@hostname:~# letsencrypt --version
letsencrypt 0.4.1

选项?

root@hostname:~# letsencrypt --help

  letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates.  By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  renew                Renew previously obtained certs that are near expiry
  revoke               Revoke a previously obtained certificate
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation
  plugins              Display information about installed plugins

Choice of server plugins for obtaining and installing cert:

  (the apache plugin is not installed)
  --standalone      Run a standalone webserver for authentication
  (nginx support is experimental, buggy, and not installed by default)
  --webroot         Place files in a server's webroot folder for authentication

OR use different plugins to obtain (authenticate) the cert and then install it:

  --authenticator standalone --installer apache

More detailed help:

  -h, --help [topic]    print this message, or detailed help on a topic;
                        the available topics are:

   all, automation, paths, security, testing, or any of the subcommands or
   plugins (certonly, install, nginx, apache, standalone, webroot, etc)

使用以下选项是否安全?

  (nginx support is experimental, buggy, and not installed by default)
  --webroot         Place files in a server's webroot folder for authentication
lets-encrypt

2 个回答

  1. Best Answer

    如果您尝试以独立方式使用 certbot(与任何其他 Web 服务器分开),那么是的,您的 Web 服务器将需要停止,以便 certbot 可以使用这些端口。

    但是,您可以将 certbot 需要的目录直接集成到您的网络服务器配置中,然后 certbot 本身就不需要绑定到这些端口。

    • 1

  2. 我从来没有这样做过nginx,但你可能不得不certbot使用dns-01ACME 协议选项。这样,证书更新所需的域控制探测就会发生,而不必绑定实际服务流量的端口。

    为此,您当然需要控制您的 DNS,并且可能必须nginx在成功更新证书后发出信号以重新加载其配置,但这可以在不停机的情况下完成。

    • 1

相关问题