Certbot/Letsencrypt的NGINX Configuraiton

Question

我无法在我的NGINX/Ubuntu18.04实例上启动和运行certbot。我在

https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-18-04

我选择让certbot重定向，它更新了我的站点的配置文件。

我的配置文件如下所示：

server {
        listen 80;
        listen [::]:80;

        root /var/www/punkmap.com/html;
        index index.html index.htm index.nginx-debian.html;

        server_name punkmap.com www.punkmap.com;

        location / {
                try_files $uri $uri/ =404;
        }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/punkmap.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/punkmap.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

certbot对我的配置文件所做的添加破坏了我的站点。通过删除certbot添加到我的配置文件中的代码行，很容易修复。然而，我在互联网上找不到任何信息来说明如何纠正这个问题。

我的站点配置应该是什么样子？

谢谢!

泰勒

Answer 1

问题是在同一个服务器块中有两个listen指令。最好的解决方案是手动编辑nginx配置，将其拆分为两个服务器块。非ssl (端口80)块应该重定向到ssl(端口443)块。像这样的事情应该有效：

server {
  listen 80;
  listen [::]:80;

  server_name punkmap.com www.punkmap.com;
  return 301 https://$host$request_uri;
}

server {

  root /var/www/punkmap.com/html;
  index index.html index.htm index.nginx-debian.html;

  server_name punkmap.com www.punkmap.com;

  location / {
    try_files $uri $uri/ =404;
  }

  listen [::]:443 ssl ipv6only=on;
  listen 443 ssl;
  ssl_certificate /etc/letsencrypt/live/punkmap.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/punkmap.com/privkey.pem;
  include /etc/letsencrypt/options-ssl-nginx.conf;
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

然后，在将来升级时，请确保传递--cert-only参数，这样您的配置就不会再次受到干扰。请注意，我删除了Certbot注释管理的所有#，因为在此之后，它们将由您管理。