Nginx letsencrypt证书权限被拒绝

Question

上下文

我正在高寒码头容器(nginx:stable-alpine)中运行一个nginx实例。目标是使用nginx作为一个(或多个)码头容器的反向代理，该容器只有HTTP，并使用这个面向外部的nginx实例将它们转换为HTTPS。

环境

我没有更改Docker容器中的标准配置，即：

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

此外，我在conf.d .d子文件夹中有两个文件：

ssl-forward.conf

server {
    listen 80;
    server_tokens off;

    server_name sub.example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

django.conf

server {
    listen 443 ssl;
    server_name sub.example.com;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/$server_name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$server_name/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass         http://127.0.0.1:8000;
        proxy_redirect     off;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

letsencrypt证书文件夹具有以下文件夹/文件权限，这意味着证书只能作为根用户读取，文件来自已装入的卷：

drwxr-xr-x    3 root     root          4096 May 15 10:09 accounts
drwx------    3 root     root          4096 May 15 10:09 archive
drwxr-xr-x    2 root     root          4096 May 15 10:09 csr
drwx------    2 root     root          4096 May 15 10:09 keys
drwx------    3 root     root          4096 May 15 10:09 live
-rw-r--r--    1 root     root           721 May 16 11:20 options-ssl-nginx.conf
drwxr-xr-x    2 root     root          4096 May 15 10:09 renewal
drwxr-xr-x    5 root     root          4096 May 15 10:09 renewal-hooks
-rw-r--r--    1 root     root           424 May 16 11:20 ssl-dhparams.pem

nginx的主要进程在用户root下，子进程在用户nginx下：

   13    11 nginx    S    16788   2%   0   0% nginx: worker process
   11     1 root     S    16304   2%   0   0% nginx: master process nginx -g daemon off;

Nginx配置测试给我的是：

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

问题

尽管如此，当我尝试访问https://sub.example.com时，

13#13: *9 cannot load certificate "/etc/letsencrypt/live/sub.example.com/fullchain.pem": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/letsencrypt/live/sub.example.com/fullchain.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib) while SSL handshaking, client: ..., server: 0.0.0.0:443

我怎么能修好它呢？是因为它是conf.d中的子配置，nginx试图通过工作进程而不是主进程(因此作为用户nginx)访问证书吗？这与主配置中的http{}指令中发生的包含有关吗？

Answer 1

老问题，但我们现在开始：

我创建/使用一个像ssl-cert这样的组，root和nginx用户(例如，www-data )都属于这个组。

然后，我在/etc/letsencrypt/archive目录和文件中设置权限，如在这个ansible片段中演示的那样。注意大的“X”

- name: "Fix the access rights of the certificates"
  become: true
  ansible.builtin.file:
    path: "/etc/letsencrypt/archive/{{ cert_domain }}"
    owner: root
    group: ssl-cert
    mode: "u=rwX,g=rX,o="
    recurse: true