Fixing an SSL certificate: debug notes
The cert renewed successfully but the site still showed it as expired. Following advice from people online I deleted /etc/letsencrypt and requested a new one, and then (......) that seems to have been bad advice.
Error 1: cannot load fullchain.pem
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/網站域名/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/網站域名/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
Fix: request the certificate again with certbot certonly
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Nginx Web Server plugin (nginx) [Misconfigured]
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
Error 2: ssl-dhparams.pem failed
nginx: [emerg] BIO_new_file("/etc/letsencrypt/ssl-dhparams.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/ssl-dhparams.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
Fix: a 4096-bit dhparams key has to be generated
cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096
Source: https://scaron.info/blog/improve-your-nginx-ssl-configuration.html
('This is going to take a long time' really is quite a while)
Once it finishes, copy it back into the corresponding directory and rename it
cp /etc/ssl/certs/dhparam.pem /etc/letsencrypt/
cd /etc/letsencrypt/
mv dhparam.pem ssl-dhparams.pem
2048 bits also works: https://gist.github.com/fotock/9cf9afc2fd0f813828992ebc4fdaad6f
If it really takes too long, have a look at this: https://www.linode.com/community/questions/18453/generating-a-diffie-hellman-4096-bit-key
Error 3
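A pre-flight check for errors 1 and 2 above, added here as an example (it is not part of the original notes): before reloading nginx, confirm that every file a server block references via ssl_certificate, ssl_certificate_key or ssl_dhparam actually exists and is readable, since a missing one is exactly what produces the BIO_new_file "no such file" failures. It assumes a POSIX sh with awk; the config path in the usage comment is an assumption.

```shell
#!/bin/sh
# check_ssl_paths CONFIG
#   Lists every path named by an ssl_certificate, ssl_certificate_key or
#   ssl_dhparam directive in CONFIG that does not exist or is not readable.
#   Returns 0 when all files are present, 1 otherwise. Commented-out
#   directives (lines starting with #) are ignored, as nginx ignores them.
check_ssl_paths() {
    conf="$1"
    missing=0
    # awk splits on whitespace, so $1 is the directive and $2 its argument;
    # strip a trailing ';' and any surrounding double quotes from the path.
    paths=$(awk '$1 ~ /^(ssl_certificate|ssl_certificate_key|ssl_dhparam)$/ {
                     gsub(/[";]/, "", $2); print $2 }' "$conf")
    for p in $paths; do
        if [ ! -r "$p" ]; then
            echo "MISSING: $p"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Example usage (path is an assumption; run before reloading nginx):
#   check_ssl_paths /etc/nginx/sites-enabled/default && nginx -t
```

A path printed as MISSING here is the file nginx will refuse to load on reload, which is what leaves the old, expired certificate being served.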
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Fix: remove the symbolic link
sudo rm /etc/nginx/sites-enabled/default