最近部署SSL证书的时候老是报错, cannot load certificate "/usr/local/nginx/ssl/*.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/nginx/ssl/*.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
这个错误也是比较常见的,我出现这个问题首先是查看自己路径下有没有这个文件,排查之后发现确实有这个文件,重启之后还是报这个错误,那这个原因可能是docker部署nginx时挂载目录出现了错误,
docker inspect nginx
往下找
这里没错,那估计是nginx自身的问题
快速用docker部署一个nginx,
docker pull nginx
#部署nginx
docker run -d -p 80:80 --name=nginx --privileged=true nginx
#进入容器内部
docker exec -it nginx /bin/bash
进入容器内部后查看nginx的配置SSL文件的要求
cd /etc
#显示文件
ls
cat ca-certificates.conf
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
# update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
#
# This is autogenerated by dpkg-reconfigure ca-certificates.
# Certificates should be installed under /usr/share/ca-certificates
# and files with extension '.crt' is recognized as available certs.
#
# line begins with # is comment.
# line begins with ! is certificate filename to be deselected.
#
mozilla/ACCVRAIZ1.crt
mozilla/AC_RAIZ_FNMT-RCM.crt
mozilla/Actalis_Authentication_Root_CA.crt
mozilla/AffirmTrust_Commercial.crt
mozilla/AffirmTrust_Networking.crt
mozilla/AffirmTrust_Premium.crt
mozilla/AffirmTrust_Premium_ECC.crt
mozilla/Amazon_Root_CA_1.crt
mozilla/Amazon_Root_CA_2.crt
mozilla/Amazon_Root_CA_3.crt
mozilla/Amazon_Root_CA_4.crt
mozilla/Atos_TrustedRoot_2011.crt
mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt
mozilla/Baltimore_CyberTrust_Root.crt
mozilla/Buypass_Class_2_Root_CA.crt
mozilla/Buypass_Class_3_Root_CA.crt
mozilla/CA_Disig_Root_R2.crt
mozilla/CFCA_EV_ROOT.crt
mozilla/COMODO_Certification_Authority.crt
mozilla/COMODO_ECC_Certification_Authority.crt
mozilla/COMODO_RSA_Certification_Authority.crt
mozilla/Certigna.crt
mozilla/Certigna_Root_CA.crt
mozilla/Certum_Trusted_Network_CA.crt
mozilla/Certum_Trusted_Network_CA_2.crt
mozilla/Chambers_of_Commerce_Root_-_2008.crt
mozilla/Comodo_AAA_Services_root.crt
mozilla/Cybertrust_Global_Root.crt
mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt
mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt
mozilla/DST_Root_CA_X3.crt
mozilla/DigiCert_Assured_ID_Root_CA.crt
mozilla/DigiCert_Assured_ID_Root_G2.crt
mozilla/DigiCert_Assured_ID_Root_G3.crt
mozilla/DigiCert_Global_Root_CA.crt
mozilla/DigiCert_Global_Root_G2.crt
mozilla/DigiCert_Global_Root_G3.crt
mozilla/DigiCert_High_Assurance_EV_Root_CA.crt
mozilla/DigiCert_Trusted_Root_G4.crt
mozilla/E-Tugra_Certification_Authority.crt
mozilla/EC-ACC.crt
mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt
mozilla/Entrust_Root_Certification_Authority.crt
mozilla/Entrust_Root_Certification_Authority_-_EC1.crt
mozilla/Entrust_Root_Certification_Authority_-_G2.crt
mozilla/Entrust_Root_Certification_Authority_-_G4.crt
mozilla/GDCA_TrustAUTH_R5_ROOT.crt
mozilla/GTS_Root_R1.crt
mozilla/GTS_Root_R2.crt
mozilla/GTS_Root_R3.crt
mozilla/GTS_Root_R4.crt
mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt
mozilla/GlobalSign_ECC_Root_CA_-_R4.crt
mozilla/GlobalSign_ECC_Root_CA_-_R5.crt
mozilla/GlobalSign_Root_CA.crt
mozilla/GlobalSign_Root_CA_-_R2.crt
mozilla/GlobalSign_Root_CA_-_R3.crt
mozilla/GlobalSign_Root_CA_-_R6.crt
mozilla/Global_Chambersign_Root_-_2008.crt
mozilla/Go_Daddy_Class_2_CA.crt
mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt
mozilla/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt
mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt
mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt
mozilla/Hongkong_Post_Root_CA_1.crt
mozilla/Hongkong_Post_Root_CA_3.crt
mozilla/ISRG_Root_X1.crt
mozilla/IdenTrust_Commercial_Root_CA_1.crt
mozilla/IdenTrust_Public_Sector_Root_CA_1.crt
mozilla/Izenpe.com.crt
mozilla/Microsec_e-Szigno_Root_CA_2009.crt
mozilla/Microsoft_ECC_Root_Certificate_Authority_2017.crt
mozilla/Microsoft_RSA_Root_Certificate_Authority_2017.crt
mozilla/NAVER_Global_Root_Certification_Authority.crt
mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt
mozilla/Network_Solutions_Certificate_Authority.crt
mozilla/OISTE_WISeKey_Global_Root_GB_CA.crt
mozilla/OISTE_WISeKey_Global_Root_GC_CA.crt
mozilla/QuoVadis_Root_CA.crt
mozilla/QuoVadis_Root_CA_1_G3.crt
mozilla/QuoVadis_Root_CA_2.crt
mozilla/QuoVadis_Root_CA_2_G3.crt
mozilla/QuoVadis_Root_CA_3.crt
mozilla/QuoVadis_Root_CA_3_G3.crt
mozilla/SSL.com_EV_Root_Certification_Authority_ECC.crt
mozilla/SSL.com_EV_Root_Certification_Authority_RSA_R2.crt
mozilla/SSL.com_Root_Certification_Authority_ECC.crt
mozilla/SSL.com_Root_Certification_Authority_RSA.crt
mozilla/SZAFIR_ROOT_CA2.crt
mozilla/SecureSign_RootCA11.crt
mozilla/SecureTrust_CA.crt
mozilla/Secure_Global_CA.crt
mozilla/Security_Communication_RootCA2.crt
mozilla/Security_Communication_Root_CA.crt
mozilla/Sonera_Class_2_Root_CA.crt
mozilla/Staat_der_Nederlanden_EV_Root_CA.crt
mozilla/Staat_der_Nederlanden_Root_CA_-_G3.crt
mozilla/Starfield_Class_2_CA.crt
mozilla/Starfield_Root_Certificate_Authority_-_G2.crt
mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt
mozilla/SwissSign_Gold_CA_-_G2.crt
mozilla/SwissSign_Silver_CA_-_G2.crt
mozilla/T-TeleSec_GlobalRoot_Class_2.crt
mozilla/T-TeleSec_GlobalRoot_Class_3.crt
mozilla/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt
mozilla/TWCA_Global_Root_CA.crt
mozilla/TWCA_Root_Certification_Authority.crt
mozilla/TeliaSonera_Root_CA_v1.crt
mozilla/TrustCor_ECA-1.crt
mozilla/TrustCor_RootCert_CA-1.crt
mozilla/TrustCor_RootCert_CA-2.crt
mozilla/Trustis_FPS_Root_CA.crt
mozilla/Trustwave_Global_Certification_Authority.crt
mozilla/Trustwave_Global_ECC_P256_Certification_Authority.crt
mozilla/Trustwave_Global_ECC_P384_Certification_Authority.crt
mozilla/UCA_Extended_Validation_Root.crt
mozilla/UCA_Global_G2_Root.crt
mozilla/USERTrust_ECC_Certification_Authority.crt
mozilla/USERTrust_RSA_Certification_Authority.crt
mozilla/VeriSign_Universal_Root_Certification_Authority.crt
mozilla/XRamp_Global_CA_Root.crt
mozilla/certSIGN_ROOT_CA.crt
mozilla/certSIGN_Root_CA_G2.crt
mozilla/e-Szigno_Root_CA_2017.crt
mozilla/ePKI_Root_Certification_Authority.crt
mozilla/emSign_ECC_Root_CA_-_C3.crt
mozilla/emSign_ECC_Root_CA_-_G3.crt
mozilla/emSign_Root_CA_-_C1.crt
mozilla/emSign_Root_CA_-_G1.crt
这个就是它里面的内容,主要看里面的注释
cat ca-certificates.conf让我们把证书安装在/etc/ssl/certs目录下,这下之前的问题就说的通了
将自己的证书部署在/etc/ssl/certs目录下就可以了,下面展示我的配置(docker的)
docker run --name nginx -p 80:80 -p 443:443 -v /usr/local/vue:/usr/local/vue -v /usr/local/nginx/nginx.conf:/etc/nginx/nginx.conf -v /usr/local/nginx/logs:/var/log/nginx -v /etc/ssl/certs:/etc/ssl/certs --privileged=true -d --restart=always nginx
这里为了方便直接将挂载目录设置成和nginx内部的一样了,不一样的话,填写pem和key文件的话要安装nginx内部的容器来
ssl_certificate /etc/ssl/certs/*.crt;
ssl_certificate_key /etc/ssl/certs/*.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
部署完后就可以用https访问你的网址了
参考阅读
您阅读本篇文章共花了:
发表评论