Nginx
driverx18, 2019-10-14 01:27:10

Nginx - I can't install ssl certificate, what's the problem?

There is an nginx config (app.conf):

server {
    listen 80;
    index index.php index.html;
    error_log  /var/log/nginx/error.log;
    access_log /var/log/nginx/access.log;
    root /var/www/public;
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass app:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        gzip_static on;
    }
}

server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/your_domain.crt;
    ssl_certificate_key /etc/ssl/rsa.key;
    server_name here_my_website.com;
}

The problem is that when I add the second server { ... } block (the one responsible for SSL) and then docker restart the nginx container, it stays permanently in the restarting state (for example: Restarting (1) 58 seconds ago).
When I remove the server { ... } block responsible for SSL, everything starts fine. I think I did something wrong, since I am installing SSL for the first time and very rarely touch the nginx config. I would be very glad of any help)
I looked at the docker logs, and they showed:
nginx: [emerg] cannot load certificate "/etc/ssl/your_domain.crt": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/ssl/your_domain.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)

Could it be that I put the configs in /etc/ssl/, and nginx in the container, and just can't reach them?

3 answer(s)
ky0, 2019-10-14
@ky0

Well, yes, it is logical - if nginx does not find a file with a certificate, it will not start. Make it available and everything will take off.

SagePtr, 2019-10-14
@SagePtr

I believe that the /etc/ssl directory is outside the container and is not forwarded there, because the processes inside the container do not see it.
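A pre-flight check for exactly the situation in the question, added here as an example (it is not code from the question or from any of the answers): it reads the paths named by ssl_certificate and ssl_certificate_key out of the nginx config, confirms that each file exists where nginx will open it (the host directory that is bind-mounted into the container, passed as a path prefix), and, when openssl is available, confirms that the certificate and key actually belong together. The script name, the prefix convention and the sample config used in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or the answers.
# Assumptions: the nginx config is a plain file on the host, and the directory
# holding the certificates on the host is bind-mounted into the container at the
# same path, so "$root" below is the host directory that becomes "/" for nginx
# (pass an empty prefix to check the host itself). openssl is optional.

# Print the file paths named by ssl_certificate and ssl_certificate_key
# directives, one per line, with surrounding quotes removed. Paths containing
# whitespace are not supported by this simple parser.
ssl_file_paths() {
    sed -n 's/^[[:space:]]*ssl_certificate\(_key\)\{0,1\}[[:space:]]\{1,\}\([^;]*\);.*/\2/p' "$1" \
        | tr -d "\"'"
}

# Return 0 when every referenced certificate or key file exists under "$2"
# (the prefix that stands for the container's "/"); otherwise report each
# missing file on stderr, the same condition nginx turns into its
# "cannot load certificate ... no such file" [emerg], and return 1.
check_ssl_files() {
    cfg=$1
    root=${2:-}
    missing=0
    for p in $(ssl_file_paths "$cfg"); do
        if [ -f "$root$p" ]; then
            echo "ok:      $root$p"
        else
            echo "missing: $root$p (config references $p)" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Return 0 if the certificate and the private key carry the same public key,
# 1 if they do not (or either file cannot be parsed), 2 if openssl is absent.
cert_matches_key() {
    command -v openssl >/dev/null 2>&1 || return 2
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Usage (assumed script name): sh check_ssl_files.sh app.conf /srv/nginx-root
if [ "$#" -ge 1 ]; then
    check_ssl_files "$1" "${2:-}"
fi
```

Run it with the config and the host directory you intend to mount as the container's root; a missing file is reported before the container enters its restart loop instead of after. When the files are present, mounting the directory read-only (for example `-v /etc/ssl:/etc/ssl:ro` on the docker run line) keeps the private key from being writable by anything inside the container.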

Viktor Taran, 2019-10-14
@shambler81

Well, hello. And the second server, which by your own account is hanging on a completely different port, is somehow supposed to pick up the remaining settings from the other server?
Kindly add everything else, and better still, split them into different files so as not to confuse your eyes.

        ######################################################################
        ## SSL configuration
        ######################################################################
        # recommended but not mandatory directive
        # leave commented out unless you know what it is doing
        #more_set_headers 'Strict-Transport-Security: max-age=15768000';
        # "ssl on" is deprecated since nginx 1.15.0; "listen 443 ssl" replaces it
        ssl on;
        ssl_session_cache  shared:SSL:10m;
        ssl_session_timeout 1h;
        # TLSv1.1 is deprecated (RFC 8996); TLSv1.2 alone is the current minimum
        ssl_protocols TLSv1.2 TLSv1.1;
        add_header Strict-Transport-Security "max-age=15768000" always;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
        # certificate, key and DH parameters must all be readable by the nginx process
        ssl_certificate /var/www/clients/client132/web171/ssl/3dpaneli.ru-le.crt;
        ssl_certificate_key /var/www/clients/client132/web171/ssl/3dpaneli.ru-le.key;
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;

Well, then there is the document root, who interprets PHP, and so on and so forth: servers cannot take settings from other servers, in my opinion that is obvious.
And ssl_dhparam needs to be set up too.
