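Expired SSL certificate causes a "not secure" warning when accessing a site over HTTPS

Hi everyone, your half-baked ops guy is back again.

A website that had been working fine suddenly started being reported as not secure. I opened it, and sure enough, it was flagged as not secure.

The browser showed NET::ERR_CERT_DATE_INVALID.

I quickly logged in to the server to see what was going on.

It turned out the site is served by nginx.

Take a look with nginx -t.

Then look at /etc/nginx/nginx.conf: nothing there. On a closer look, the site configuration is pulled in through include /etc/nginx/conf.d/*.conf;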

server
{
    listen 80;
    listen [::]:80;
    server_name sub.xxx.com;

    # Redirect all plain-HTTP requests to HTTPS
    location / {
        return 301 https://sub.xxx.com$request_uri;
    }
    access_log /data/logs/www.log main;
    error_log /data/logs/www_error.log error;
}

server
{
    listen 443 ssl http2;
    server_name sub.xxx.com;
    index index.php index.html;
    root /data/wwwroot/xxxxxx;

    location / {
        rewrite ^/$ /index.php last;
        if (!-e $request_filename) {
            rewrite "^/(.*)$" /index.php/$1 last;
        }
    }

    # Hand PHP requests to the FastCGI backend
    location ~ ^(.+\.php)(.*)$ {
        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fcgi.conf;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires      30d;
        access_log off;
    }

    location ~ .*\.(js|css)?$
    {
        expires      12h;
        access_log off;
    }
    # Directory listing is enabled for /_log
    location /_log {
        autoindex on;
        autoindex_localtime on;
    }
    access_log /data/logs/www.log main;
    error_log /data/logs/www_error.log error;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_certificate /etc/letsencrypt/live/sub.xxx.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/sub.xxx.com/privkey.pem; # managed by Certbot
}

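So the site uses a free Let's Encrypt SSL certificate. The slightly annoying thing about these certificates is that they expire after 90 days; evidently 90 days had passed since the last renewal, so the certificate had expired.

Once the cause is found, the fix is easy: renew the certificate and be done with it.

It turned out the previous ops person had used certbot, which makes it even simpler.

Take a look with the following command; sure enough, the corresponding certificates are there:

# certbot certificates

Then renew the certificates with certbot renew, which completed successfully.

If it reports a failure, nginx needs to be stopped first (systemctl stop nginx.service).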

# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/sub.xxx.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sub.xxx.com
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/sub.xxx.com/fullchain.pem



Processing /etc/letsencrypt/renewal/xxx.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xxx.com
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/xxx.com/fullchain.pem



Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/sub.xxx.com/fullchain.pem (success)
/etc/letsencrypt/live/xxx.com/fullchain.pem (success)
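
A monitoring check that would flag this kind of expiry before visitors see the browser error, as an added example that is not part of the original post: it reads the certificate's notAfter date over TLS and reports when fewer than 30 days remain. The 30-day threshold and the function names are assumptions of this example; sub.xxx.com is the post's placeholder host.

```python
"""Certificate expiry check (added example; threshold and names are assumptions)."""
import socket
import ssl
import sys
from datetime import datetime, timezone

WARN_DAYS = 30                    # assumed alert threshold for a 90-day certificate
X509_V_ERR_CERT_HAS_EXPIRED = 10  # OpenSSL verify code for an expired certificate


def days_left(not_after: str, now: datetime) -> int:
    """Whole days until the notAfter timestamp (negative once it has passed)."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).days


def classify(days: int, warn_days: int = WARN_DAYS) -> str:
    """Map remaining days to a status an alerting job can act on."""
    if days < 0:
        return "EXPIRED"
    return "RENEW" if days < warn_days else "OK"


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect with normal verification and classify the served certificate."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An already expired certificate fails the handshake, so there is no
        # parsed certificate to read; the verify code identifies the cause.
        if exc.verify_code == X509_V_ERR_CERT_HAS_EXPIRED:
            return "EXPIRED"
        raise  # hostname mismatch, untrusted issuer, etc. are separate problems
    return classify(days_left(not_after, datetime.now(timezone.utc)))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "sub.xxx.com"  # placeholder host
    status = check_host(host)
    print(f"{host}: {status}")
    sys.exit(0 if status == "OK" else 1)
```

Run it from cron and alert on a non-zero exit status.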


Reference article: https://www.liaosam.com/use-cron-service-and-certbot-for-renewal-of-letsencrypt-ssl-certificates.html
