fix: use the Let's Encrypt default certificate paths

- SSL certificates now reference /etc/letsencrypt/live/rwaapi.szaiai.com/ directly
- Remove the unnecessary symlink creation step
- Add notes on certbot automatic renewal
- Update the SSL certificate troubleshooting commands

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Developer 2025-12-01 20:59:59 -08:00
parent 2ece6328ba
commit c421a06f16
1 changed files with 28 additions and 16 deletions


@ -127,12 +127,15 @@
│ └── rwaapi.szaiai.com.conf # API 网关配置
├── sites-enabled/ # 已启用站点 (软链接)
│ └── rwaapi.szaiai.com.conf → ../sites-available/rwaapi.szaiai.com.conf
├── snippets/ # 可复用配置片段
│ ├── proxy-params.conf # 代理参数
│ └── ssl-params.conf # SSL 安全参数
└── ssl/
├── rwaapi.szaiai.com.pem # SSL 证书
└── rwaapi.szaiai.com.key # SSL 私钥
└── snippets/ # 可复用配置片段
├── proxy-params.conf # 代理参数
└── ssl-params.conf # SSL 安全参数
/etc/letsencrypt/live/rwaapi.szaiai.com/ # Let's Encrypt SSL 证书 (自动管理)
├── fullchain.pem # 完整证书链
├── privkey.pem # 私钥
├── cert.pem # 服务器证书
└── chain.pem # 中间证书
```
**使用 `sites-available/sites-enabled` 的优势:**
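Review bot: the new `/etc/letsencrypt/live/rwaapi.szaiai.com/` tree omits the fact that the four `.pem` entries under `live/` are symlinks into `/etc/letsencrypt/archive/rwaapi.szaiai.com/` (where certbot writes each versioned `fullchain1.pem`, `privkey1.pem`, and so on), and that both directories are root-only. Anything that copies or bind-mounts only `live/` (for example a container volume for the nginx service) ends up with dangling links after the next renewal; suggest annotating the entries as `fullchain.pem -> ../../archive/.../fullchainN.pem` in the same style already used for `sites-enabled/`, and separating this tree from the `/etc/nginx/` tree with a blank line so the two roots are not read as one hierarchy.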
@ -284,9 +287,9 @@ server {
listen 443 ssl http2;
server_name rwaapi.szaiai.com;
# SSL 证书
ssl_certificate /etc/nginx/ssl/rwaapi.szaiai.com.pem;
ssl_certificate_key /etc/nginx/ssl/rwaapi.szaiai.com.key;
# Let's Encrypt SSL 证书 (默认路径)
ssl_certificate /etc/letsencrypt/live/rwaapi.szaiai.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/rwaapi.szaiai.com/privkey.pem;
# 引入 SSL 安全参数
include snippets/ssl-params.conf;
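Review bot: pointing `ssl_certificate` / `ssl_certificate_key` at `/etc/letsencrypt/live/...` means this server block now fails `nginx -t` and nginx refuses to start until certbot has issued the certificate, which matters because the setup script later obtains that certificate with the nginx plugin, i.e. it needs a running nginx. Suggest documenting the ordering explicitly next to this block: enable only the port-80 server first, run certbot, then enable the 443 block and reload. Also worth a one-line note that nginx loads the certificate into memory at start/reload, so a renewed file on disk is not served until nginx is reloaded.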
@ -950,11 +953,18 @@ rm -f /etc/nginx/sites-enabled/default
# 6. 安装 SSL 证书 (Let's Encrypt)
apt install -y certbot python3-certbot-nginx
# 获取证书 (证书自动保存到 /etc/letsencrypt/live/rwaapi.szaiai.com/)
certbot certonly --nginx -d rwaapi.szaiai.com
# 证书会自动保存到 /etc/letsencrypt/live/rwaapi.szaiai.com/
# 然后创建软链接到 /etc/nginx/ssl/:
ln -s /etc/letsencrypt/live/rwaapi.szaiai.com/fullchain.pem /etc/nginx/ssl/rwaapi.szaiai.com.pem
ln -s /etc/letsencrypt/live/rwaapi.szaiai.com/privkey.pem /etc/nginx/ssl/rwaapi.szaiai.com.key
# 证书文件:
# /etc/letsencrypt/live/rwaapi.szaiai.com/fullchain.pem (完整证书链)
# /etc/letsencrypt/live/rwaapi.szaiai.com/privkey.pem (私钥)
# 无需创建软链接Nginx 配置直接引用 Let's Encrypt 路径
# 设置自动续期 (Let's Encrypt 证书有效期 90 天)
# certbot 已自动配置 systemd timer可通过以下命令验证:
systemctl list-timers | grep certbot
# 或手动测试续期:
certbot renew --dry-run
# 7. 测试配置
nginx -t
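Review bot: step 6 runs `certbot certonly --nginx` after step 5 has already enabled the `rwaapi.szaiai.com.conf` site whose 443 block references `/etc/letsencrypt/live/rwaapi.szaiai.com/fullchain.pem`; at that point the file does not exist, so nginx cannot start and the nginx authenticator has nothing to answer the HTTP-01 challenge with. Suggest either issuing the certificate before enabling the 443 server block or splitting the site into an HTTP-only block for bootstrap. Separately, `certonly` does not install or reload anything on renewal, so the renewal line should carry a reload hook, e.g. `certbot certonly --nginx -d rwaapi.szaiai.com --deploy-hook 'systemctl reload nginx'`, otherwise the timer renews the files on disk while the running nginx keeps serving the expiring certificate. Finally, `systemctl list-timers | grep certbot` and `certbot renew --dry-run` only prove the timer exists and issuance works; a comment that `certbot renew` is a no-op until the certificate is within 30 days of expiry would stop readers from treating its "not yet due for renewal" output as a failure.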
@ -1136,9 +1146,11 @@ docker compose up -d --build identity-service
- 检查 OPTIONS 预检请求是否返回 204
### Q3: SSL 证书问题
- 检查证书路径: `ls -la /etc/nginx/ssl/`
- 测试 SSL: `openssl s_client -connect rwaapi.szaiai.com:443`
- 检查证书有效期: `openssl x509 -in /etc/nginx/ssl/rwaapi.szaiai.com.pem -noout -dates`
- 检查 Let's Encrypt 证书: `ls -la /etc/letsencrypt/live/rwaapi.szaiai.com/`
- 测试 SSL 连接: `openssl s_client -connect rwaapi.szaiai.com:443`
- 检查证书有效期: `openssl x509 -in /etc/letsencrypt/live/rwaapi.szaiai.com/fullchain.pem -noout -dates`
- 手动续期证书: `certbot renew`
- 查看续期日志: `journalctl -u certbot.timer`
### Q4: 服务间通信失败
- 检查 Docker 网络: `docker network inspect rwa-network`
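Review bot: in Q3, `journalctl -u certbot.timer` shows only the timer's trigger events, not the renewal result; the renewal output is in the service unit (`journalctl -u certbot.service`) and in `/var/log/letsencrypt/letsencrypt.log`, so suggest changing that bullet accordingly. The `ls -la /etc/letsencrypt/live/...` and `openssl x509 -in .../fullchain.pem` checks also need root (the directory is mode 0700), which is worth stating, and `certbot certificates` would give the expiry date and the archive paths in one command without opening the key directory. One more useful line for the existing `openssl s_client` bullet is to add `-servername rwaapi.szaiai.com` so the SNI-selected certificate is the one inspected, and to pipe into `openssl x509 -noout -dates` to compare what is served with what is on disk, which is exactly the mismatch that a renewal without a reload produces.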