capistrano-plugins / capistrano-unicorn-nginx

Capistrano tasks for automatic and sensible unicorn + nginx configuration
MIT License

Configuration of setup_ssl isn't working? #35

Closed marvindanig closed 9 years ago

marvindanig commented 9 years ago

$ cap production nginx:setup_ssl

DEBUG[295163ca] Running /usr/bin/env [ ! -d ~/.rbenv/versions/2.1.3 ] on IP
DEBUG[295163ca] Command: [ ! -d ~/.rbenv/versions/2.1.3 ]
DEBUG[295163ca] Finished in 0.782 seconds with exit status 1 (failed).
DEBUG[af682b5a] Running /usr/bin/env [ -e /etc/ssl/certs/mydomain.com.crt ] on IP
DEBUG[af682b5a] Command: [ -e /etc/ssl/certs/mydomain.com.crt ]
DEBUG[af682b5a] Finished in 0.117 seconds with exit status 1 (failed).
cap aborted!
SSHKit::Runner::ExecuteError: Exception while executing on host IP: No such file or directory @ rb_file_s_stat - /etc/ssl/certs/www_mydomain_com.crt

Errno::ENOENT: No such file or directory @ rb_file_s_stat - /etc/ssl/certs/www_mydomain_com.crt

Tasks: TOP => nginx:setup_ssl (See full trace by running task with --trace)

My deploy/production.rb looks something like this:

set :nginx_server_name, 'mydomain.com'
# ignore this if you do not need SSL
set :nginx_use_ssl, true
set :nginx_upload_local_cert, true
set :nginx_ssl_cert, "#{fetch(:nginx_server_name)}.crt"
set :nginx_ssl_cert_key, "#{fetch(:nginx_server_name)}.key"
set :nginx_ssl_cert_local_path, '/etc/ssl/certs/www_mydomain_com.crt'
set :nginx_ssl_cert_key_local_path, '/etc/ssl/private/www.mydomain.com.key'

What does it want? I've put the SSL cert and key in their respective folders on the server manually!

The documentation about how to use SSL on nginx is not clear. What does this mean:

set :nginx_upload_local_cert, true

Will it upload files from my local computer to remote? But why would it be necessary to upload the key from local to server, because the ssl key is generated on the server in the first place no?

Somehow, I have this feeling that Capistrano 2.x was much better than Cap 3.x.

bruno- commented 9 years ago

Dude, did you even buy the ssl certificate??

> But why would it be necessary to upload the key from local to server, because the ssl key is generated on the server in the first place no?

No, the ssl key is not generated on the server, it needs to be bought.

When you buy it, you'll get the certificate and private key files (among others). Download them locally on your machine and then add this to deploy/config/production.rb.

set :nginx_use_ssl, true
set :nginx_ssl_cert_local_path, '/path/to/certificate/on/yourmachine/www_mydomain_com.crt'
set :nginx_ssl_cert_key_local_path, '/path/to/private_key/on/you/yourmachine/www_mydomain_com.key'

> Somehow, I have this feeling that Capistrano 2.x was much better than Cap 3.x.

?

Closing as this is a non issue.

marvindanig commented 9 years ago

The problem was of read/write permissions on the /etc/ssl/cert and etc/ssl/private folders. It works now but took my entire night away... :(

I bought the SSL and placed the .crt file on the server using scp. The private key was generated on the Linode while raising a CSR request for the commercial SSL certificate, so I still don't understand which key you're meaning to reference here.

brianhu commented 9 years ago

I got the same issue. I manually uploaded my crt file to the server, and I am sure my deployer has the permission to read/write the crt file. Can anyone kindly give me some clues? Thanks!

bruno- commented 9 years ago

Hey, you should've let this plugin upload the crt file and set the right permissions on the server. Here's the relevant Capistrano task that does it. It's short and not that hard, so if you're still stuck I'd suggest checking it out.

Apart from uploading the necessary files to the server, you might want to check that the nginx conf file on the server has these necessary sections. Just in case something got messed up.

Hope that helps!
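
An added example, not part of the thread or of the plugin's own code: a Ruby preflight for the two files named by `:nginx_ssl_cert_local_path` and `:nginx_ssl_cert_key_local_path`, which per the reply above live on the machine that runs `cap`. It checks that both exist, that the key is not readable by other users, and that certificate and key belong together. The helper names `ssl_preflight` and `make_sample_pair` are hypothetical, and the certificate is a constructed self-signed sample.

```ruby
require 'openssl'
require 'tmpdir'

# Hypothetical helper (not part of capistrano-unicorn-nginx): inspects the
# certificate and key files on the machine that runs `cap` and returns a
# list of problems; an empty list means the pair is ready to upload.
def ssl_preflight(cert_path, key_path)
  problems = []
  [cert_path, key_path].each do |path|
    problems << "missing on this machine: #{path}" unless File.file?(path)
  end
  return problems unless problems.empty?

  # A private key readable by group or others is exposed to every local user.
  mode = File.stat(key_path).mode & 0o777
  problems << format('key mode is %04o, expected 0600 or stricter', mode) if (mode & 0o077) != 0

  cert = OpenSSL::X509::Certificate.new(File.read(cert_path))
  key  = OpenSSL::PKey.read(File.read(key_path))
  # The certificate must carry the public half of this private key.
  problems << 'certificate does not match private key' unless cert.check_private_key(key)
  problems << "certificate expired on #{cert.not_after}" if cert.not_after < Time.now
  problems
end

# Constructed sample material: a throwaway self-signed certificate and key.
def make_sample_pair(dir, name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  paths = [File.join(dir, "#{name}.crt"), File.join(dir, "#{name}.key")]
  File.write(paths[0], cert.to_pem)
  File.write(paths[1], key.to_pem, perm: 0o600)
  paths
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    crt, key = make_sample_pair(dir, 'mydomain.example')
    p ssl_preflight(crt, key)
    p ssl_preflight(File.join(dir, 'missing.crt'), key)
  end
end
```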