Gunicorn 无法访问让我们加密文件

Question

(venv) ubuntu@ip-172-31-6-77:~/redrebelgames_python$ gunicorn redrebelgames_python.wsgi:application
[2021-11-25 20:01:09 +0000] [3758] [INFO] Starting gunicorn 20.1.0
Traceback (most recent call last):
  File "/home/ubuntu/redrebelgames_python/venv/bin/gunicorn", line 8, in <module>
    sys.exit(run())
  File "/home/ubuntu/redrebelgames_python/venv/lib/python3.8/site-packages/gunicorn/app/wsgiapp.py", line 67, in run
    WSGIApplication("%(prog)s [OPTIONS] [APP_MODULE]").run()
  File "/home/ubuntu/redrebelgames_python/venv/lib/python3.8/site-packages/gunicorn/app/base.py", line 231, in run
    super().run()
  File "/home/ubuntu/redrebelgames_python/venv/lib/python3.8/site-packages/gunicorn/app/base.py", line 72, in run
    Arbiter(self).run()
  File "/home/ubuntu/redrebelgames_python/venv/lib/python3.8/site-packages/gunicorn/arbiter.py", line 198, in run
    self.start()
  File "/home/ubuntu/redrebelgames_python/venv/lib/python3.8/site-packages/gunicorn/arbiter.py", line 155, in start
    self.LISTENERS = sock.create_sockets(self.cfg, self.log, fds)
  File "/home/ubuntu/redrebelgames_python/venv/lib/python3.8/site-packages/gunicorn/sock.py", line 162, in create_sockets
    raise ValueError('certfile "%s" does not exist' % conf.certfile)
ValueError: certfile "/etc/letsencrypt/live/api.redrebelgames.com/cert.pem" does not exist

如何允许 gunicorn 访问这些文件？出于某种原因，它不起作用，简单地更改 chmod 权限也不起作用，因为 certbot 最终会将它们改回来。

Answer 1

certbot 文件由一个身份（通常是 root）拥有。您正在以不同的身份运行 Gunicorn。关键是授予 Gunicorn 身份读取 Let's Encrypt 文件的权限。通常，您可以将 Gunicorn 用户名添加到 Let's Encrypt 身份组名称，并使该组可以读取文件。

示例命令：

sudo usermod -a -G groupname username

身份用户名必须在更改组成员后重新登录。重启系统比较简单。

另一种方法（不推荐）是将 Gunicorn 作为特权进程运行。这有安全风险。