Let's Encrypt实现免费的https证书申请
具体参考
certbot官网安装部分
certbot官网使用部分
letsencrypt官网
nginx的基本部署部分
安装certbot
user@webserver:~$ wget https://dl.eff.org/certbot-auto
user@webserver:~$ chmod a+x ./certbot-auto
user@webserver:~$ ./certbot-auto --help
nginx的部署
其中letsencrypt提供了多种部署模式,
主要几种模式:nginx,webroot,standalone
建议使用webroot。
nginx模式需要更新nginx的配置文件,比较自动化,但是可能会因为修改了配置文件导致一些问题,操作前必须备份好相关的配置文件。
standalone模式,需要停止原来占用80和443端口的进程,也就是nginx,然后才能申请证书,过程可能会因为网络问题,特别慢,导致影响业务使用,同时由于每次调用certbot,都会校验版本情况,进行更新,如果出现更新过程异常,会导致进程异常挂起等,可能影响业务使用。
所以使用相对可控的webroot模式。
具体的nginx的部署说明
过程中需要用到git,python等,过程中需要安装相关依赖组件等。
下载对应的代码
$ sudo apt-get update
$ sudo apt-get install -y git
$ sudo git clone https://github.com/certbot/certbot /opt/letsencrypt
创建对应的站点目录
以下是简单例子,非实用语句,根据实际情况自己进行相关调整
$ cd /var/www
$ mkdir letsencrypt
$ sudo chgrp www-data letsencrypt
建立配置文件(也可以不建立,直接使用语句执行)
配置文件路径可以自己安排,后面语句调用的时候进行调整
/etc/letsencrypt/configs/my-domain.conf
# the domain we want to get the cert for;
# technically it's possible to have multiple of this lines, but it only worked
# with one domain for me, another one only got one cert, so I would recommend
# separate config files per domain.
domains = my-domain
# increase key size
rsa-key-size = 2048 # Or 4096
# the current closed beta (as of 2015-Nov-07) is using this server
server = https://acme-v01.api.letsencrypt.org/directory
# this address will receive renewal reminders
email = my-email
# turn off the ncurses UI, we want this to be run as a cronjob
text = True
# authenticate by placing a file in the webroot (under .well-known/acme-challenge/)
# and then letting LE fetch it
authenticator = webroot
webroot-path = /var/www/letsencrypt/
创建校验站点(必须要占用80端口,同一个站点下)
nginx的配置文件如下:
server {
listen 80 default_server;
server_name my-domain;
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
}
# ...
}
这样设置后,certbot在生成证书的时候,会到具体的路径下访问,根据返回输出来判断网站合法性, /.well-known/acme-challenge是隐藏文件夹,自动生成,不需要自己手动生成,但是需要提供权限让certbot生成。
完成后重启nginx
sudo nginx -t && sudo nginx -s reload
申请生成证书,如果不需要用邮箱,可以把配置文件的邮箱地址注释掉,在调用命令后增加参数–register-unsafely-without-email
$ cd /opt/letsencrypt
$ ./certbot-auto --config /etc/letsencrypt/configs/my-domain.conf certonly
Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --config /etc/letsencrypt/configs/my-domain.conf certonly
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/my-domain/fullchain.pem. Your cert
will expire on date. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
...
然后添加自动重签的任务
建立任务脚本:
#!/bin/sh
cd /workdata/software
echo -e "2\n" | ./certbot-auto --config /etc/letsencrypt/configs/wim1.wgamecloud.com.conf certonly --register-unsafely-without-email
if [ $? -ne 0 ]
then
ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log`
echo -e "The Let's Encrypt cert has not been renewed! n n"
$ERRORLOG
else
/workdata/nginx/sbin/nginx -s reload
fi
exit 0
并且在crontab中增加相关任务
0 0 1 JAN,MAR,MAY,JUL,SEP,NOV * /path/to/renew-letsencrypt.sh
不过建议一周更新一次,因为lets encrypt限制了,一周只能更新5次,一个证书有效期90天,过于频繁更新会导致被禁止更新
过程问题
过程中,如果python用了Anaconda这种的话,过程中可能出现缺了某些lib,需要增加软连接,把对应的lib连接过去
如:
ln -s /root/anaconda3/pkgs/python-2.7.15-h9bab390_2/lib/libpython2.7.so.1.0 /lib64
另外可能出现ImportError: No module named virtualenv报错,通过yum安装,发现版本过低引起,需要重装新版本
[root@iZ282iltjiwZ https]# yum install python-virtualenv
Loaded plugins: security
Setting up Install Process
Package python-virtualenv-12.0.7-1.el6.noarch already installed and latest version
Nothing to do
wget https://files.pythonhosted.org/packages/33/bc/fa0b5347139cd9564f0d44ebd2b147ac97c36b2403943dbee8a25fd74012/virtualenv-16.0.0.tar.gz
sudo tar zxvf virtualenv-16.0.0.tar.gz
cd virtualenv-16.0.0
python setup.py install
.....
#成功安装后的提示
Installed /usr/local/python27/lib/python2.7/site-packages/virtualenv-16.0.0-py2.7.egg
Processing dependencies for virtualenv==16.0.0
Finished processing dependencies for virtualenv==16.0.0
3970
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
