Assume the environment is CentOS 6.8, the web server is Nginx 1.12.0 (because that is my production environment), Python 2.6.6, and the current working directory is /root.
Get the certbot client:
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
Stop nginx:
service nginx stop
Generate the certificate:
./certbot-auto certonly --standalone --email <your email address> -d <your domain>
If the site has several domains, add each of them after the command, for example:
./certbot-auto certonly --standalone --email <your email address> -d <your domain 1> -d <your domain 2>
For example:
./certbot-auto certonly --standalone --email '*******@qq.com' -d 'www.pvpvv.com'
ssl_certificate /etc/letsencrypt/live/www.pvpvv.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.pvpvv.com/privkey.pem;
Start nginx:
service nginx start
Fix for the "No module named yum" error
Today, while installing software with yum, I got the following error:
There was a problem importing one of the Python modules required to run yum. The error leading to this problem was:
No module named yum
Please install a package which provides this module, or verify that the module is installed correctly.
It's possible that the above module doesn't match the current version of Python, which is:
If you cannot solve this problem yourself, please go to the yum faq at:
A yum error. After some searching I learned that yum depends on Python (yum is a Python module), so I used the following fix:
Current system Python version: Python 2.7
It must be caused by a mismatch between yum's version and the current Python version.
So modify yum's configuration; edit the file: vim /usr/bin/yum
Change the shebang #!/usr/bin/python => #!/usr/bin/python2.6
Check the Python version again:
[dup@localhost Python-2.7.14]$ python --version
Python 2.7.14
It is now the new version.
After the system python symlink was pointed at Python 2.7, yum stopped working because it is not compatible with Python 2.7, so yum's Python version must be specified explicitly.
[dup@localhost Python-2.7.14]$ yum
There was a problem importing one of the Python modules
required to run yum. The error leading to this problem was:
No module named yum
Please install a package which provides this module, or
verify that the module is installed correctly.
It's possible that the above module doesn't match the
current version of Python, which is:
2.7.14 (default, Jan 19 2018, 00:52:34)
[GCC 4.4.7 20120313 (Red Hat 4.4.7-18)]
If you cannot solve this problem yourself, please go to
the yum faq at:
http://yum.baseurl.org/wiki/Faq
#vim /usr/bin/yum
Change the header of the file from
#!/usr/bin/python
to
#!/usr/bin/python2.6.6
Generate the certificate:
./certbot-auto certonly --standalone --email '@qq.com' -d 'www.pvpvv.com'
Package python-devel-2.6.6-66.el6_8.i686 already installed and latest version
No package python-virtualenv available.
Package python-tools-2.6.6-66.el6_8.i686 already installed and latest version
No package python-pip available.
Package 1:mod_ssl-2.2.15-69.el6.centos.i686 already installed and latest version
Nothing to do
Creating virtual environment...
./certbot-auto: line 1004: virtualenv: command not found
python-pip and python-virtualenv are not available.
Install python-pip:
curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
python get-pip.py
Install python-virtualenv:
pip install virtualenv
Stop nginx:
service nginx stop
Generate the certificate again:
./certbot-auto certonly --standalone --email '@qq.com' -d 'www.pvpvv.com'
It reports success:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.pvpvv.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.pvpvv.com/privkey.pem
   Your cert will expire on 2019--. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew all of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
View the generated certificates:
tree /etc/letsencrypt/live/
Nginx configuration:
server {
    listen 80;
    server_name www.pvpvv.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name www.pvpvv.com pvpvv.com;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/www.pvpvv.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.pvpvv.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;
    index index.html index.php;
    root /home/www;
    location / {
        proxy_pass http://<web-service ip or domain>;
    }
}
Check the nginx configuration:
nginx -t
Start nginx:
service nginx start
Listening on port 80 is mainly so that when a user visits the site over plain http (without typing https), the request to port 80 is automatically redirected to the https address.
Restart nginx:
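The ssl_protocols SSLv3 TLSv1 and ssl_ciphers lines in the configuration above still accept SSLv3 and RC4/LOW/EXP suites, which are known-weak and rejected by current browsers. As an added example (not from the original post), here is the same 443 server block with only the TLS parameters replaced by settings that work on Nginx 1.12 with OpenSSL 1.0.1 or newer (EC support assumed); the certificate paths are the ones certbot-auto produced above, while the resolver and backend addresses are placeholders.

```nginx
server {
    listen 443 ssl;   # "ssl" here already enables TLS, so the deprecated "ssl on;" is dropped
    server_name www.pvpvv.com pvpvv.com;

    # Files written by certbot-auto above; chain.pem sits in the same live/ directory
    ssl_certificate         /etc/letsencrypt/live/www.pvpvv.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/www.pvpvv.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/www.pvpvv.com/chain.pem;

    # No SSLv3 / TLS 1.0; TLS 1.2 is the newest version OpenSSL 1.0.1 (CentOS 6) offers
    ssl_protocols TLSv1.2;
    # Forward-secret AEAD suites only: no RC4, no export, no LOW/MEDIUM
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;

    # Session cache shared across worker processes instead of a bare 5m timeout
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # OCSP stapling so clients need not query Let's Encrypt themselves; resolver is a placeholder
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver <your-dns-resolver-ip> valid=300s;

    # Keep browsers on https after the first visit (the port 80 block above does the redirect)
    add_header Strict-Transport-Security "max-age=15768000" always;

    index index.html index.php;
    root /home/www;

    location / {
        proxy_pass http://<web-service ip or domain>;   # placeholder, as in the original block
    }
}
```

Run nginx -t after the change; ssl_trusted_certificate must point at chain.pem (not fullchain.pem) for stapling verification to succeed.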
nginx -s reload
Automatic https renewal:
Configure crontab
Because the certificates issued by Let's Encrypt are only valid for 3 months, once a certificate expires we have to renew it manually and obtain it again, or use a Linux crontab scheduled task to obtain it periodically.
First, after completing step 3, test whether the certificate can be renewed normally:
./certbot-auto renew --dry-run
Renewal script regen.sh:
#!/bin/bash
# Renew the certificates
/usr/bin/certbot renew --quiet
# Reload nginx
/usr/sbin/nginx -s reload
View the task list:
crontab -l
Add the cron entry:
crontab -e
Note that if this is the first time you add an entry, you will be asked to choose an editor; pick whichever you are used to. I chose vi.
Append at the end of the file (runs at 03:00 on the 1st of every month):
00 03 1 * * /youpath/regen.sh
Run the script to test that it works normally:
chmod +x regen.sh
./regen.sh
Restart cron:
sudo systemctl restart cron