How to set up HTTPS permanently for free

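Assume the environment is CentOS 6.8, the web server is Nginx 1.12.0 (because that is what my production environment runs), Python is 2.6.6, and the current working directory is /root.
Get the certbot client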
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Stop nginx
service nginx stop
Generate the certificate
./certbot-auto certonly --standalone --email your_email_address -d your_domain

If the site has several domain names, append each one with another -d option:
./certbot-auto certonly --standalone --email your_email_address -d your_domain_1 -d your_domain_2
For example:
./certbot-auto certonly --standalone --email '*******@qq.com' -d 'www.pvpvv.com'

ssl_certificate /etc/letsencrypt/live/www.pvpvv.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.pvpvv.com/privkey.pem;
Start nginx
service nginx start

Fixing the "No module named yum" error
Today, when installing software with yum, the following error appeared:
There was a problem importing one of the Python modules required to run yum. The error leading to this problem was:
No module named yum
Please install a package which provides this module, or verify that the module is installed correctly.
It’s possible that the above module doesn’t match the current version of Python, which is:
If you cannot solve this problem yourself, please go to the yum faq at:

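After searching on this yum error, I found that yum depends on Python (yum is a Python module), so I used the following fix:

Current system Python version: Python 2.7

The cause is certainly that the yum version does not match the current Python version.
So change yum's launcher script. Edit the file: vim /usr/bin/yum
Change the first line: #!/usr/bin/python => #!/usr/bin/python2.6
Check the Python version again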
[dup@localhost Python-2.7.14]$ python --version
Python 2.7.14
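It is now the new version.
Once the system python symlink points at Python 2.7, yum stops working because yum is not compatible with Python 2.7, so the Python version that yum uses has to be set explicitly.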
[dup@localhost Python-2.7.14]$ yum
There was a problem importing one of the Python modules
required to run yum. The error leading to this problem was:
No module named yum
Please install a package which provides this module, or
verify that the module is installed correctly.
It’s possible that the above module doesn’t match the
current version of Python, which is:
2.7.14 (default, Jan 19 2018, 00:52:34)
[GCC 4.4.7 20120313 (Red Hat 4.4.7-18)]
If you cannot solve this problem yourself, please go to
the yum faq at:
http://yum.baseurl.org/wiki/Faq
# vim /usr/bin/yum
Change the line at the top of the file from
#!/usr/bin/python
to
#!/usr/bin/python2.6
Generate the certificate
./certbot-auto certonly --standalone --email '@qq.com' -d 'www.pvpvv.com'
Package python-devel-2.6.6-66.el6_8.i686 already installed and latest version
No package python-virtualenv available.
Package python-tools-2.6.6-66.el6_8.i686 already installed and latest version
No package python-pip available.
Package 1:mod_ssl-2.2.15-69.el6.centos.i686 already installed and latest version
Nothing to do
Creating virtual environment…
./certbot-auto: line 1004: virtualenv: command not found
python-pip and python-virtualenv are not installed.
Install python-pip
curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
python get-pip.py
Install python-virtualenv
pip install virtualenv
Stop nginx
service nginx stop
Generate the certificate again
./certbot-auto certonly --standalone --email '@qq.com' -d 'www.pvpvv.com'
The success message:
IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/www.pvpvv.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/www.pvpvv.com/privkey.pem
    Your cert will expire on 2019--. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again. To non-interactively renew all of your certificates, run
    “certbot-auto renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

View the generated certificates
tree /etc/letsencrypt/live/
nginx configuration
server {
    listen 80;
    server_name www.pvpvv.com;
    # Redirect plain HTTP requests to the HTTPS address
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name www.pvpvv.com pvpvv.com;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/www.pvpvv.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.pvpvv.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;
    index index.html index.php;
    root /home/www;
    location / {
        proxy_pass http://IP-or-domain-of-the-web-service;
    }
}

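Check the nginx configuration
nginx -t

Start nginx
service nginx start

The listen 80 server block is there so that when a user visits the site over http (port 80) without typing https, the request is automatically redirected to the https address.

Restart nginx: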
nginx -s reload
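
The 443 server block above enables SSLv3 and TLSv1, and its cipher string starts from ALL and adds RC4+RSA. As an added example (not part of the original post), this shell function flags such legacy ssl_protocols and ssl_ciphers values in nginx configuration text; the name tls_lint, both sample strings and the stricter TLSv1.2 pair are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: flag legacy TLS values in nginx configuration text.

# Constructed sample: the ssl_* values from the 443 server block on this page.
WEAK_CONF='ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;'

# Constructed sample (assumption): a stricter pair that nginx built against
# OpenSSL 1.0.1 or later accepts.
STRICT_CONF='ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;'

# tls_lint (hypothetical helper): reads nginx config on stdin and prints one
# finding per line as "protocol:<name>" or "cipher:<token>".
tls_lint() {
    # Drop comments, then put every ';'-terminated directive on its own line,
    # so several directives written on one line are still seen separately.
    sed 's/#.*//' | tr ';' '\n' | {
        set -f    # tokens are expanded unquoted below; keep globbing off
        while read -r name args; do
            case "$name" in
            ssl_protocols)
                for tok in $args; do
                    case "$tok" in
                    SSLv2|SSLv3|TLSv1|TLSv1.1) echo "protocol:$tok" ;;
                    esac
                done ;;
            ssl_ciphers)
                # OpenSSL cipher strings separate elements with ':' or ','.
                for tok in $(printf '%s' "$args" | tr ':,' '  '); do
                    case "$tok" in
                    '!'*|-*|+*) ;;  # '!' and '-' remove suites; a leading '+' only reorders
                    ALL|LOW|EXP*|*RC4*|*DES*|*MD5*|*NULL*|ADH*|AECDH*)
                        echo "cipher:$tok" ;;
                    esac
                done ;;
            esac
        done
    }
}

echo "page values:";   printf '%s\n' "$WEAK_CONF"   | tls_lint
echo "strict values:"; printf '%s\n' "$STRICT_CONF" | tls_lint
```

To check a real file, feed it on stdin (`tls_lint < your-nginx-config-file`); an empty result only means none of the listed legacy values were found.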

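Automatic HTTPS certificate renewal:
Configure crontab
Certificates issued by Let's Encrypt are only valid for 3 months, so when the certificate expires we have to renew it by hand and obtain it again, or use a Linux crontab scheduled job to obtain it periodically.
First, after completing step 3, check that the certificate can be renewed properly: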
./certbot-auto renew --dry-run

Then write a custom script, regen.sh

#!/bin/bash
# Renew
/usr/bin/certbot renew --quiet
# Reload nginx
/usr/sbin/nginx -s reload

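View the job list
crontab -l

Add the cron job
crontab -e

Note: the first time you add a job you are asked to choose an editor; pick whichever you are used to. I chose vi here.
Append at the end of the file:

# Run at 03:00 on the 1st of every month
00 03 1 * * /youpath/regen.sh

Run the script to test that it works:
chmod +x regen.sh
./regen.sh

Restart the cron service
service crond restart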
