Certbot: quick Let's Encrypt setup

Published: 2019-10-14 09:22:25  Editor: auto  Views: 2398

    For development reasons I had to move the site to HTTPS. Let's Encrypt currently issues SSL/TLS certificates free of charge.

    After some trial and error the certificate is now installed correctly. This post records the process and the problems I ran into, for anyone who needs it.

    Environment

    My environment is Ubuntu 16.04 on Alibaba Cloud.

    Download the tool

    Download the certbot tool:

    git clone https://github.com/certbot/certbot

    This clones the repository's default branch, and the wrapper script run below bootstraps its dependencies and runs as root; check out a tagged release (git checkout <tag>) if you want a reproducible version rather than whatever is on the branch today. (The certbot-auto/letsencrypt-auto wrapper has since been deprecated by the Certbot project in favour of OS packages and snap; this post predates that.)

    Generate the SSL certificate

    Follow the instructions in the certbot documentation:

    cd certbot
    ./letsencrypt-auto certonly --standalone --email your@qq.com -d your.domain.com

    Remember to replace your.domain.com with your domain, and your@qq.com with the address that should receive expiry notices. letsencrypt-auto is the older name of the same wrapper script that the renewal section below calls certbot-auto. With --standalone, certbot starts its own temporary web server to answer the ACME challenge, so the port it needs (80 for the HTTP-01 challenge in current versions; older versions could also use 443) must be reachable from the Internet and must not already be bound by nginx or anything else while the command runs.

    But it did not go to plan; this error came up:

    Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)
    Hit:1 http://mirrors.cloud.aliyuncs.com/ubuntu xenial InRelease
    Hit:2 http://mirrors.cloud.aliyuncs.com/ubuntu xenial-updates InRelease
    Hit:3 http://mirrors.cloud.aliyuncs.com/ubuntu xenial-security InRelease
    Reading package lists... Done                     
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    augeas-lenses is already the newest version (1.4.0-0ubuntu1).
    ca-certificates is already the newest version (20160104ubuntu1).
    gcc is already the newest version (4:5.3.1-1ubuntu1).
    libaugeas0 is already the newest version (1.4.0-0ubuntu1).
    libffi-dev is already the newest version (3.2.1-4).
    python is already the newest version (2.7.11-1).
    python-dev is already the newest version (2.7.11-1).
    libssl-dev is already the newest version (1.0.2g-1ubuntu4.8).
    openssl is already the newest version (1.0.2g-1ubuntu4.8).
    python-virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
    virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
    0 upgraded, 0 newly installed, 0 to remove and 37 not upgraded.
    Creating virtual environment...
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/virtualenv.py", line 2363, in <module>
        main()
      File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
        symlink=options.symlink)
      File "/usr/lib/python3/dist-packages/virtualenv.py", line 988, in create_environment
        download=download,
      File "/usr/lib/python3/dist-packages/virtualenv.py", line 918, in install_wheel
        call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
      File "/usr/lib/python3/dist-packages/virtualenv.py", line 812, in call_subprocess
        % (cmd_desc, proc.returncode))
    OSError: Command /root/.local/share/letsencrypt/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2
    

    Searching turned up a comment on a certbot issue (#issuecomment-273014451).

    The explanation there is that the system has more than one Python installed. The traceback above shows the effect: the bootstrapper is using the Python 3 copy of virtualenv (/usr/lib/python3/dist-packages/virtualenv.py) to build a Python 2.7 environment, and installing pip and setuptools into it fails. So how do you remove the conflicting copy? I fixed it with the method given there.

    Fix:

    apt-get purge python-virtualenv python3-virtualenv virtualenv
    pip install virtualenv

    This removes the distribution-packaged virtualenv (both the Python 2 and the Python 3 build) and installs a single copy from PyPI with pip. Note that this install runs as root and outside the package manager, so apt will neither track nor update it.
    

    Then run the certificate generation command again:

    cd certbot
    ./letsencrypt-auto certonly --standalone --email your@qq.com -d your.domain.com

    This can take a few minutes. Output like the following means the certificate was issued. Note the expiry date in the output: Let's Encrypt certificates are valid for 90 days, so the renewal step covered below is not optional.

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/www.lanyueos.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/www.lanyueos.com/privkey.pem
       Your cert will expire on 2017-11-14. To obtain a new or tweaked
       version of this certificate in the future, simply run
       letsencrypt-auto again. To non-interactively renew *all* of your
       certificates, run "letsencrypt-auto renew"
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
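    The issuance step above, as an added shell example that is not from the original post: it checks that port 80 is free before invoking the standalone authenticator, runs the same certonly command non-interactively, and then verifies the issued files with openssl (validity dates, and that privkey.pem actually belongs to the certificate). Assumed: the clone lives at /root/certbot, so the wrapper is /root/certbot/certbot-auto (override with the CERTBOT environment variable); DOMAIN and EMAIL are placeholders passed on the command line.

```shell
#!/bin/sh
# issue-cert.sh: preflight, issuance and verification for the --standalone flow.
# Added example, not from the original post. Assumed: the clone is at /root/certbot,
# so the wrapper is /root/certbot/certbot-auto (override with CERTBOT); DOMAIN and
# EMAIL are passed on the command line. Verification needs the openssl CLI.
set -eu

CERTBOT=${CERTBOT:-/root/certbot/certbot-auto}

# TCP port as the 4-digit upper-case hex used in /proc/net/tcp, e.g. 80 -> 0050.
port_hex() {
    printf '%04X' "$1"
}

# Exit 0 if something is listening on TCP port $1, 1 if it is free.
# Uses ss when available, otherwise the LISTEN (state 0A) rows of /proc/net/tcp{,6}.
port_in_use() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk 'NR > 1 { print $4 }' | grep -qE "[:.]$1\$"
    else
        hex=$(port_hex "$1")
        cat /proc/net/tcp /proc/net/tcp6 2>/dev/null \
            | awk -v p=":$hex" '$4 == "0A" && $2 ~ (p "$")' | grep -q .
    fi
}

# Issue the certificate non-interactively. --standalone binds port 80 for the
# HTTP-01 challenge, so refuse to run while nginx (or anything else) owns it.
issue_cert() {
    domain=$1; email=$2
    if port_in_use 80; then
        echo "port 80 is in use; stop nginx before running --standalone" >&2
        return 1
    fi
    "$CERTBOT" certonly --standalone --non-interactive --agree-tos \
        --preferred-challenges http --email "$email" -d "$domain"
}

# Show what was issued and check that privkey.pem belongs to the certificate
# (nginx refuses to start if they do not match). Compares public keys, so it
# works for RSA and ECDSA keys alike.
verify_cert() {
    live=/etc/letsencrypt/live/$1
    openssl x509 -in "$live/fullchain.pem" -noout -subject -issuer -dates
    cert_pub=$(openssl x509 -in "$live/fullchain.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$live/privkey.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

case "${1:-}" in
    issue)  issue_cert "$2" "$3" && verify_cert "$2" ;;
    verify) verify_cert "$2" ;;
    *)      echo "usage: $0 issue DOMAIN EMAIL | verify DOMAIN" >&2 ;;
esac
```

    Usage: sh issue-cert.sh issue your.domain.com your@qq.com, run as root with nginx stopped. The port check is what the wrapper itself does not do for you: when nginx is already on port 80 the standalone authenticator fails only after contacting the CA.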
    

    Configure nginx

    Add the following inside the server block of the nginx configuration file:

    
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    
    ssl_certificate /etc/letsencrypt/live/your.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem;
    

    Remember to replace your.domain.com with your domain. Use fullchain.pem (the certificate plus the intermediate chain) rather than cert.pem for ssl_certificate, otherwise some clients cannot validate the chain. The files under /etc/letsencrypt/live/ are symlinks that certbot repoints on renewal, so point nginx at them instead of copying them elsewhere. privkey.pem is readable only by root; nginx reads it as root when it starts, so there is no need to loosen its permissions. As written, this only adds the HTTPS listener; port 80 keeps serving plain HTTP unless you add a redirect.
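    A complete server configuration for the domain, as an added example (not the original post's nginx config): it keeps the four directives above and adds what they leave out, a port-80 server that redirects to HTTPS while still answering ACME HTTP-01 challenges under /.well-known/acme-challenge/ (needed if you later switch from --standalone to the webroot authenticator), TLS 1.2 only, session settings, and HSTS. It is written as a shell function that renders the file for a domain so it can be checked with nginx -t before it is enabled. Assumed placeholders: Ubuntu's sites-available/sites-enabled layout, an ACME webroot at /var/www/letsencrypt, and a document root of /var/www/DOMAIN.

```shell
#!/bin/sh
# nginx-tls.sh: render a complete HTTPS server configuration for a domain, then
# validate and enable it. Added example, not the original post's config. Assumed
# (placeholders): Ubuntu's sites-available/sites-enabled layout, ACME webroot
# /var/www/letsencrypt, document root /var/www/DOMAIN.
set -eu

# Write the configuration for domain $1 to file $2.
write_nginx_tls_conf() {
    domain=$1; out=$2
    cat >"$out" <<EOF
# Plain HTTP: serve ACME HTTP-01 challenges (used by webroot renewals) and
# redirect everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name $domain;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    server_name $domain;

    # live/ holds symlinks that certbot repoints on renewal; fullchain.pem
    # carries the intermediate certificate clients need to build the chain.
    ssl_certificate /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;

    # TLSv1.2 only: the nginx 1.10 / OpenSSL 1.0.2 in Ubuntu 16.04 does not know
    # TLSv1.3 and rejects the token; add it on nginx >= 1.13 with OpenSSL 1.1.1.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS: browsers will refuse plain HTTP for a year. Enable only once every
    # host under this name is served over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/$domain;
}
EOF
}

# Validate before enabling: a broken file never reaches a running nginx.
enable_site() {
    domain=$1
    write_nginx_tls_conf "$domain" "/etc/nginx/sites-available/$domain"
    ln -sfn "/etc/nginx/sites-available/$domain" "/etc/nginx/sites-enabled/$domain"
    nginx -t && service nginx reload
}

case "${1:-}" in
    enable) enable_site "$2" ;;
    *)      echo "usage: $0 enable DOMAIN" >&2 ;;
esac
```

    Usage: sh nginx-tls.sh enable your.domain.com. The explicit cipher list is left at nginx's default here; the directives that matter most for a 16.04 box are the protocol restriction and the redirect, since without the redirect the site remains reachable over plain HTTP.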

    Restart nginx

    service nginx restart

    service nginx start only starts nginx if it is not already running; an nginx that is already up needs a restart (or service nginx reload) to pick up the new listener and certificate. If it fails to start, check the configuration file with:

    nginx -t

    Running nginx -t before the restart avoids taking the site down with a broken configuration.

    Open https://your.domain.com; if the browser shows the green padlock, the setup worked.

    Automatic certificate renewal

    Create a task file named certbot-auto-renew-cron. It is a cron schedule, and the intent of the entry is to run the renewal at 02:15 every two months. Two caveats on that schedule: certbot renew only renews certificates that are inside their renewal window (by default, within 30 days of the 90-day expiry) and does nothing otherwise, so a run every two months can land just before the window opens and the next run can land after the certificate has expired. Running it daily, or twice daily as the Certbot project recommends, costs nothing because it is a no-op when nothing is due.

    ./certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start"

    cron runs entries with a minimal PATH and with the user's home directory as the working directory, so in the crontab the relative ./certbot-auto must be written as an absolute path (and service as /usr/sbin/service), otherwise the job fails silently.

    --pre-hook runs before the renewal attempt. Because my certificate was obtained in --standalone mode, certbot needs the port for itself, so the hook stops nginx to free it. The pre-hook only runs when a certificate is actually due, so nginx is not stopped needlessly.
    --post-hook runs after the renewal attempt, whether or not it succeeded, and here brings nginx back up.

    crontab certbot-auto-renew-cron

    Note that crontab FILE replaces the whole crontab of the current user with the contents of FILE; check crontab -l first so existing jobs are not lost.
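    The renewal job above, reworked as an added shell example (not the original post's cron file): a wrapper that runs certbot-auto renew with the same stop/start hooks but with absolute paths, restarts nginx itself if certbot died before its post-hook could run, and installs a twice-daily crontab entry by merging it into the existing crontab instead of replacing it, using a marker comment so re-running the installer never duplicates the line. Assumed placeholders: the wrapper is /root/certbot/certbot-auto, this script is saved as /root/renew-cert.sh, and output goes to /var/log/certbot-renew.log.

```shell
#!/bin/sh
# renew-cert.sh: certbot-auto renewal wrapper for the --standalone setup, plus a
# crontab installer that merges instead of replacing. Added example, not from the
# original post. Assumed paths (placeholders): CERTBOT, SELF and LOG below.
set -eu

CERTBOT=${CERTBOT:-/root/certbot/certbot-auto}
SELF=${SELF:-/root/renew-cert.sh}
LOG=/var/log/certbot-renew.log
MARKER='# certbot-auto-renew'
SERVICE=/usr/sbin/service      # cron's default PATH does not include /usr/sbin

# One renewal attempt. certbot only renews certificates inside their renewal window
# (30 days before expiry by default); if nothing is due, neither hook runs and nginx
# stays up. The post-hook runs after the attempt whether or not it succeeded.
renew_cert() {
    status=0
    "$CERTBOT" renew --non-interactive \
        --pre-hook  "$SERVICE nginx stop" \
        --post-hook "$SERVICE nginx start" || status=$?
    # Belt and braces: if certbot crashed before its post-hook ran, bring nginx back.
    "$SERVICE" nginx status >/dev/null 2>&1 || "$SERVICE" nginx start
    return "$status"
}

# Crontab entry: twice a day (Certbot's own recommendation); a no-op when nothing
# is due. The trailing marker lets merge_cron_entry find and replace an old copy.
cron_line() {
    printf '%s\n' "15 2,14 * * * $SELF renew >>$LOG 2>&1 $MARKER"
}

# Read an existing crontab from stdin, drop any line carrying the marker, append
# ours. Pure text transformation, so it can be tested without touching cron.
merge_cron_entry() {
    { grep -vF -- "$MARKER" || true; }
    cron_line
}

# Install: `crontab FILE` would replace the user's whole crontab; this keeps the
# other jobs and is safe to run repeatedly.
install_cron_job() {
    { crontab -l 2>/dev/null || true; } | merge_cron_entry | crontab -
}

case "${1:-}" in
    renew)   renew_cert ;;
    install) install_cron_job ;;
    *)       echo "usage: $0 renew | install" >&2 ;;
esac
```

    Usage: save it as /root/renew-cert.sh, then sh /root/renew-cert.sh install once as root; the job's exit status ends up in the log, so a failed attempt is visible rather than silent. Because the renewal is attempted twice a day, the stop/start hooks still only fire on the day a certificate is actually inside its window.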
    
