2018-09-22 Alibaba Cloud ECS server, CentOS 7.4, building a LAMP WordPress environment: SSL

Installing the SSL certificate

The recommended way to install a certificate is Certbot, the automated client provided by Let's Encrypt. (Older versions of Certbot were called letsencrypt or letsencrypt-auto.)

Certbot: only supports Unix-based systems, i.e. Linux, Ubuntu, macOS and the like.

Alibaba Cloud also offers SSL certificates, but there are no free ones any more.
Tencent Cloud offers SSL certificates too; whether they will start charging later is unknown.

First go to the Certbot website: https://certbot.eff.org/

[Figure 1: Certbot]

The page asks which HTTP server you run on which system. My system is CentOS 7.4, so I chose CentOS/RHEL 7, and for the HTTP server I chose Apache. (The HTTP server is usually either Apache or Nginx.)

Step 01

My CentOS machine is not an EC2 instance; check the product UUID:

[root@~]# cat /sys/devices/virtual/dmi/id/product_uuid 
8113ECEB-...

If the dmi directory does not exist, install dmidecode:

[root@~]# sudo yum -y install dmidecode 

If the UUID starts with ec2, run the following two commands:

[root@~]# yum -y install yum-utils
[root@~]# yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional

Step 02

Install Certbot

[root@~]# sudo yum -y install python2-certbot-apache
......
Total                                                                                                                                4.6 MB/s | 876 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : python2-certbot-0.26.1-2.el7.noarch                                                                                                               1/4 
  Installing : certbot-0.26.1-2.el7.noarch                                                                                                                       2/4 
  Installing : 1:mod_ssl-2.4.6-80.el7.centos.1.x86_64                                                                                                            3/4 
  Installing : python2-certbot-apache-0.26.1-1.el7.noarch                                                                                                        4/4 
  Verifying  : certbot-0.26.1-2.el7.noarch                                                                                                                       1/4 
  Verifying  : python2-certbot-0.26.1-2.el7.noarch                                                                                                               2/4 
  Verifying  : 1:mod_ssl-2.4.6-80.el7.centos.1.x86_64                                                                                                            3/4 
  Verifying  : python2-certbot-apache-0.26.1-1.el7.noarch                                                                                                        4/4

Installed:
  python2-certbot-apache.noarch 0:0.26.1-1.el7                                                                                                                       

Dependency Installed:
  certbot.noarch 0:0.26.1-2.el7                    mod_ssl.x86_64 1:2.4.6-80.el7.centos.1                    python2-certbot.noarch 0:0.26.1-2.el7                   

Complete!

Check the installation

[root@~]# ls /etc/ | grep "python"
python

[root@~]# yum list installed | grep "certbot"
certbot.noarch                      0.26.1-2.el7                    @epel       
python2-certbot.noarch              0.26.1-2.el7                    @epel       
python2-certbot-apache.noarch       0.26.1-1.el7                    @epel 

[root@~]# ls /etc/ | grep "letsencrypt"
letsencrypt

[root@~]# whereis certbot
certbot: /usr/bin/certbot

Step 03

Generate the SSL certificate

[root@~]# sudo certbot --apache

If sudo certbot --apache fails with an error:

[root@~]# sudo certbot --apache
Traceback (most recent call last):
  File "/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.26.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 570, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2751, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2405, in load
    return self.resolve()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2411, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 18, in <module>
    from certbot import account
  File "/usr/lib/python2.7/site-packages/certbot/account.py", line 18, in <module>
    from acme import messages
  File "/usr/lib/python2.7/site-packages/acme/messages.py", line 7, in <module>
    from acme import challenges
  File "/usr/lib/python2.7/site-packages/acme/challenges.py", line 11, in <module>
    import requests
  File "/usr/lib/python2.7/site-packages/requests/__init__.py", line 58, in <module>
    from . import utils
  File "/usr/lib/python2.7/site-packages/requests/utils.py", line 32, in <module>
    from .exceptions import InvalidURL
  File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line 10, in <module>
    from .packages.urllib3.exceptions import HTTPError as BaseHTTPError
  File "/usr/lib/python2.7/site-packages/requests/packages/__init__.py", line 95, in load_module
    raise ImportError("No module named '%s'" % (name,))
ImportError: No module named 'requests.packages.urllib3'

Run the following commands to fix the problem:

[root@~]# cd /usr/lib/python2.7/site-packages/urllib3/packages/
[root@~]# sudo rm -rf ssl_match_hostname*
[root@~]# yum -y install python-urllib3.noarch

The details of that operation:

[root@~]# cd /usr/lib/python2.7/site-packages/urllib3/packages/
[root@packages]# ls -la
total 48
drwxr-xr-x 4 root root 4096 Sep  3 18:23 .
drwxr-xr-x 5 root root 4096 Sep  3 18:23 ..
drwxr-xr-x 2 root root 4096 Oct 15  2017 backports
-rw-r--r-- 1 root root   74 Aug  7  2014 __init__.py
-rw-r--r-- 1 root root  275 Sep  3 18:15 __init__.pyc
-rw-r--r-- 1 root root 8935 Aug  7  2014 ordered_dict.py
-rw-r--r-- 1 root root 9868 Oct 15  2017 ordered_dict.pyc
lrwxrwxrwx 1 root root   12 Sep  3 18:23 six.py -> ../../six.py
lrwxrwxrwx 1 root root   13 Sep  3 18:23 six.pyc -> ../../six.pyc
lrwxrwxrwx 1 root root   13 Sep  3 18:23 six.pyo -> ../../six.pyo
drwxr-xr-x 2 root root 4096 Oct 15  2017 ssl_match_hostname
lrwxrwxrwx 1 root root   34 Sep  3 18:11 ssl_match_hostname;5b8d08dd -> ../../backports/ssl_match_hostname
lrwxrwxrwx 1 root root   34 Sep  3 18:20 ssl_match_hostname;5b8d0afa -> ../../backports/ssl_match_hostname
lrwxrwxrwx 1 root root   34 Sep  3 18:23 ssl_match_hostname;5b8d0b99 -> ../../backports/ssl_match_hostname

[root@packages]# sudo rm -rf ssl_match_hostname*
[root@packages]# sudo yum update python-urllib3.noarch
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Package(s) python-urllib3.noarch available, but not installed.
No packages marked for update
[root@izwz9dnfbgdn5tleje5eitz packages]# yum -y install python-urllib3.noarch
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package python-urllib3.noarch 0:1.10.2-5.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================
 Package                       Arch                  Version                        Repository           Size
==============================================================================================================
Installing:
 python-urllib3                noarch                1.10.2-5.el7                   base                102 k

Transaction Summary
==============================================================================================================
Install  1 Package

Total download size: 102 k
Installed size: 378 k
Downloading packages:
python-urllib3-1.10.2-5.el7.noarch.rpm                                                 | 102 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : python-urllib3-1.10.2-5.el7.noarch                                                         1/1 
  Verifying  : python-urllib3-1.10.2-5.el7.noarch                                                         1/1 

Installed:
  python-urllib3.noarch 0:1.10.2-5.el7                                                                        

Complete!

Re-run sudo certbot --apache

[root@~]# sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected] // if you have an overseas mailbox, prefer it: domestic mailboxes
                       // receive slowly and sometimes never get the mail at all.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: 

Opening https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf directly in a browser downloads the document;

Opening https://acme-v02.api.letsencrypt.org/directory directly in a browser shows its contents. This directory is what ACME v2 uses; the certificate being generated now is an ACME (v1) one, and ACME v2 is covered later.

{
  "OjTRjMzrdVo": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}

We continue: enter a/A to agree.

......
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom. // roughly: asks whether you want news about the Let's Encrypt project's work sent to your mailbox.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y // up to you; I chose y because, having decided to use this project, I want to keep up with it so I can avoid unexpected problems.
Starting new HTTPS connection (1): supporters.eff.org
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): deepppixel.com  // enter your domain name
Obtaining a new certificate
Resetting dropped connection: acme-v02.api.letsencrypt.org
Resetting dropped connection: acme-v02.api.letsencrypt.org
Performing the following challenges:
http-01 challenge for deepppixel.com
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

First back up the /etc/letsencrypt directory

[root@~]# cp -rf /etc/letsencrypt/ /etc/.letsencrypt.backup/

[root@~]# ls /etc/.letsencrypt.backup/
accounts  csr  keys  options-ssl-apache.conf  renewal  renewal-hooks

[root@~]# ls /etc/letsencrypt/
accounts  csr  keys  options-ssl-apache.conf  renewal  renewal-hooks

If the following error appears, you need to configure an Apache virtual host:

Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

Adding an Apache vhost

The domain I use is deepppixel.com; remember to add the DNS record for your domain.

What I create is a name-based virtual host: multiple domains pointing at the same server address.

The other two kinds are IP-based and port-based virtual hosts.

First create the directory that holds the virtual host configuration

// directory for the virtual host configuration files
[root@~]# mkdir -p /etc/httpd/conf/vhost

Then create the content directory for the domain's website

// naming the directory after the domain keeps later domains from colliding; do not pick arbitrary names, you will regret it
[root@~]# mkdir -p /var/www/deepppixel.com

Add the log files for the domain

[root@~]# touch /etc/httpd/logs/deepppixel.com-error_log
[root@~]# touch /etc/httpd/logs/deepppixel.com-access_log

Add the virtual host path created above to the Apache configuration file

[root@~]# vim /etc/httpd/conf/httpd.conf
......
# vhost
Include conf/vhost/*.conf

Now add the virtual host file

[root@~]# vim /etc/httpd/conf/vhost/deepppixel.com.conf

<VirtualHost *:80>
    ServerName deepppixel.com
    ServerAlias deepppixel.com *.deepppixel.com
    DocumentRoot "/www/deepppixel.com"
    ErrorLog "/logs/deepppixel.com-error_log"
    CustomLog "/logs/deepppixel.com-access_log"
    <Directory "/www/deepppixel.com">
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

Check httpd.conf for errors

[root@~]# httpd -t
// the directory was not found
AH00112: Warning: DocumentRoot [/www/deepppixel.com] does not exist 
// CustomLog needs two or three arguments
AH00526: Syntax error on line 7 of /etc/httpd/conf/vhost/deepppixel.com.conf:
CustomLog takes two or three arguments, a file name, a custom log format string or format name, and an optional "env=" or "expr=" clause (see docs) 

Two errors appeared; fix them as follows

  2 <VirtualHost *:80>
  3     ServerName deepppixel.com
  4     ServerAlias deepppixel.com *.deepppixel.com
    // fix for AH00112
  5     DocumentRoot "/var/www/deepppixel.com"
  6     ErrorLog "logs/deepppixel.com-error_log"
    // fix for AH00526
  7     CustomLog "logs/deepppixel.com-access_log" "%h %l %u %t \"%r\" %>s %b"
  8     <Directory "/var/www/deepppixel.com">
  9         Options Indexes FollowSymLinks
 10         AllowOverride None
 11         Require all granted
 12     </Directory>
 13 </VirtualHost>

Check again

[root@~]# httpd -t
Syntax OK

Restart the Apache server

[root@~]# systemctl restart httpd.service

Refresh the page... uh-oh

[Figure 2: 403]

First, before a virtual host was configured, the website served files straight from /var/www/html/; once Apache has a virtual host configured it uses the vhost configuration and ignores the default one. In other words, the site is now served from /var/www/deepppixel.com, and that directory is still empty.

Fixing the problem

// the permissions are fine
[root@~]# ls -la /var/www/
total 20
drwxr-xr-x   5 root root 4096 Sep 13 16:44 .
drwxr-xr-x. 20 root root 4096 Sep  5 11:54 ..
drwxr-xr-x   2 root root 4096 Jun 27 21:49 cgi-bin
drwxr-xr-x   2 root root 4096 Sep 13 16:44 deepppixel.com
drwxr-xr-x   2 root root 4096 Sep 13 16:14 html
lrwxrwxrwx   1 root root   15 Sep  7 12:38 public -> /vagrant/public

// create the index.html home page
[root@~]# touch /var/www/deepppixel.com/index.html

[root@~]# echo 'Apache HTTP Server... deepppixel.com Hello World !' > /var/www/deepppixel.com/index.html

[root@~]# cat /var/www/deepppixel.com/index.html
Apache HTTP Server... deepppixel.com Hello World !

[root@~]# systemctl restart httpd.service
[Figure 3: 403 ok]

Run sudo certbot --apache again

[root@~]# sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: deepppixel.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 

The virtual host we just configured has been detected

1: deepppixel.com

There is only one option here, so enter 1

......
blank to select all options shown (Enter 'c' to cancel):  1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for deepppixel.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf/vhost/deepppixel.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf/vhost/deepppixel.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
// do not redirect HTTP to HTTPS
1: No redirect - Make no further changes to the webserver configuration.
// redirect all HTTP requests to HTTPS and stop serving plain HTTP
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 

On to the next question: we want HTTPS, so choose 2

......
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/httpd/conf/vhost/deepppixel.com.conf to ssl vhost in /etc/httpd/conf/vhost/deepppixel.com-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://deepppixel.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=deepppixel.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/deepppixel.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/deepppixel.com/privkey.pem
   Your cert will expire on 2018-12-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

If you also see the message Congratulations! You have successfully enabled https://deepppixel.com then you succeeded. The certificate is stored under /etc/letsencrypt/live/deepppixel.com/

Now refresh your page

[Figure 4: https]

Now look at the certificate (Chrome browser)

[Figure 5: https]

Because SSL certificates are valid for 90 days by default, you have to renew them before they expire. The following sets up automatic renewal, which runs unattended every day in the middle of the night:

// crontab entry (not a shell command); add it with crontab -e
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew

Did you think that was it?

Of course not! What we have created so far is only an ACME (v1) certificate; the latest is ACME v2, which supports wildcards such as *.deepppixel.com.

Step 04

From the Certbot DNS plugins I picked one for a DNS provider that allows third-party sign-in; you can choose whichever DNS provider you like.

The plugin I first chose was certbot-dns-cloudxns, but it requires real-name verification. That is not a problem in itself, but the verification kept reporting that the information was wrong without giving a reason; after several attempts and no help from support, I had to switch.

I now use certbot-dns-cloudflare. Register first, then follow the pictures below.

In Figure 01, the red box links to the feature for adding several domains at once; here only one domain is added, so fill in the box above it and click confirm.

[Figure 01: Cloudflare - Web Performance & Security]

After Add Site in Figure 01, click next (Figure 02), then choose a plan (Figure 03); I chose the free one. Cloudflare then automatically loads the HTTP DNS records you had added at the registrar for that domain (Figure 04); if you want more records, add them yourself.

[Figure 02: Cloudflare - Web Performance & Security, next]
[Figure 03: Cloudflare - Web Performance & Security, plan]
[Figure 04: Cloudflare - Web Performance & Security, DNS records]

Click help (Figure 05) and choose other to get to Figure 06; follow Step 1 / 2 there to change the nameservers at your domain registrar. My domain is registered with Tencent, so I changed it there (Figure 07). Once that is done, go back to Cloudflare (Figure 06) and click I'm done.

[Figure 05: Cloudflare - Web Performance & Security, help, nameservers]
[Figure 06: Cloudflare - Web Performance & Security, nameserver change steps]
[Figure 07: cloudflare nameservers]

After clicking I'm done, Figure 08 appears. The whole point of all this is to get the API key: scroll down to Get your API Key (Figure 09; Figures 8 and 9 are the same page), open My Profile, scroll to the bottom to API Keys (Figure 10) and click view to get the API key.

There are two API keys here. The Origin key is for use on public servers; mine is a personal server, so I chose the Global key.

[Figure 08: Cloudflare - Web Performance & Security, done]
[Figure 09: Cloudflare - Web Performance & Security, get API key]
[Figure 10: My Profile, Cloudflare - Web Performance & Security]

Step 05

Installing the DNS plugin

First install the Certbot DNS plugin

Search with yum

[root@~]# yum search dns-cloudflare dns-cloudxns dns-digitalocean dns-dnsimple dns-dnsmadeeasy dns-google dns-linode dns-luadns dns-nsone dns-ovh dns-rfc2136 dns-route53
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * remi-php72: mirrors.tuna.tsinghua.edu.cn
 * remi-safe: mirrors.tuna.tsinghua.edu.cn
 * webtatic: uk.repo.webtatic.com
======================================== N/S matched: dns-cloudflare =========================================
python2-certbot-dns-cloudflare.noarch : Cloudflare DNS Authenticator plugin for Certbot

========================================= N/S matched: dns-cloudxns ==========================================
python2-certbot-dns-cloudxns.noarch : CloudXNS DNS Authenticator plugin for Certbot

======================================= N/S matched: dns-digitalocean ========================================
python2-certbot-dns-digitalocean.noarch : DigitalOcean DNS Authenticator plugin for Certbot

========================================= N/S matched: dns-dnsimple ==========================================
python2-certbot-dns-dnsimple.noarch : DNSimple DNS Authenticator plugin for Certbot

======================================== N/S matched: dns-dnsmadeeasy ========================================
python2-certbot-dns-dnsmadeeasy.noarch : DNS Made Easy DNS Authenticator plugin for Certbot

========================================== N/S matched: dns-google ===========================================
python2-certbot-dns-google.noarch : Google Cloud DNS Authenticator plugin for Certbot

========================================== N/S matched: dns-linode ===========================================
python2-certbot-dns-linode.noarch : Linode DNS Authenticator plugin for Certbot

========================================== N/S matched: dns-luadns ===========================================
python2-certbot-dns-luadns.noarch : LuaDNS Authenticator plugin for Certbot

=========================================== N/S matched: dns-nsone ===========================================
python2-certbot-dns-nsone.noarch : NS1 DNS Authenticator plugin for Certbot

============================================ N/S matched: dns-ovh ============================================
python2-certbot-dns-ovh.noarch : OVH DNS Authenticator plugin for Certbot

========================================== N/S matched: dns-rfc2136 ==========================================
python2-certbot-dns-rfc2136.noarch : RFC 2136 DNS Authenticator plugin for Certbot

========================================== N/S matched: dns-route53 ==========================================
python2-certbot-dns-route53.noarch : Route53 DNS Authenticator plugin for Certbot

  Name and summary matches mostly, use "search all" for everything.

or search with pip

[root@izwz9dnfbgdn5tleje5eitz ~]# pip search certbot | grep "certbot-dns-"
certbot-dns-luadns (0.27.1)              - LuaDNS Authenticator plugin for Certbot
certbot-dns-alwaysdata (0.24.0)          - Alwaysdata DNS Authenticator plugin for Certbot
certbot-dns-cloudflare (0.27.1)          - Cloudflare DNS Authenticator plugin for Certbot
certbot-dns-cloudxns (0.27.1)            - CloudXNS DNS Authenticator plugin for Certbot
certbot-dns-conoha (0.1.0)               - ConoHa DNS Authenticator plugin for certbot.
certbot-dns-digitalocean (0.27.1)        - DigitalOcean DNS Authenticator plugin for Certbot
certbot-dns-dnsimple (0.27.1)            - DNSimple DNS Authenticator plugin for Certbot
certbot-dns-dnspod (0.1.0)               - DNSPOD DNS Authenticator plugin for Certbot
certbot-dns-linode (0.27.1)              - Linode DNS Authenticator plugin for Certbot
certbot-dns-netcup (0.27.0.dev4)         - netcup DNS Authenticator plugin for Certbot
certbot-dns-nsone (0.27.1)               - NS1 DNS Authenticator plugin for Certbot
certbot-dns-openstack (0.0.1)            - OpenStack DNS Authenticator plugin for Certbot
certbot-dns-ovh (0.27.1)                 - OVH DNS Authenticator plugin for Certbot
certbot-dns-route53 (0.27.1)             - Route53 DNS Authenticator plugin for Certbot
certbot-dns-google (0.27.1)              - Google Cloud DNS Authenticator plugin for Certbot
certbot-dns-rfc2136 (0.27.1)             - RFC 2136 DNS Authenticator plugin for Certbot
certbot-dns-sakuracloud (0.27.1)         - Sakura Cloud DNS Authenticator plugin for Certbot
certbot-dns-dnsmadeeasy (0.27.1)         - DNS Made Easy DNS Authenticator plugin for Certbot
certbot-dns-gehirn (0.27.1)              - Gehirn Infrastracture Service DNS Authenticator plugin for Certbot
certbot-dns-cpanel (0.2.0)               - certbot plugin to allow acme dns-01 authentication of a name managed in cPanel.

List Certbot's plugins

[root@~]# certbot plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Install option 1: yum

Install certbot-dns-cloudflare with yum

[root@~]# yum -y install python2-certbot-dns-cloudflare
......
Total                                                                         1.7 MB/s | 281 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : python2-zope-interface-4.0.5-0.el7.noarch                                                  1/5 
  Installing : libyaml-0.1.4-11.el7_0.x86_64                                                              2/5 
  Installing : PyYAML-3.10-11.el7.x86_64                                                                  3/5 
  Installing : python2-cloudflare-2.1.0-2.el7.noarch                                                      4/5 
  Installing : python2-certbot-dns-cloudflare-0.26.1-1.el7.noarch                                         5/5 
  Verifying  : python2-cloudflare-2.1.0-2.el7.noarch                                                      1/5 
  Verifying  : libyaml-0.1.4-11.el7_0.x86_64                                                              2/5 
  Verifying  : PyYAML-3.10-11.el7.x86_64                                                                  3/5 
  Verifying  : python2-certbot-dns-cloudflare-0.26.1-1.el7.noarch                                         4/5 
  Verifying  : python2-zope-interface-4.0.5-0.el7.noarch                                                  5/5 

Installed:
  python2-certbot-dns-cloudflare.noarch 0:0.26.1-1.el7                                                        

Dependency Installed:
  PyYAML.x86_64 0:3.10-11.el7                         libyaml.x86_64 0:0.1.4-11.el7_0                        
  python2-cloudflare.noarch 0:2.1.0-2.el7             python2-zope-interface.noarch 0:4.0.5-0.el7            

Complete!

Listing Certbot's plugins again now fails

[root@site-packages]# certbot plugins
An unexpected error occurred:
DistributionNotFound: The 'cloudflare>=1.5.1' distribution was not found and is required by the application
Please see the logfile '/tmp/tmpdXjGyi' for more details.

The error says cloudflare cannot be found; install it to clear the error

[root@~]# yum -y install python2-cloudflare 

List Certbot's plugins again

[root@~]# certbot plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT

* dns-cloudflare
Description: Obtain certificates using a DNS TXT record (if you are using
Cloudflare for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-cloudflare =
certbot_dns_cloudflare.dns_cloudflare:Authenticator

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Install option 2: pip

Install certbot-dns-cloudflare with pip

[root@~]# pip search certbot-dns-cloudflare | grep "certbot-dns-cloudflare"
certbot-dns-cloudflare (0.27.1)                       - Cloudflare DNS Authenticator plugin for Certbot

[root@~]# pip install certbot-dns-cloudflare
......
Installing collected packages: jsonlines, cloudflare, certbot-dns-cloudflare
  Running setup.py install for cloudflare ... done
Successfully installed certbot-dns-cloudflare-0.27.1 cloudflare-2.1.0 jsonlines-1.2.0

After installing, list Certbot's plugins again

[root@~]# certbot plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT

* dns-cloudflare
Description: Obtain certificates using a DNS TXT record (if you are using
Cloudflare for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-cloudflare =
certbot_dns_cloudflare.dns_cloudflare:Authenticator

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

There is also a pip issue. The first time, pip installed it fine; I removed it for this demonstration, and on reinstalling it reported TypeError: cannot concatenate 'str' and 'NoneType' objects, a strange problem. Python itself was fine, so I removed pip, reinstalled pip, and then pip install certbot-dns-cloudflare worked. [It may be because my pip had been upgraded directly from a low version; the official notes say this error has been fixed, so if it still occurs it is pip's own problem.]

Remove pip and reinstall it

[root@~]# yum list installed | grep "pip"
yum list installed *pip
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * remi-php72: mirrors.tuna.tsinghua.edu.cn
 * remi-safe: mirrors.tuna.tsinghua.edu.cn
 * webtatic: uk.repo.webtatic.com
Installed Packages
python2-pip.noarch                                                                 8.1.2-6.el7                                                                  @epel
[root@~]# yum remove python2-pip
[root@~]# yum search pip | grep 'python.*\-pip'
python-django-pipeline.noarch : An asset packaging library for Django
python2-pip.noarch : A tool for installing and managing Python 2 packages
python34-pip.noarch : A tool for installing and managing Python3 packages

Pick the package for your Python version and install it

[root@~]# yum -y install python2-pip

If the last lines of pip's output when installing the cloudflare plugin are

......
Installing collected packages: certbot-dns-cloudflare
Successfully installed certbot-dns-cloudflare-0.27.1

then the installation is not complete; some dependencies still need to be installed

[root@~]# pip install cloudflare jsonlines

Install option 3: python [not recommended]

Clone the source with git and install it with python directly

[root@~]# git clone https://github.com/certbot/certbot/
[root@~]# cd certbot/certbot-dns-cloudflare
[root@~]# python setup.py install

If none of the above succeeded, check which Python version Certbot uses!

[root@~]# head /usr/bin/certbot
#!/usr/bin/python2
......

Mine is Python 2.x, so there is no problem. If it turns out to be Python 3, watch out for the version mismatch; the reverse applies too. In short, Certbot and the plugin must use the same Python version.

Build the ini file from the API Keys: first create a hidden directory to keep things tidy, then create the file

[root@~]# mkdir -p ~/.secrets/certbot

[root@~]# vim ~/.secrets/certbot/cloudflare.ini

Enter the following in the ini file (use # for comments; a trailing // would be read as part of the value)

# Cloudflare API credentials used by Certbot
# dns_cloudflare_email: the e-mail you registered with Cloudflare
# dns_cloudflare_api_key: the API Key obtained above
dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = API Keys

Configure and install with Certbot

[root@~]# certbot -a dns-cloudflare -i apache --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini --dns-cloudflare-propagation-seconds 60 -d "*.deepppixel.com" -d deepppixel.com --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/deepppixel.com.conf)

It contains these names: deepppixel.com

You requested these names for the new certificate: *.deepppixel.com,
deepppixel.com.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: 

Because we already have an ACME certificate, the question of replacing and expanding it comes up.

Let me explain the command first (you can copy the command below and paste it directly to run it)

[root@~]# certbot \
  -a dns-cloudflare \
  -i apache \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
  --dns-cloudflare-propagation-seconds 60 \
  -d "*.deepppixel.com" \
  -d deepppixel.com \
  --server https://acme-v02.api.letsencrypt.org/directory

-a dns-cloudflare: use the certbot-dns-cloudflare DNS plugin; change this to the DNS plugin you installed;

-i apache: because we use Apache HTTP Server, use the Apache installer;

--dns-cloudflare-credentials: path to the API Keys file;

--dns-cloudflare-propagation-seconds 60: how long to wait for DNS propagation; the default is 10s, so it can be omitted;

-d "*.deepppixel.com": the domain to add, in this case the wildcard domain;

-d deepppixel.com: the bare (apex) domain;

--server https://acme-v02.api.letsencrypt.org/directory: use ACME v2; if omitted, ACME (v1) is used.

OK! Continue and choose e

......
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate
Resetting dropped connection: acme-v02.api.letsencrypt.org
Performing the following challenges:
dns-01 challenge for deepppixel.com
dns-01 challenge for deepppixel.com
Unsafe permissions on credentials configuration file: /root/.secrets/certbot/cloudflare.ini
Starting new HTTPS connection (1): api.cloudflare.com
Starting new HTTPS connection (1): api.cloudflare.com
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
Starting new HTTPS connection (1): api.cloudflare.com
Starting new HTTPS connection (1): api.cloudflare.com

Which VirtualHosts would you like to install the wildcard certificate for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: File: /etc/httpd/conf/vhost/deepppixel.com-le-ssl.conf
Addresses: xxx:443
Names: deepppixel.com, *.deepppixel.com
HTTPS: Yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 

When you see the message Waiting 60 seconds for DNS changes to propagate, do not do anything; just wait.

A new pitfall appears: Unsafe permissions on credentials configuration file: /root/.secrets/certbot/cloudflare.ini

First type c to cancel

......
blank to select all options shown (Enter 'c' to cancel): c
No vhost exists with servername or alias for domain *.deepppixel.com. No vhost was selected. Please specify ServerName or ServerAlias in the Apache config.
No vhost selected

IMPORTANT NOTES:
 - Unable to install the certificate
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/deepppixel.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/deepppixel.com/privkey.pem
   Your cert will expire on 2018-12-13. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"

The permissions of the ini file need to be changed; fix them like this

[root@~]# chmod 600 ~/.secrets/certbot/cloudflare.ini
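The credentials file, the command flags explained above, and the Unsafe permissions warning are tied together: certbot refuses to use a Cloudflare API key that other local users could read. As an added example, not part of the original post, the script below creates the ini file with mode 0600 from the start, performs the same permission check before running anything, and assembles the certbot command from the post only when the check passes. The e-mail and API key values in the demo are constructed placeholders, and the script only prints the command instead of executing it.

```shell
#!/bin/sh
# Added example (not from the original post): create the Cloudflare
# credentials file with the permissions certbot insists on, and assemble the
# certbot command from the post only when that check passes.

# Write the ini file with mode 0600 from the start, so the API key is never
# world-readable even for an instant.  $1 = path, $2 = e-mail, $3 = API key.
write_cloudflare_ini() {
  ini=$1; email=$2; api_key=$3
  mkdir -p "$(dirname "$ini")" && chmod 700 "$(dirname "$ini")"
  # umask in a subshell so the caller's umask is left alone
  (
    umask 077
    printf '# Cloudflare API credentials used by Certbot\n' > "$ini"
    printf 'dns_cloudflare_email = %s\n' "$email" >> "$ini"
    printf 'dns_cloudflare_api_key = %s\n' "$api_key" >> "$ini"
  )
}

# Return 0 when the file exists and has no group/other permission bits
# (0600, 0400, ...), which is what certbot checks before printing
# "Unsafe permissions on credentials configuration file"; 1 otherwise.
credentials_file_is_safe() {
  [ -f "$1" ] || return 1
  mode=$(stat -c '%a' "$1") || return 1
  case "$mode" in
    *00) return 0 ;;   # last two octal digits zero: nothing for group/other
    *)   return 1 ;;
  esac
}

# Print the command from the post, one argument per line, after verifying the
# credentials file.  Wildcard names need dns-01 on the ACME v2 endpoint, so
# --server is always the v02 directory.  Nothing is executed here.
build_certbot_args() {
  creds=$1; wildcard=$2; apex=$3
  if ! credentials_file_is_safe "$creds"; then
    echo "refusing to run: chmod 600 $creds first" >&2
    return 1
  fi
  printf '%s\n' \
    certbot \
    -a dns-cloudflare \
    -i apache \
    --dns-cloudflare \
    --dns-cloudflare-credentials "$creds" \
    --dns-cloudflare-propagation-seconds 60 \
    -d "$wildcard" \
    -d "$apex" \
    --server https://acme-v02.api.letsencrypt.org/directory
}

# Stand-alone demo in a temporary directory with a constructed (fake) key.
demo=$(mktemp -d)
write_cloudflare_ini "$demo/cloudflare.ini" "you@example.com" "CONSTRUCTED-API-KEY"
build_certbot_args "$demo/cloudflare.ini" '*.deepppixel.com' deepppixel.com
rm -rf "$demo"
```

To use it against the real file, call write_cloudflare_ini with ~/.secrets/certbot/cloudflare.ini and your own values, then run the printed command; the 0600 mode is what makes the second run in the post succeed without the warning.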

Run the command again

[root@~]# certbot -a dns-cloudflare -i apache --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini --dns-cloudflare-propagation-seconds 60 -d "*.deepppixel.com" -d deepppixel.com --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/deepppixel.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
// Reinstall using the existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
// Renew or replace the certificate (rate limit: roughly 5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 

We choose 2 and are back at the step we cancelled above

......
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for deepppixel.com
dns-01 challenge for deepppixel.com
Starting new HTTPS connection (1): api.cloudflare.com
Starting new HTTPS connection (1): api.cloudflare.com
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
Starting new HTTPS connection (1): api.cloudflare.com
Starting new HTTPS connection (1): api.cloudflare.com

Which VirtualHosts would you like to install the wildcard certificate for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: File: /etc/httpd/conf/vhost/deepppixel.com-le-ssl.conf
Addresses: xxx:443
Names: deepppixel.com, *.deepppixel.com
HTTPS: Yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 

If there are two or more, e.g. 1: Filexxx 2: Filexxx 3: Filexxx ..., you can type 1, a space, then 3 to install only 1 and 3; to install all of them just press Enter. Since I only have one, I choose 1 and press Enter.

Continue

......
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Deploying Certificate to VirtualHost /etc/httpd/conf/vhost/deepppixel.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf/vhost/deepppixel.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 

The prompt above looks familiar, doesn't it? Just choose 2

......
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enhancement redirect was already set.
Enhancement redirect was already set.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://*.deepppixel.com and
https://deepppixel.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=*.deepppixel.com
https://www.ssllabs.com/ssltest/analyze.html?d=deepppixel.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/deepppixel.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/deepppixel.com/privkey.pem
   Your cert will expire on 2018-12-13. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Just refresh your https://www.deepppixel.com page and you are done!

Check the certificate again

Image: acme v2.jpg

Of course you can also test SSL with the URL mentioned above, https://www.ssllabs.com/ssltest/analyze.html?d=your-domain, which shows much more information.

Image: SSL Server Test (Powered by Qualys SSL Labs)
Image: SSL Server Test_ www.deepppixel.com (Powered by Qualys SSL Labs)

Wait until it reaches 100% complete and the results appear; there is a lot more information further down.
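Before trusting a browser refresh or the SSL Labs report, it is worth checking the files certbot wrote under /etc/letsencrypt/live/deepppixel.com/ directly on the server. The script below is an added example, not part of the original post: it reads the DNS names from fullchain.pem, confirms both the wildcard and the apex name are present, checks that the certificate is not within 30 days of expiry (the point at which certbot renew would act), and verifies that privkey.pem really belongs to fullchain.pem. Since it has to run offline, make_demo_live_dir builds a constructed self-signed stand-in with the same names; the real files come from certbot. It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the files certbot wrote
# under /etc/letsencrypt/live/<name>/ before relying on a browser refresh or
# SSL Labs.  Needs the openssl CLI.

# Print the DNS names in the certificate's subjectAltName, one per line.
cert_dns_names() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Return 0 if the certificate lists $2 exactly (e.g. '*.deepppixel.com').
cert_covers() {
  cert_dns_names "$1" | grep -qxF -- "$2"
}

# Return 0 if the certificate is still valid for at least $2 more days
# (certbot renews at 30 days, so anything under that deserves a look).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Return 0 if privkey.pem and fullchain.pem belong together: compare the
# public key embedded in the certificate with the one derived from the key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run every check against a live directory; nonzero on the first failure.
# $1 = directory, $2 = wildcard name, $3 = apex name.
check_live_dir() {
  dir=$1; wildcard=$2; apex=$3
  crt=$dir/fullchain.pem; key=$dir/privkey.pem
  [ -f "$crt" ] && [ -f "$key" ] || { echo "missing pem files in $dir" >&2; return 1; }
  cert_covers "$crt" "$wildcard" || { echo "certificate lacks $wildcard" >&2; return 1; }
  cert_covers "$crt" "$apex"     || { echo "certificate lacks $apex" >&2; return 1; }
  cert_valid_for_days "$crt" 30  || { echo "certificate expires within 30 days" >&2; return 1; }
  key_matches_cert "$crt" "$key" || { echo "privkey.pem does not match fullchain.pem" >&2; return 1; }
  echo "ok: $dir covers $wildcard and $apex"
}

# Constructed, self-signed stand-in for certbot's output so the checks can be
# exercised offline; the real files are produced by certbot, not by this.
make_demo_live_dir() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = deepppixel.com
[v3]
subjectAltName = DNS:*.deepppixel.com,DNS:deepppixel.com
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" \
    -config "$dir/openssl.cnf" >/dev/null 2>&1
}

# Stand-alone demo against the constructed directory.
demo=$(mktemp -d)
make_demo_live_dir "$demo"
check_live_dir "$demo" '*.deepppixel.com' deepppixel.com
rm -rf "$demo"
```

On the real server, replace the demo call with check_live_dir /etc/letsencrypt/live/deepppixel.com '*.deepppixel.com' deepppixel.com; a mismatch between privkey.pem and fullchain.pem, or a missing wildcard name, is exactly the kind of problem that a browser refresh of www.deepppixel.com would only reveal as a vague TLS error.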
