前言
此前在阿里申请了免费的SSL证书,但每个人只有20个证书的额度,此额度是一次性、永久性的,也就是说,到期的证书也算;由于各种各样的原因,我的测试额度已经满了。于是转粉腾讯云,结果腾讯这边直接审核不通过,顿时心凉;猛然间想起咱们还有Let's Encrypt's
,立马感觉生活又有了希望。
Let's Encrypt's 介绍
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).
Let's Encrypt's 是一个免费,自动化和开放的证书颁发机构(CA),为公众的利益而运行。它是由Internet Security Research Group(ISRG)提供的服务。
We give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.
我们免费为人们提供数字证书,以帮助他们为网站启用HTTPS,使得他们的网站能更加的安全,数据的隐私能更加有效地得到保护。
The key principles behind Let’s Encrypt are:
- Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
- Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
- Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
- Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
- Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
- Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.
我们的主旨是:免费、自动化、安全、透明、开放、合作
Certbot
Certbot是Let's Encrypt CA(或任何其他讲ACME协议的CA)的全功能,可扩展的客户端,可以自动完成获取证书和配置Web服务器以使用它们的任务。此客户端在基于Unix的操作系统上运行。
安装
Certbot打包在EPEL(企业Linux的额外包)中。 要使用Certbot,必须先启用EPEL存储库。 在RHEL或Oracle Linux上,还必须启用可选通道。
yum -y install yum-utils
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
安装certbot的nginx版插件
yum install python2-certbot-nginx
自动识别nginx配置文件中的域名,一步步获取证书,并自动修改配置文件
certbot --nginx
如果不希望修改配置文件,而只是获取证书可以使用下面这个命令
certbot --nginx certonly
自动续期
可以将Certbot配置为在证书过期之前自动续订证书。 由于Let's Encrypt证书持续90天,因此最好利用此功能。 您可以通过运行以下命令来测试证书的自动续订:
certbot renew --dry-run
如果这看起来工作正常,您可以通过添加运行以下命令的cron作业或systemd计时器来安排自动续订:
certbot renew
如果您正在设置cron或systemd作业,我们建议每天运行两次(在您的证书到期或续订之前,它将不会执行任何操作,但定期运行它会使您的站点有机会保持在线状态 案例a由于某种原因,我们发生了加密启动的撤销。 请在一小时内随机选择续订任务。
一个示例cron作业可能看起来像这样,它将在每天中午和午夜运行:
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew
踩坑
无法找到模块 urllib3
[root@demo src]# certbot --nginx
Traceback (most recent call last):
File "/usr/bin/certbot", line 9, in
load_entry_point('certbot==0.14.1', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 564, in load_entry_point
return get_distribution(dist).load_entry_point(group, name)
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2662, in load_entry_point
return ep.load()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2316, in load
return self.resolve()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2322, in resolve
module = __import__(self.module_name, fromlist=['__name__'], level=0)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 14, in
from certbot import account
File "/usr/lib/python2.7/site-packages/certbot/account.py", line 17, in
from acme import messages
File "/usr/lib/python2.7/site-packages/acme/messages.py", line 4, in
from acme import challenges
File "/usr/lib/python2.7/site-packages/acme/challenges.py", line 10, in
import requests
File "/usr/lib/python2.7/site-packages/requests/__init__.py", line 58, in
from . import utils
File "/usr/lib/python2.7/site-packages/requests/utils.py", line 32, in
from .exceptions import InvalidURL
File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line 10, in
from .packages.urllib3.exceptions import HTTPError as BaseHTTPError
File "/usr/lib/python2.7/site-packages/requests/packages/__init__.py", line 95, in load_module
raise ImportError("No module named '%s'" % (name,))
ImportError: No module named 'requests.packages.urllib3'
解决办法
pip install requests urllib3 pyOpenSSL --force --upgrade
属性错误 pyopenssl
[root@izwz9ad1jbc6fwnusxlv2cz conf.d]# certbot --nginx
Traceback (most recent call last):
File "/usr/bin/certbot", line 9, in
load_entry_point('certbot==0.27.1', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 570, in load_entry_point
return get_distribution(dist).load_entry_point(group, name)
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2751, in load_entry_point
return ep.load()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2405, in load
return self.resolve()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2411, in resolve
module = __import__(self.module_name, fromlist=['__name__'], level=0)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 21, in
from certbot import client
File "/usr/lib/python2.7/site-packages/certbot/client.py", line 16, in
from acme import client as acme_client
File "/usr/lib/python2.7/site-packages/acme/client.py", line 39, in
urllib3.contrib.pyopenssl.inject_into_urllib3()
AttributeError: 'module' object has no attribute 'pyopenssl'
解决方案
# 移除安装
yum remove certbot
# 下载certbot-auto
user@webserver:~$ wget https://dl.eff.org/certbot-auto
user@webserver:~$ chmod a+x ./certbot-auto
# 运行certbot-auto进行证书管理
user@webserver:~$ ./certbot-auto
引用
1.certbot on github
2.Certbot Installation Guide
续集
对于没有80端口的场景,可以参考《IT基础设施:使用acme.sh申请免费泛域名证书》进行申请。