SSL证书这么贵,自签名证书这么不受浏览器待见,为什么不用Let’s encrypt免费证书呢?而且这个证书基本上一键生成,下面是方法。
下载let’s encrypt客户端
git clone https://github.com/certbot/certbot
进入下载的目录,执行自动脚本:
./certbot-auto --apache -d abc.com -d www.abc.com
2021 更新:
certbot-auto 命令已经废除,使用新命令:
certbot --nginx -d abc.com -d www.abc.com
输入email之类的信息,就可以完成了!!!
检测一下看看:https://www.ssllabs.com/ssltest/analyze.html?d=abc.com&latest
是最高等级的评级!
IMPORTANT NOTES:- Congratulations! Your certificate and chain have been saved at:/etc/letsencrypt/live/abc.com/fullchain.pemYour key file has been saved at:/etc/letsencrypt/live/abc.com/privkey.pemYour cert will expire on 2018-02-02. To obtain a new or tweakedversion of this certificate in the future, simply run certbot-autoagain with the "certonly" option. To non-interactively renew *all*of your certificates, run "certbot-auto renew"- Your account credentials have been saved in your Certbotconfiguration directory at /etc/letsencrypt. You should make asecure backup of this folder now. This configuration directory willalso contain certificates and private keys obtained by Certbot somaking regular backups of this folder is ideal.- If you like Certbot, please consider supporting our work by:Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donateDonating to EFF: https://eff.org/donate-le证书更新
先切换到Python2,切换python2/3,点这里。
./certbot-auto certonly --apache --renew-by-default -d abc.com -d www.abc.com
转发一个自动更新的脚本:
#!/bin/bash
#================================================================
# Let's Encrypt renewal script for Apache on Ubuntu/Debian
# @author Erika Heidi<erika@do.co>
# Usage: ./le-renew.sh [base-domain-name]
#================================================================
domain=$1
le_path='/opt/letsencrypt'
le_conf='/etc/letsencrypt'
exp_limit=30;get_domain_list(){
certdomain=$1config_file="$le_conf/renewal/$certdomain.conf"if [ ! -f $config_file ] ; thenecho "[ERROR] The config file for the certificate $certdomain was not found."exit 1;fidomains=$(grep --only-matching --perl-regex "(?<=domains \= ).*" "${config_file}")last_char=$(echo "${domains}" | awk '{
print substr($0,length,1)}')if [ "${last_char}" = "," ]; thendomains=$(echo "${domains}" |awk '{
print substr($0, 1, length-1)}')fiecho $domains;
}if [ -z "$domain" ] ; thenecho "[ERROR] you must provide the domain name for the certificate renewal."exit 1;
ficert_file="/etc/letsencrypt/live/$domain/fullchain.pem"if [ ! -f $cert_file ]; thenecho "[ERROR] certificate file not found for domain $domain."exit 1;
fiexp=$(date -d "`openssl x509 -in $cert_file -text -noout|grep "Not After"|cut -c 25-`" +%s)
datenow=$(date -d "now" +%s)
days_exp=$(echo \( $exp - $datenow \) / 86400 |bc)echo "Checking expiration date for $domain..."if [ "$days_exp" -gt "$exp_limit" ] ; thenecho "The certificate is up to date, no need for renewal ($days_exp days left)."exit 0;
elseecho "The certificate for $domain is about to expire soon. Starting renewal request..."domain_list=$( get_domain_list $domain )"$le_path"/letsencrypt-auto certonly --apache --renew-by-default --domains "${domain_list}"echo "Restarting Apache..."/usr/sbin/service apache2 reloadecho "Renewal process finished for domain $domain"exit 0;
fi
两个问题:
- 一键生成SSL证书的脚本是用python 2写的,然后oj需要python3的支持。如何在SSL证书到期自动生成的脚本中加入python2 、3之间的自动转换(即生成证书前把python3转到python2,生成自动转3)
- http强制跳转https有何潜在问题
第一个问题:
certbot脚本基于python2,当系统里有python2 和python3时,会报错:
OSError: Command /root/.local/share/letsencrypt/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2
Let's Encrypt returned an error status. Aborting.
解决方法1是升级pip,参考前3步:
https://github.com/interbrite/letsencrypt-vesta/issues/46#issuecomment-273014451
解决方法2,3是更新系统语言或者apt按照letsencrypt,更新语言尝试了但是没用。apt安装?~看着太混乱,没试:
https://github.com/certbot/certbot/issues/4062#issuecomment-273236106
解决办法4,重新安装virtualenv环境(有效):
先卸载:
apt-get purge python-virtualenv python3-virtualenv virtualenv
再安装:
pip install virtualenv
注意,安装在python2环境下,运行certbot命令后又会安装virtualenv环境
切换python2/3,点这里。