certbot_certbot自动续期脚本 - CSDN
精华内容
参与话题
  • 使用 certbot 安装免费的安全证书

    千次阅读 2019-07-03 14:36:01
    一 、安装certbot 乌班图系统 : $ sudo apt-get install software-properties-common $ sudo add-apt-repository ppa:certbot/certbot $ sudo apt-get update $ sudo apt-get install python-certbot-nginx =======...

    一 、安装certbot


    乌班图系统 :
    $ sudo apt-get install software-properties-common
    $ sudo add-apt-repository ppa:certbot/certbot
    $ sudo apt-get update
    $ sudo apt-get install python-certbot-nginx


    ========================================================================
    如果是CentOS 6、7,先执行:yum install epel-release


    cd /root/
    wget https://dl.eff.org/certbot-auto --no-check-certificate
    chmod a+x ./certbot-auto
    ./certbot-auto -n
    ./certbot-auto -n  是用来安装依赖包的,注意 :需要python2.7 以上


    注意 :国内有些用户反映会卡在Installing Python packages...这个地方不动,因为pip的默认源是国外的,国内可能会有点慢,可以执行下面命令来修改pip源为国内的:
    mkdir ~/.pip
    cat > ~/.pip/pip.conf <<EOF
    [global]
    index-url = https://pypi.doubanio.com/simple/


    [install]
    trusted-host=pypi.doubanio.com
    EOF






     二 、 获取证书
     
      2.1 、单域名 :
      
    乌班图 : certbot certonly --webroot -w /var/www/ssl -d alory198.com -d www.alory19x.com --agree-tos --email xxxxxx@163.com


    centos :  /root/certbot-auto certonly --webroot -w /usr/local/nginx/web/ssl -d alory19x.com -d www.alory19x.com --agree-tos --email xxxxxx@163.com


    --------------参数解释 :
    * certonly  只获取证书
    * --webroot  以webroot插件去获得证书
    * -w  需配合--webroot参数一起使用,用来指定网站根目录
    * -d   指定域名
    * --agree-tos  用意ACME用户协议(如果省略此项,则在命令执行过程中会询问是否同意)
    * --email 指定邮箱用来接收一些通知(如果省略此项,则在命令执行过程中会要求填写)




    2.2 、多域名:


    如果有多个域名,则按照一个 -w  /var/www/example  后接一个 -d example.com  的形式继续输入。


     范例: certbot certonly --webroot -w /var/www/ssl -d www.alory19x.com -d alory19x.com  -w /var/www/ssly -d alory19y.com -d alory19y.com
     
     
    2.3 、注意事项:


    因为默认LNMP的虚拟主机里是禁止 . 开头的隐藏文件及目录的,所以访问http://alory19x.com/.well-known/acme-challenge/**** 这个链接的话返回403错误,所以必须要将对应虚拟主机配置文件里的
    location ~ /\.
    {
    deny all;
    }
    这段配置删掉或注释掉或在这段配置前面加上
    location ~ /.well-known {
    allow all;
    }


    2.4、根目录不在本机的域名的获取方法


    2.4.1 配置certbot 需要验证的目录到本机的 某个目录,
    列如 配置 到/opt/ssl 目录


    location ~ /.well-known {
    root /opt/ssl;               
    ### 配置certbot 需要验证的目录到本机的/opt/ssl 目录
    }
    location ~ /.well-known {
    allow all;
    }


    2.4.2 使用 --standalone
       但是有些时候我们的一些服务并没有根目录,例如一些微服务,这时候使用 --webroot 就走不通了。certbot 还有另外一种模式 --standalone , 这种模式不需要指定网站根目录,他会自动启用服务器的443端口,来验证域名的归属。我们有其他服务(例如nginx)占用了443端口,就必须先停止这些服务,在证书生成完毕后,再启用。


    列如  :./certbot-auto certonly --standalone -dalory19x.com -d alory19x.com --agree-tos --email xxxxxx@163.com



    三、  配置nginx 


    证书生成成功后,会有 Congratulations 的提示,并告诉我们证书放在 /etc/letsencrypt/live/ 这个目录下面对应的位置,可以在nginx里面配置


    server
    {
        listen 443 ssl;
        ssl on;
        ssl_certificate /etc/letsencrypt/live/alory19x.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/alory19x.com/privkey.pem;
    #这里 证书的位置会 有变化,要配置成自己的路径。

        root /home/guest/test;
        server_name alory19x.com;
        index index.html index.htm;
    }
    server
    {
        listen 80;
        server_name alory19x.com;
        return      301 https://$host$request_uri;


    }


    ===============================需注意:以上操作都是在一台服务器上进行,而不是执行命令是一台机,域名是另外一台机。=====================




    四 、证书续期


    乌班图 :certbot renew   证书只有90天有效期,使用此命令自动更新。
    centos /root/certbot-auto renew   证书只有90天有效期,使用此命令自动更新。


    这里当是反向代理的域名的时候会报错,因为我的域名生成证书的时候使用的是 --standalone 模式,验证域名的时候,需要启用443端口,这个错误的意思就是要启用的端口已经被占用了。这时候我必须把nginx先关掉,才可以成功。


    证书是90天才过期,我们只需要在过期之前执行更新操作就可以了。 这件事情就可以直接交给定时任务来完成。linux 系统上有 cron 可以来搞定这件事情。
    下面这段内容的意思就是 每隔 两个月的 凌晨 3:35 执行 更新操作。


    35 3 * */2 * /root/certbot-auto renew --pre-hook "/usr/local/nginx/sbin/nginx -s stop" --post-hook "/usr/local/nginx/sbin/nginx"


    35 3 * */2 * /root/certbot-auto renew --force-renew "/usr/local/nginx/sbin/nginx -s stop" --post-hook "/usr/local/nginx/sbin/nginx"   此命令为强制更新证书。

    参数解释:
    --pre-hook 这个参数表示执行更新操作之前要做的事情,因为我有 --standalone 模式的证书,所以需要 停止 nginx 服务,解除端口占用。
    --post-hook 这个参数表示执行更新操作完成后要做的事情,这里就恢复 nginx 服务的启用

    展开全文
  • certbot更新错误

    2019-09-26 20:59:58
    root@vultr:~/certbot# ./certbot-auto Upgrading certbot-auto 0.29.1 to 0.34.2... Couldn't verify signature of downloaded certbot-auto. Command '[u'openssl', u'dgst', u'-sha256',...

    自动更新老是提示这个错误。

    root@vultr:~/certbot# ./certbot-auto
    Upgrading certbot-auto 0.29.1 to 0.34.2...
    Couldn't verify signature of downloaded certbot-auto. Command '[u'openssl', u'dgst', u'-sha256', u'-verify', u'/tmp/tmp.7MOfNZ80uw/public_key.pem', u'-signature', u'/tmp/tmp.7MOfNZ80uw/letsencrypt-auto.sig', u'/tmp/tmp.7MOfNZ80uw/letsencrypt-auto']' returned non-zero exit status 1
    

      

    使用下面语句解决

    ./certbot-auto  --no-self-upgrade

    转载于:https://www.cnblogs.com/yangxiaodi/p/10933642.html

    展开全文
  • certbot客户端certbot-auto

    2020-07-29 14:20:20
    通过wget https://dl.eff.org/certbot-auto无法下载的用户可以使用此文件。本文件从官网下载,原封不动。
  • certbot [子命令] [选项] [-d 域名] [-d 域名] ... Certbot工具用于获取和安装 HTTPS/TLS/SSL 证书。默认情况下,Certbot会尝试为本地网页服务器 (如果不存在会默认安装一个到本地)获取并安装证书。最常用的子命令...
    用法:
      certbot [子命令] [选项] [-d 域名] [-d 域名] ...
    
    Certbot工具用于获取和安装 HTTPS/TLS/SSL 证书。默认情况下,Certbot会尝试为本地网页服务器
    (如果不存在会默认安装一个到本地)获取并安装证书。最常用的子命令和选项如下:
    
    获取, 安装, 更新证书:
        (默认) run       获取并安装证书到当前网页服务器
        certonly        获取或更新证书,但是不安装
        renew           更新已经获取但快过期的所有证书
       -d 域名列表        指定证书对应的域名列表,域名之间使用逗号分隔
    
      --apache          使用Apache插件进行身份认证和安装
      --standalone      运行一个独立的网页服务器用于身份认证
      --nginx           使用Nginx插件进行身份认证和安装
      --webroot         把身份认证文件放置在服务器的网页根目录下
      --manual          使用交互式或脚本钩子的方式获取证书
    
       -n               非交互式运行
      --test-cert       从预交付服务器上获取测试证书
      --dry-run         测试获取或更新证书,但是不存储到本地硬盘
    
    证书管理:
        certificates    显示使用Certbot生成的所有证书的信息
        revoke          撤销证书(supply --cert-path)
        delete          删除证书
    
    管理你的Let's Encrypt账户
        register        创建Let's Encrypt ACME账户
      --agree-tos       同意ACME服务器的订阅协议
       -m EMAIL         接收有关账户的重要通知的邮箱地址
    
    可选参数:
      -h, --help            显示帮助信息,然后退出
      -c 配置文件, --config 配置文件
                            配置文件的路径 (默认: /etc/letsencrypt/cli.ini
                            或 ~/.config/letsencrypt/cli.ini)
      -v, --verbose         当前参数可以重复使用多次来增加输出信息的详细程度,例如 -vvv.
                            (默认: -2)
      -n, --non-interactive, --noninteractive
                            非交互式运行,即运行过程中不需要询问用户输入,但需要额外的命令行
                            参数。当客户端发现参数缺失时会给出相应的说明。(默认: False)
      --force-interactive   无论Certbot是否以命令行的方式运行,强制交互式运行。当前参数不能
                            用于renew子命令。(默认: False)
      -d 域名列表, --domains 域名列表, --domain 域名列表
                            指定域名列表。如果有多个域名,可以多次使用-d参数,也可以在-d参数后
                            使用逗号分隔的域名列表。(默认: 询问)
      --cert-name 证书名称   指定证书名称。每次Certbot运行只使用一个证书名称。可以使用命令
                            'certbot certificates'查看已生成的证书名称。当创建新的证书时,
                            此选项用于指定证书的名称。(默认: 无)
      --dry-run             使用客户端执行一次试运行,获取测试证书(无效的证书)但不保存到磁盘。
                            当前选项仅用于'certonly'和'renew'子命令。
                            注: 尽管 --dry-run 选项试图阻止任何对系统的修改,但并不能做到
                            完全避免: 如果使用类似apache或nginx网页服务器来认证插件,
                            程序运行过程中,会尝试修改或恢复配置文件来获取测试证书,
                            也会重启网页服务器来部署和回滚这些修改。如果定义了 --pre-hook 和
                            --post-hook 选项它们会被同时执行,这两个选项有助于更精确地模拟
                            更新证书。--renew-hook 选项在这里不会被执行。(默认: False)
      --preferred-challenges PREF_CHALLS
                            A sorted, comma delimited list of the preferred
                            challenge to use during authorization with the most
                            preferred challenge listed first (Eg, "dns" or "tls-
                            sni-01,http,dns"). Not all plugins support all
                            challenges. See
                            https://certbot.eff.org/docs/using.html#plugins for
                            details. ACME Challenges are versioned, but if you
                            pick "http" rather than "http-01", Certbot will select
                            the latest version automatically. (default: [])
      --user-agent 用户代理
                            设置本客户端的用户代理信息。用户代理信息用于CA机构收集关于操作系统
                            和插件的使用成功率。如果你希望隐藏此信息,设置此选项为""。
                            (默认: CertbotACMEClient/0.12.0 (Ubuntu 16.04.2 LTS)
                            Authenticator/XXX Installer/YYY)
    
    自动化:
      用于自动运行或其他情况的参数
    
      --keep-until-expiring, --keep, --reinstall
                            如果被请求的证书已经存在,那么不执行更新操作直到证书将要过期
                            (如果使用了'run'子命令,无论是否过期证书都会被更新)。
                            (默认: 询问)
      --expand              如果请求的证书名字是已经存在的证书名字的子集,那么这个本地证书
                            会被重置并重命名。(默认: 询问)
      --version             显示程序和版本号,然后退出
      --force-renewal, --renew-by-default
                            如果请求的证书已经存在,无论是否快要到期,更新该证书。
                            (通常使用 --keep-until-expiring 选项)。
                            该选项默认包含了 --expand 选项的功能。(默认: False)
      --renew-with-new-domains
                            如果被请求的证书已经存在,但是域名变了,那么无论该证书是否将要过期
                            都会被更新。(默认: False)
      --allow-subset-of-names
                            When performing domain validation, do not consider it
                            a failure if authorizations can not be obtained for a
                            strict subset of the requested domains. This may be
                            useful for allowing renewals for multiple domains to
                            succeed even if some domains no longer point at this
                            system. This option cannot be used with --csr.
                            (default: False)
      --agree-tos           同意ACME订阅协议 (默认: 询问)
      --duplicate           Allow making a certificate lineage that duplicates an
                            existing one (both can be renewed in parallel)
                            (default: False)
      --os-packages-only    (仅用于 certbot-auto) 安装系统依赖包,然后停止 (默认: False)
      --no-self-upgrade     (仅用于 certbot-auto) 禁止 certbot-auto 脚本自动升级自己到
                            新的发布版本 (默认: 自动升级)
      -q, --quiet           程序运行只输出错误信息。这个选项对于 cron 等自动化工具很有用。
                            该选项默认包含了 --non-interactive 选项的功能。(默认: False)
    
    安全:
      有关安全的参数和服务器设置
    
      --rsa-key-size N      RSA密钥的大小。 (默认: 2048)
      --must-staple         为证书添加 OCSP Must Staple 扩展。当Apache版本高于2.3.3时,
                            自动配置 OCSP Stapling 支持。 (默认: False)
      --redirect            对于新认证的虚拟主机,自动重定向HTTP到HTTPS。 (默认: 询问)
      --no-redirect         对于新认证的虚拟主机,不要重定向HTTP到HTTPS。 (默认: 询问)
      --hsts                Add the Strict-Transport-Security header to every HTTP
                            response. Forcing browser to always use SSL for the
                            domain. Defends against SSL Stripping. (default:
                            False)
      --uir                 Add the "Content-Security-Policy: upgrade-insecure-
                            requests" header to every HTTP response. Forcing the
                            browser to use https:// for every http:// resource.
                            (default: None)
      --staple-ocsp         Enables OCSP Stapling. A valid OCSP response is
                            stapled to the certificate that the server offers
                            during TLS. (default: None)
      --strict-permissions  Require that all configuration files are owned by the
                            current user; only needed if your config is somewhere
                            unsafe like /tmp/ (default: False)
    
    测试:
      The following flags are meant for testing and integration purposes only.
    
      --test-cert, --staging
                            Use the staging server to obtain or revoke test
                            (invalid) certs; equivalent to --server https://acme-
                            staging.api.letsencrypt.org/directory (default: False)
      --debug               Show tracebacks in case of errors, and allow certbot-
                            auto execution on experimental platforms (default:
                            False)
      --no-verify-ssl       Disable verification of the ACME server's certificate.
                            (default: False)
      --tls-sni-01-port TLS_SNI_01_PORT
                            Port used during tls-sni-01 challenge. This only
                            affects the port Certbot listens on. A conforming ACME
                            server will still attempt to connect on port 443.
                            (default: 443)
      --http-01-port HTTP01_PORT
                            Port used in the http-01 challenge. This only affects
                            the port Certbot listens on. A conforming ACME server
                            will still attempt to connect on port 80. (default:
                            80)
      --break-my-certs      Be willing to replace or renew valid certs with
                            invalid (testing/staging) certs (default: False)
    
    路径:
      修改有关执行路径和服务器的参数
    
      --cert-path 证书路径
                            Path to where cert is saved (with auth --csr),
                            installed from, or revoked. (default: None)
      --key-path 密钥路径    Path to private key for cert installation or
                            revocation (if account key is missing) (default: None)
      --chain-path 钥匙链路径
                            Accompanying path to a certificate chain. (default:
                            None)
      --config-dir 配置文件目录
                            Configuration directory. (default: /etc/letsencrypt)
      --work-dir 工作目录    Working directory. (default: /var/lib/letsencrypt)
      --logs-dir 日志目录    Logs directory. (default: /var/log/letsencrypt)
      --server 服务器        ACME Directory Resource URI. (default:
                            https://acme-v01.api.letsencrypt.org/directory)
    
    管理:
      Various subcommands and flags are available for managing your
      certificates:
    
      certificates          List certificates managed by Certbot
      delete                Clean up all files related to a certificate
      renew                 Renew all certificates (or one specified with --cert-
                            name)
      revoke                Revoke a certificate specified with --cert-path
      update_symlinks       Recreate symlinks in your /etc/letsencrypt/live/
                            directory
    
    run:
      获取和安装证书的选项
    
    certonly:
      修改获取证书方式的选项
    
      --csr CSR             Path to a Certificate Signing Request (CSR) in DER or
                            PEM format. Currently --csr only works with the
                            'certonly' subcommand. (default: None)
    
    renew:
      The 'renew' subcommand will attempt to renew all certificates (or more
      precisely, certificate lineages) you have previously obtained if they are
      close to expiry, and print a summary of the results. By default, 'renew'
      will reuse the options used to create obtain or most recently successfully
      renew each certificate lineage. You can try it with `--dry-run` first. For
      more fine-grained control, you can renew individual lineages with the
      `certonly` subcommand. Hooks are available to run commands before and
      after renewal; see https://certbot.eff.org/docs/using.html#renewal for
      more information on these.
    
      --pre-hook PRE_HOOK   Command to be run in a shell before obtaining any
                            certificates. Intended primarily for renewal, where it
                            can be used to temporarily shut down a webserver that
                            might conflict with the standalone plugin. This will
                            only be called if a certificate is actually to be
                            obtained/renewed. When renewing several certificates
                            that have identical pre-hooks, only the first will be
                            executed. (default: None)
      --post-hook POST_HOOK
                            Command to be run in a shell after attempting to
                            obtain/renew certificates. Can be used to deploy
                            renewed certificates, or to restart any servers that
                            were stopped by --pre-hook. This is only run if an
                            attempt was made to obtain/renew a certificate. If
                            multiple renewed certificates have identical post-
                            hooks, only one will be run. (default: None)
      --renew-hook RENEW_HOOK
                            Command to be run in a shell once for each
                            successfully renewed certificate. For this command,
                            the shell variable $RENEWED_LINEAGE will point to the
                            config live subdirectory containing the new certs and
                            keys; the shell variable $RENEWED_DOMAINS will contain
                            a space-delimited list of renewed cert domains
                            (default: None)
      --disable-hook-validation
                            Ordinarily the commands specified for --pre-hook
                            /--post-hook/--renew-hook will be checked for
                            validity, to see if the programs being run are in the
                            $PATH, so that mistakes can be caught early, even when
                            the hooks aren't being run just yet. The validation is
                            rather simplistic and fails if you use more advanced
                            shell constructs, so you can use this switch to
                            disable it. (default: False)
    
    certificates:
      列出由Certbot管理的所有证书信息
    
    delete:
      用于删除证书的选项
    
    revoke:
      用于撤销证书的选项
    
      --reason {keycompromise,affiliationchanged,superseded,unspecified,cessationofoperation}
                            Specify reason for revoking certificate. (default: 0)
    
    register:
      用于账户注册和更新的选项
    
      --register-unsafely-without-email
                            Specifying this flag enables registering an account
                            with no email address. This is strongly discouraged,
                            because in the event of key loss or account compromise
                            you will irrevocably lose access to your account. You
                            will also be unable to receive notice about impending
                            expiration or revocation of your certificates. Updates
                            to the Subscriber Agreement will still affect you, and
                            will be effective 14 days after posting an update to
                            the web site. (default: False)
      --update-registration
                            With the register verb, indicates that details
                            associated with an existing registration, such as the
                            e-mail address, should be updated, rather than
                            registering a new account. (default: False)
      -m EMAIL, --email EMAIL
                            Email used for registration and recovery contact.
                            (default: Ask)
      --eff-email           Share your e-mail address with EFF (default: None)
      --no-eff-email        Don't share your e-mail address with EFF (default:
                            None)
    
    unregister:
      用于注销账户的选项
    
      --account 账户ID       需要注销的账户ID (默认: 无)
    
    install:
      用于修改证书部署路径的选项
    
      --fullchain-path 完整钥匙链的路径
                            Accompanying path to a full certificate chain (cert
                            plus chain). (default: None)
    
    config_changes:
      Options for controlling which changes are displayed
    
      --num NUM             How many past revisions you want to be displayed
                            (default: None)
    
    rollback:
      Options for rolling back server configuration changes
    
      --checkpoints N       Revert configuration N number of checkpoints.
                            (default: 1)
    
    plugins:
      Options for for the "plugins" subcommand
    
      --init                Initialize plugins. (default: False)
      --prepare             Initialize and prepare plugins. (default: False)
      --authenticators      Limit to authenticator plugins only. (default: None)
      --installers          Limit to installer plugins only. (default: None)
    
    update_symlinks:
      Recreates cert and key symlinks in /etc/letsencrypt/live, if you changed
      them by hand or edited a renewal configuration file
    
    plugins:
      Plugin Selection: Certbot client supports an extensible plugins
      architecture. See 'certbot plugins' for a list of all installed plugins
      and their names. You can force a particular plugin by setting options
      provided below. Running --help <plugin_name> will list flags specific to
      that plugin.
    
      --configurator CONFIGURATOR
                            Name of the plugin that is both an authenticator and
                            an installer. Should not be used together with
                            --authenticator or --installer. (default: Ask)
      -a AUTHENTICATOR, --authenticator AUTHENTICATOR
                            Authenticator plugin name. (default: None)
      -i INSTALLER, --installer INSTALLER
                            Installer plugin name (also used to find domains).
                            (default: None)
      --apache              Obtain and install certs using Apache (default: False)
      --nginx               Obtain and install certs using Nginx (default: False)
      --standalone          运行一个独立的网页服务器用于获取证书。(默认: False)
      --manual              Provide laborious manual instructions for obtaining a
                            cert (default: False)
      --webroot             把身份认证文件放置在服务器的网页根目录下用于获取证书。
                            (默认: False)
    
    nginx:
      Nginx网页服务器插件 - Alpha版本
    
      --nginx-server-root NGINX_SERVER_ROOT
                            Nginx server root directory. (default: /etc/nginx)
      --nginx-ctl NGINX_CTL
                            Path to the 'nginx' binary, used for 'configtest' and
                            retrieving nginx version number. (default: nginx)
    
    standalone:
      启动一个临时的网页服务器
    
    manual:
      Authenticate through manual configuration or custom shell scripts. When
      using shell scripts, an authenticator script must be provided. The
      environment variables available to this script are $CERTBOT_DOMAIN which
      contains the domain being authenticated, $CERTBOT_VALIDATION which is the
      validation string, and $CERTBOT_TOKEN which is the filename of the
      resource requested when performing an HTTP-01 challenge. An additional
      cleanup script can also be provided and can use the additional variable
      $CERTBOT_AUTH_OUTPUT which contains the stdout output from the auth
      script.
    
      --manual-auth-hook MANUAL_AUTH_HOOK
                            Path or command to execute for the authentication
                            script (default: None)
      --manual-cleanup-hook MANUAL_CLEANUP_HOOK
                            Path or command to execute for the cleanup script
                            (default: None)
      --manual-public-ip-logging-ok
                            Automatically allows public IP logging (default: Ask)
    
    webroot:
      Place files in webroot directory
    
      --webroot-path WEBROOT_PATH, -w WEBROOT_PATH
                            public_html / webroot path. This can be specified
                            multiple times to handle different domains; each
                            domain will have the webroot path that preceded it.
                            For instance: `-w /var/www/example -d example.com -d
                            www.example.com -w /var/www/thing -d thing.net -d
                            m.thing.net` (default: Ask)
      --webroot-map WEBROOT_MAP
                            JSON dictionary mapping domains to webroot paths; this
                            implies -d for each entry. You may need to escape this
                            from your shell. E.g.: --webroot-map
                            '{"eg1.is,m.eg1.is":"/www/eg1/", "eg2.is":"/www/eg2"}'
                            This option is merged with, but takes precedence over,
                            -w / -d entries. At present, if you put webroot-map in
                            a config file, it needs to be on a single line, like:
                            webroot-map = {"example.com":"/var/www"}. (default:
                            {})
    
    apache:
      Apache网页服务器插件 - Beta版本
    
      --apache-enmod APACHE_ENMOD
                            Path to the Apache 'a2enmod' binary. (default:
                            a2enmod)
      --apache-dismod APACHE_DISMOD
                            Path to the Apache 'a2dismod' binary. (default:
                            a2dismod)
      --apache-le-vhost-ext APACHE_LE_VHOST_EXT
                            SSL vhost configuration extension. (default: -le-
                            ssl.conf)
      --apache-server-root APACHE_SERVER_ROOT
                            Apache server root directory. (default: /etc/apache2)
      --apache-vhost-root APACHE_VHOST_ROOT
                            Apache server VirtualHost configuration root (default:
                            /etc/apache2/sites-available)
      --apache-logs-root APACHE_LOGS_ROOT
                            Apache server logs directory (default:
                            /var/log/apache2)
      --apache-challenge-location APACHE_CHALLENGE_LOCATION
                            Directory path for challenge configuration. (default:
                            /etc/apache2)
      --apache-handle-modules APACHE_HANDLE_MODULES
                            Let installer handle enabling required modules for
                            you.(Only Ubuntu/Debian currently) (default: True)
      --apache-handle-sites APACHE_HANDLE_SITES
                            Let installer handle enabling sites for you.(Only
                            Ubuntu/Debian currently) (default: True)
    
    null:
      Null Installer
    展开全文
  • 1、ImportError: /usr/lib64/python2.7/site-packages/OpenSSL/crypto.so: symbol X509_REVOKED_dup, version libcrypto.so.10 not defined in file libcrypto.so.10 with link time reference ...

     1、ImportError: /usr/lib64/python2.7/site-packages/OpenSSL/crypto.so: symbol X509_REVOKED_dup, version libcrypto.so.10 not defined in file libcrypto.so.10 with link time reference

    大致的意思就是crypto.so有问题,也查了很多版本又说OpenSSL的问题,但是我机器是环境变量的问题

    [root@izufok5hmn78z ~]# certbot -version
    Traceback (most recent call last):
      File "/usr/bin/certbot", line 9, in <module>
        load_entry_point('certbot==1.3.0', 'console_scripts', 'certbot')()
      File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 564, in load_entry_point
        return get_distribution(dist).load_entry_point(group, name)
      File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2662, in load_entry_point
        return ep.load()
      File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2316, in load
        return self.resolve()
      File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2322, in resolve
        module = __import__(self.module_name, fromlist=['__name__'], level=0)
      File "/usr/lib/python2.7/site-packages/certbot/main.py", line 2, in <module>
        from certbot._internal import main as internal_main
      File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 10, in <module>
        import josepy as jose
      File "/usr/lib/python2.7/site-packages/josepy/__init__.py", line 41, in <module>
        from josepy.interfaces import JSONDeSerializable
      File "/usr/lib/python2.7/site-packages/josepy/interfaces.py", line 7, in <module>
        from josepy import errors, util
      File "/usr/lib/python2.7/site-packages/josepy/util.py", line 7, in <module>
        import OpenSSL
      File "/usr/lib64/python2.7/site-packages/OpenSSL/__init__.py", line 36, in <module>
        from OpenSSL import crypto
    ImportError: /usr/lib64/python2.7/site-packages/OpenSSL/crypto.so: symbol X509_REVOKED_dup, version libcrypto.so.10 not defined in file libcrypto.so.10 with link time reference
    [root@izufok5hmn78z ~]# 

    查找原因:找到这个外连接,是有个LD_LIBRARY_PATH 环境变量在控制,libssl.so.10已经指向了其他位置。

    正确位置应该是:libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007ff603c7f000)

    [root@izufok5hmn78z OpenSSL]# cd /usr/lib64/python2.7/site-packages/OpenSSL/
    [root@izufok5hmn78z OpenSSL]# ldd crypto.so 
            linux-vdso.so.1 =>  (0x00007fff3875e000)
            libssl.so.10 => /xxxxxxxxxxxxxx/4.1.1/lib/libssl.so.10 (0x00007f2050486000)
            libcrypto.so.10 => /xxxxxxxxxxxx/4.1.1/lib/libcrypto.so.10 (0x00007f205009b000)
            libpython2.7.so.1.0 => /lib64/libpython2.7.so.1.0 (0x00007f204fcc6000)
            libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f204faaa000)
            libc.so.6 => /lib64/libc.so.6 (0x00007f204f6e8000)
            libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f204f49b000)
            libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f204f1b3000)
            libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f204efae000)
            libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f204ed7b000)
            libdl.so.2 => /lib64/libdl.so.2 (0x00007f204eb77000)
            libz.so.1 => /lib64/libz.so.1 (0x00007f204e960000)
            libutil.so.1 => /lib64/libutil.so.1 (0x00007f204e75d000)
            libm.so.6 => /lib64/libm.so.6 (0x00007f204e45b000)
            /lib64/ld-linux-x86-64.so.2 (0x00007f205090d000)
            libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f204e24c000)
            libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f204e048000)
            libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f204de2e000)
            libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f204dc06000)
            libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f204d9a4000)
    [root@izufok5hmn78z OpenSSL]# echo $LD_LIBRARY_PATH 
    /xxxxxxxxxxxxxxxxxxxx/4.1.1/lib/

    解决办法:每个人环境不同可能改变方式不同,我的是因为LD_LIBRARY_PATH 环境变量控制,临时用的话直接设置为空即可

    [root@izufok5hmn78z OpenSSL]# export LD_LIBRARY_PATH=""
    [root@izufok5hmn78z OpenSSL]# echo $LD_LIBRARY_PATH 
    
    [root@izufok5hmn78z OpenSSL]# 

    2、ImportError: cannot import name UnrewindableBodyError,借用别人一张图

    解决办法:重装urllib3库

    pip uninstall urllib3
    pip install urllib3

    3、certbot pkg_resources.DistributionNotFound: The 'urllib3<1.23,>=1.21.1' distribution was not found and is required by requests 

    解决办法:直接运行 # easy_install urllib3==1.21.1

    4、ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.

    应该是pyOpenSSL版本和依赖有问题。参考https://github.com/certbot/certbot/issues/5534

    pip install --upgrade --force-reinstall 'requests==2.6.0'

    如果执行失败,那先安装依赖包,因为我百度都试了一遍,最终成功的是上面这句

    yum install -y python-devel
    yum install -y openssl-devel
    pip install pyOpenSSL

     

    最后,certbot运行成功

    [root@izufok5hmn78z OpenSSL]# certbot --version
    certbot 1.3.0
    [root@izufok5hmn78z OpenSSL]# 

     

    展开全文
  • CentOS6安装certbot

    千次阅读 2019-07-10 19:04:00
    方法 现在比以前好安装多了,英文教程:https://certbot.eff.org/lets-encrypt/centos6-apache.html 几行代码: wget ... sudo mv certbot-auto /usr/local/bin/certbot-auto sudo chown root /usr...
  • Certbot 生成 ssl 证书

    千次阅读 2019-06-17 20:45:27
    certbot 是用来申请 Let's Encrypt 免费 SSL 证书 一般的免费 SSL 证书,好像都是使用 Let's Encrypt 颁发的证书。官网地址: https://letsencrypt.org/ Let's Encrypt 使用 ACME 协议来认证我们域名,并颁发证书...
  • 前言 自己做了一个博客,需要访问自己的网站...因此,研究如何启用https,本文即是介绍如何在CentOS上配合Nginx使用CertBot。 环境 ...安装CertBot 命令行,键入: sudo apt-get update sudo apt-get install...
  • CertBot

    2018-04-17 18:05:42
    CertBot是一个ACME代理, ACME协议是一个证书自动管理环境的协议。以下引自维基百科:The Automatic Certificate Management Environment (ACME) protocol is a communications protocol for automating ...
  • Certbot 一键升级你的网站为 Https

    千次阅读 2017-09-25 14:39:28
    前几天终于被 Chrome 报不安全了,于是换成了 Let’s Encrypt。 但是 Let’s Encrypt 证书只有90天的有效期,有没有什么便捷的方法一键...答案是 CertbotCertbot 真的是便捷,不用去 Let’s Encrypt 注册账号
  • 在CentOS7上安装Certbot有三种方式: 使用Certbot官方提供的对应平台的RPM包安装 使用Certbot官方的提供的certbot-auto安装 使用pip安装Certbot,因为Certbot是Python程序 参考文章 ...
  • ./certbot-auto --nginx --nginx-server-root=/usr/local/nginx/conf
  • Centos7 certbot自动续期

    千次阅读 2020-04-16 09:09:27
    Centos7 certbot自动续期前言解决方案 前言 Let’s Encrypt 是一个免费 SSL 证书发行项目,自动化发行证书,证书有 90 天的有效期。于是有了另外一个项目可以自动安装,自动续期。 解决方案 #手动测试,查看证书过期...
  • 使用Certbot为Nginx添加HTTPS

    千次阅读 2018-07-13 20:21:53
    安装环境腾讯云CentOS7工具Windows10 + Putty安装Certbotyum install python2-certbot-nginx部署HTTPS证书certbot --nginx选择需要添加证书的域名,比如这里选1,回车(这里由于Certbot是基于Python2开发的,所以...
  • Certbot-auto 免费 SSL 证书实现 HTTPS

    千次阅读 2018-02-28 18:01:03
    把这块做个整理,具体如下 简单写写。1.准备前提一台服务器,...我在实际开发中用的certbot-auto可以在服务器通过已下命令下载 certbot-autowget https://dl.eff.org/certbot-autochmod a+x certbot-auto3.配置ngi...
  • 阿里云安装certbot-auto

    千次阅读 2017-12-05 16:56:31
    安装certbot-auto就是被各种折腾, 好不容易来到这一步: Reading package lists... Done Building dependency tree Reading state information... Done dialog is already the newest version. gcc is already the...
  • 原创作品,允许转载,转载时请务必以超链接形式标明文章 原始出处 、作者信息和本声明。否则将追究法律责任。... 遇到的问题如下:IMPORTANT NOTES:  - The following errors were reported by the server: ...
  • Centos7使用certbot部署https

    千次阅读 2019-06-14 13:32:59
    yum install certbot python2-certbot-nginx 安装证书 // 自动安装证书 certbot --nginx // 手动设置一些信息进行证书安装 certbot --nginx certonly 自动续订 certbot自动安装的let’s encrypt证书有效期只有三...
  • 今天安装Certbot 时遇到各种问题,踩了各种坑,记录下来,分享给大家 我的Linux系统是CentOS7(cat /etc/redhat-release #查看Linux版本),所以安装官网给的安装过程为: yum install epel-release sudo yum ...
  • 终结CA收费时代,让互联网更安全 ...On Ubuntu systems, the Certbot team maintains a PPA. Once you add it to your list of repositories all you'll need to do is apt-get the following packages. $ sud
1 2 3 4 5 ... 20
收藏数 1,957
精华内容 782
关键字:

certbot