The Git repository is at
https://github.com/xdtianyu/scripts/tree/master/lets-encrypt
The script calls acme_tiny.py to perform the validation and to obtain and renew the certificate; no extra dependencies are needed.
Download the script and its configuration file
wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.conf
wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.sh
chmod +x letsencrypt.sh
Configuration file
Only DOMAIN_KEY, DOMAIN_DIR and DOMAINS need to be changed to your own values (for a detailed explanation contact 摘取天上星):
ACCOUNT_KEY="letsencrypt-account.key"
DOMAIN_KEY="test.com.key"
DOMAIN_DIR="/data/wwwroot/test.com"
DOMAINS="DNS:test.com,DNS:api.test.com"
The key files are generated automatically during the run. Both are private keys (the account key identifies you to Let's Encrypt, the domain key is what nginx will serve with), so keep the script in a directory only root can read (e.g. chmod 700) rather than inside the web root.
Generating the certificate
(For another virtual host with its own directory and domain names, copy the configuration file under a new name, change DOMAIN_KEY, DOMAIN_DIR and DOMAINS in it, and run the script again with that file; one run produces one certificate.)
./letsencrypt.sh letsencrypt.conf
Note: the script first downloads lets-encrypt-x3-cross-signed.pem (the Let's Encrypt intermediate certificate that is appended to your certificate to build the chained .crt) and then runs the generation steps in order. If the download fails, fetch the file manually from the URL shown in the script and place it next to it.
The domains must already be served from the DOMAIN_DIR directory (/data/wwwroot/test.com in the configuration above), i.e. http://test.com
and http://api.test.com
must reach that directory over plain HTTP on port 80. This is how the domains are validated: acme_tiny writes a challenge token into .well-known/acme-challenge/ below DOMAIN_DIR and Let's Encrypt fetches it at http://<domain>/.well-known/acme-challenge/<token>; every name listed in DOMAINS must pass this check or no certificate is issued.
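Before running the script it is worth checking that precondition yourself. The following pre-flight script is an added example, not part of xdtianyu/scripts or acme_tiny: it reads DOMAIN_DIR and DOMAINS from the same configuration file, drops a random probe file into the challenge directory (which also catches the unwritable-directory case that the script itself does not report) and fetches it over plain HTTP for every name in DOMAINS. The path .well-known/acme-challenge below DOMAIN_DIR and the use of curl are assumptions of this example.

```shell
#!/bin/sh
# Added pre-flight check (not part of xdtianyu/scripts or acme_tiny).
# Before running letsencrypt.sh, confirm that the challenge directory under
# DOMAIN_DIR is writable and that every name in DOMAINS serves it over plain
# HTTP, because that is what the http-01 validation needs.
# Assumptions: the conf file defines DOMAIN_DIR and DOMAINS as shown above, and
# the tokens are served from DOMAIN_DIR/.well-known/acme-challenge/.

# "DNS:test.com,DNS:api.test.com" -> one host name per line.
conf_domains() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Create the challenge directory below $1 and drop a random probe file in it.
# Prints the token; returns non-zero if the directory cannot be written, which
# is the case that otherwise fails silently (the script still prints "New cert").
write_probe() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" 2>/dev/null || return 1
    token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    printf 'probe-%s\n' "$token" > "$dir/$token" || return 1
    printf '%s\n' "$token"
}

# Fetch the probe over HTTP for one host and compare it with the file on disk.
# A 404 means the name is not served from DOMAIN_DIR; different content usually
# means the name resolves to another vhost or another server.
probe_host() {
    host="$1"; token="$2"; file="$3/.well-known/acme-challenge/$token"
    url="http://$host/.well-known/acme-challenge/$token"
    got=$(curl -fsS --max-time 10 "$url") || { echo "FAIL $url not reachable"; return 1; }
    [ "$got" = "$(cat "$file")" ] || { echo "FAIL $url served different content"; return 1; }
    echo "OK   $url"
}

# Source the conf the same way the script does and probe every DOMAINS entry.
preflight() {
    . "$1"                                   # sets DOMAIN_DIR and DOMAINS
    token=$(write_probe "$DOMAIN_DIR") \
        || { echo "FAIL cannot write $DOMAIN_DIR/.well-known/acme-challenge (owner/+wx?)"; return 1; }
    rc=0
    for host in $(conf_domains "$DOMAINS"); do
        probe_host "$host" "$token" "$DOMAIN_DIR" || rc=1
    done
    rm -f "$DOMAIN_DIR/.well-known/acme-challenge/$token"
    return $rc
}

# Usage: sh preflight.sh check /data/cron/ssl/letsencrypt.conf
if [ "${1:-}" = "check" ]; then preflight "$2"; fi
```

Run it as the same user that will run letsencrypt.sh (root from cron), so that the write test reflects the real permissions; a FAIL line names the exact URL Let's Encrypt would also fail on.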
If the following error appears, install python-argparse (yum install python-argparse) and run the script again; if yum cannot install it, build it by hand as described below:
Traceback (most recent call last):
File "/tmp/acme_tiny.py", line 2, in <module>
import argparse, subprocess, json, os, sys, base64, binascii, time, hashlib, re, copy, textwrap, logging
ImportError: No module named argparse
1. yum install python-argparse
2. Manual installation of python-argparse:
wget https://pypi.python.org/packages/source/a/argparse/argparse-1.4.0.tar.gz#md5=08062d2ceb6596fcbc5a7e725b53746f
tar -xzvf argparse-1.4.0.tar.gz
cd argparse-1.4.0
python setup.py install
Output like the following means the installation succeeded:
running install
running bdist_egg
running egg_info
writing argparse.egg-info/PKG-INFO
writing top-level names to argparse.egg-info/top_level.txt
writing dependency_links to argparse.egg-info/dependency_links.txt
reading manifest file 'argparse.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
warning: no previously-included files matching '*.pyc' found anywhere in distribution
warning: no previously-included files matching '*.pyo' found anywhere in distribution
warning: no previously-included files matching '*.orig' found anywhere in distribution
warning: no previously-included files matching '*.rej' found anywhere in distribution
no previously-included directories found matching 'doc/_build'
no previously-included directories found matching 'env24'
no previously-included directories found matching 'env25'
no previously-included directories found matching 'env26'
no previously-included directories found matching 'env27'
writing manifest file 'argparse.egg-info/SOURCES.txt'
installing library code to build/bdist.linux-x86_64/egg
running install_lib
running build_py
creating build
creating build/lib
copying argparse.py -> build/lib
creating build/bdist.linux-x86_64
creating build/bdist.linux-x86_64/egg
copying build/lib/argparse.py -> build/bdist.linux-x86_64/egg
byte-compiling build/bdist.linux-x86_64/egg/argparse.py to argparse.pyc
creating build/bdist.linux-x86_64/egg/EGG-INFO
copying argparse.egg-info/PKG-INFO -> build/bdist.linux-x86_64/egg/EGG-INFO
copying argparse.egg-info/SOURCES.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying argparse.egg-info/dependency_links.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying argparse.egg-info/top_level.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
zip_safe flag not set; analyzing archive contents...
creating dist
creating 'dist/argparse-1.4.0-py2.6.egg' and adding 'build/bdist.linux-x86_64/egg' to it
removing 'build/bdist.linux-x86_64/egg' (and everything under it)
Processing argparse-1.4.0-py2.6.egg
Copying argparse-1.4.0-py2.6.egg to /usr/lib/python2.6/site-packages
Adding argparse 1.4.0 to easy-install.pth file
Installed /usr/lib/python2.6/site-packages/argparse-1.4.0-py2.6.egg
Processing dependencies for argparse==1.4.0
Finished processing dependencies for argparse==1.4.0
If python setup.py install for python-argparse fails with the error below, setuptools is not installed; install setuptools first:
Traceback (most recent call last):
File "setup.py", line 3, in <module>
from setuptools import setup, find_packages
ImportError: No module named setuptools
The error line literally says there is no module named setuptools: Python is missing that module, and installing it resolves the problem.
Installing setuptools:
Method 1:
wget http://pypi.python.org/packages/source/s/setuptools/setuptools-0.6c11.tar.gz
tar zxvf setuptools-0.6c11.tar.gz
cd setuptools-0.6c11
python setup.py build
python setup.py install
Method 2:
Download setuptools-0.6c11-py2.7.egg from http://pypi.python.org/pypi/setuptools, make it executable with chmod +x setuptools-0.6c11-py2.7.egg, then run sudo sh setuptools-0.6c11-py2.7.egg to complete the installation.
Method 3:
Go to http://pypi.python.org/pypi/setuptools and follow the instructions there to download and install the setuptools module.
If the certificate run ends as shown below (note the traceback), domain validation failed and no certificate was obtained. The author's diagnosis is a DNS problem ("DNS query timed out"): the domain name could not be resolved, so Let's Encrypt could not validate it. Note that the traceback itself comes from acme_tiny's error handler: the HTTPS request to the ACME API raised a URLError (no HTTP response at all, for example a connection or name-resolution failure on the client side), which has no .code attribute, so the real error text is never printed.
(In the author's experience, Chinese DNS providers such as DNSPod, Alibaba Cloud DNS and CloudXNS intermittently time out during Let's Encrypt validation, while Namecheap DNS, Linode DNS and Domain.com DNS have been fine. When this timeout occurs, simply re-run the command at a quieter time.)
Generate account key...
Generating RSA private key, 4096 bit long modulus
......................................++
.....................................................................++
e is 65537 (0x10001)
Generate domain key...
Generating RSA private key, 2048 bit long modulus
........+++
................................................................................................................+++
e is 65537 (0x10001)
Generate CSR...app.csr
Parsing account key...
Parsing CSR...
Registering account...
Registered!
Verifying app.lebaoedu.com...
Traceback (most recent call last):
File "/tmp/acme_tiny.py", line 198, in <module>
main(sys.argv[1:])
File "/tmp/acme_tiny.py", line 194, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
File "/tmp/acme_tiny.py", line 140, in get_crt
e.code, json.loads(e.read().decode('utf8'))))
AttributeError: 'URLError' object has no attribute 'code'
If the run prints only the two lines below, the certificate was NOT generated, even though the script still claims a "New cert" (in this case the directory lacked +wx permission, but no permission error was shown):
Generate CSR...lebao.csr
New cert: xxx.chained.crt has been generated
A genuinely successful run prints the fuller output below (registration, per-domain verification and signing are all reported):
Generate CSR...lebao.csr
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying test.api.xxx.com...
test.api.xxx.com verified!
Signing certificate...
Certificate signed!
New cert: xxx.chained.crt has been generated
Afterwards the certificate directory contains files like:
test.chained.crt test.com.key letsencrypt-account.key test.crt test.csr ...
cron job
To renew automatically once a month (Let's Encrypt certificates are valid for 90 days, so a monthly run leaves a comfortable margin), add a crontab entry like the one below. You can append service nginx reload (or the equivalent for your server) at the end of the script so the new certificate is picked up; adjust the paths to wherever you placed the script and configuration file:
0 0 1 * * /data/cron/ssl/letsencrypt.sh /data/cron/ssl/letsencrypt.conf >> /var/log/lets-encrypt.log 2>&1
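Reloading nginx unconditionally at the end of the script is risky, because the silent-failure case above still prints "New cert ... has been generated". The wrapper below is an added example, not part of xdtianyu/scripts: it runs letsencrypt.sh and reloads nginx only after confirming with openssl that the chained certificate matches the domain key, lists every DOMAINS name as a subjectAltName and is not close to expiry. It assumes the configuration file defines DOMAIN_KEY and DOMAINS as shown above, that the key sits next to the configuration file, and that you pass the chained certificate path explicitly (the page names it test.chained.crt).

```shell
#!/bin/sh
# Added cron wrapper (not part of xdtianyu/scripts). It runs letsencrypt.sh and
# reloads nginx only after checking that the chained cert (1) matches the domain
# key, (2) carries every DOMAINS name as a SAN and (3) is not about to expire.
# A silent failure therefore never reloads nginx with a stale or missing file.
# Requires openssl(1).
# Assumptions: the conf file defines DOMAIN_KEY and DOMAINS as shown above, the
# key lives next to the conf, and the chained cert path is passed explicitly
# (the page names it test.chained.crt; adjust to your layout).

# 1. Public key in the cert must equal the public key derived from the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 2. Host $2 must appear as a DNS subjectAltName of cert $1.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -Eq "DNS:$2(,|[[:space:]]|$)"
}

# 3. Cert $1 must still be valid in $2 days (Let's Encrypt certs last 90 days,
# so a freshly issued one passes a 30-day check; an old leftover may not).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run all three checks for cert $1, key $2 and a DOMAINS string $3.
verify_cert() {
    cert="$1"; key="$2"; ok=0
    cert_matches_key "$cert" "$key"  || { echo "cert/key mismatch: $cert vs $key"; ok=1; }
    cert_valid_for_days "$cert" 30   || { echo "cert expires within 30 days: $cert"; ok=1; }
    for host in $(printf '%s\n' "$3" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'); do
        cert_has_san "$cert" "$host" || { echo "SAN missing: $host"; ok=1; }
    done
    return $ok
}

# Cron entry point: conf path $1, chained cert path $2.
renew_and_reload() {
    conf="$1"; cert="$2"; dir=$(dirname "$conf")
    . "$conf"                                  # sets DOMAIN_KEY and DOMAINS
    (cd "$dir" && ./letsencrypt.sh "$conf") || { echo "letsencrypt.sh failed, not reloading"; return 1; }
    verify_cert "$cert" "$dir/$DOMAIN_KEY" "$DOMAINS" || { echo "bad cert, not reloading"; return 1; }
    nginx -t && service nginx reload
}

# crontab: 0 0 1 * * /data/cron/ssl/renew.sh run /data/cron/ssl/letsencrypt.conf /data/cron/ssl/test.chained.crt >> /var/log/lets-encrypt.log 2>&1
if [ "${1:-}" = "run" ]; then renew_and_reload "$2" "$3"; fi
```

nginx -t is run before the reload so that a certificate file nginx cannot parse (for example the two-line "success" output case, which leaves an empty or partial file) is reported in the log instead of taking the site down on the next restart.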
After the certificate has been generated, edit nginx.conf and reload nginx (service nginx reload).
The ssl_certificate and ssl_certificate_key lines are the mandatory items; point them at your actual certificate and key paths. Two things this block leaves to nginx defaults: it sets no ssl_protocols or ssl_ciphers, and it contains no plain-HTTP server on port 80 for the same server_name. The http-01 validation described above needs that port-80 server (with root pointing at DOMAIN_DIR, or at least /.well-known/acme-challenge/ served from it), so keep it in place after switching the site to HTTPS or the monthly renewal will stop working.
server {
    #listen 443;
    listen 443 ssl;
    server_name test.com;
    access_log /data/wwwlogs/test_nginx.log main;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    #ssl on;  # deprecated in newer nginx versions; use "listen 443 ssl" instead
    ssl_certificate /data/cron/ssl/test.chained.crt;
    ssl_certificate_key /data/cron/ssl/test.com.key;
    location ~ \.php {
        #fastcgi_pass remote_php_ip:9000;
        fastcgi_pass unix:/dev/shm/php-cgi.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        set $real_script_name $fastcgi_script_name;
        if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
            set $real_script_name $1;
            #set $path_info $2;
        }
        fastcgi_param SCRIPT_FILENAME $document_root$real_script_name;
        fastcgi_param SCRIPT_NAME $real_script_name;
        #fastcgi_param PATH_INFO $path_info;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|ico)$ {
        expires 30d;
        access_log off;
    }
    location ~ .*\.(js|css)?$ {
        expires 7d;
        access_log off;
    }
}