IT Infrastructure: Deploying a Free SSL Certificate for nginx on CentOS 7


Author: _黑冰_ | Published 2018-07-24 19:12

    Preface

    I had previously applied for free SSL certificates on Alibaba Cloud, but each account gets a quota of only 20 certificates, and that quota is one-off and permanent, meaning expired certificates still count against it; for various reasons my test quota was used up. So I switched over to Tencent Cloud, where the review was rejected outright, which was disheartening; then I suddenly remembered that we still have Let's Encrypt, and immediately felt that life had hope again.

    Why on earth is my domain "not secure"?

    About Let's Encrypt

    Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).


    We give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.


    The key principles behind Let’s Encrypt are:

    • Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
    • Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
    • Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
    • Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
    • Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
    • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

    In short, the key principles are: free, automatic, secure, transparent, open, cooperative.

    Certbot

    Certbot is a full-featured, extensible client for the Let's Encrypt CA (or any other CA that speaks the ACME protocol) that can automate the tasks of obtaining certificates and configuring web servers to use them. The client runs on Unix-based operating systems.

    Installation

    Certbot is packaged in EPEL (Extra Packages for Enterprise Linux). To use Certbot, the EPEL repository must be enabled first. On RHEL or Oracle Linux, the optional channel must also be enabled.

    # On CentOS 7, EPEL is enabled by installing the epel-release package.
    yum -y install epel-release
    # The rhui lines below apply to RHEL on AWS, where the extras and optional channels must be enabled as well.
    yum -y install yum-utils
    yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
    

    Install the nginx plugin for certbot

    yum install python2-certbot-nginx
    

    Detect the domain names in the nginx configuration automatically, obtain certificates step by step, and modify the configuration file automatically

    certbot --nginx
    

    If you do not want the configuration file modified and only want to obtain the certificate, use the following command instead

    certbot --nginx certonly
    

    Automatic renewal

    Certbot can be configured to renew certificates automatically before they expire. Since Let's Encrypt certificates last only 90 days, it is best to take advantage of this feature. You can test automatic renewal of your certificates by running the following command:

    certbot renew --dry-run
    

    If that appears to be working correctly, you can schedule automatic renewal by adding a cron job or systemd timer that runs the following command:

    certbot renew
    

    If you are setting up a cron or systemd job, it is recommended to run it twice per day (it does nothing until your certificates are due for renewal or have been revoked, but running it regularly gives your site a chance of staying online in case a Let's Encrypt-initiated revocation happens for some reason). Please pick a random minute within the hour for the renewal task.

    An example cron job might look like this; it runs every day at noon and at midnight:

    0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew 
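
As an added example (not part of the original post), the following POSIX shell script reproduces certbot's own renewal test, renew when fewer than 30 days remain, against a certificate file, so you can confirm from the deployed certificate that the cron job above is actually renewing. It assumes openssl and GNU coreutils date are available (CentOS 7 defaults) and builds two throwaway self-signed certificates as constructed sample input.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce certbot's renewal check
# (renew when fewer than 30 days remain) against a certificate file, so the
# cron job above can be verified from the deployed certificate itself.
# Assumes openssl and GNU coreutils date are installed (CentOS 7 defaults).
set -e

RENEW_THRESHOLD_DAYS=30   # certbot's default renewal window

# Whole days until the certificate in $1 expires (negative if already expired).
days_until_expiry() {
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    end_epoch=$(date -d "$end" +%s)
    now_epoch=$(date +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Succeeds (exit 0) when the certificate in $1 expires within the renewal window;
# `openssl x509 -checkend N` fails exactly when the certificate expires within N seconds.
renewal_due() {
    ! openssl x509 -in "$1" -noout -checkend $(( RENEW_THRESHOLD_DAYS * 86400 ))
}

# Report one certificate path the way a monitoring check would.
report() {
    days=$(days_until_expiry "$1")
    if renewal_due "$1"; then
        echo "$1: expires in $days days, renewal due"
    else
        echo "$1: expires in $days days, nothing to do"
    fi
}

# Constructed sample input: two throwaway self-signed certificates standing in for
# /etc/letsencrypt/live/<domain>/cert.pem, one inside and one outside the window.
SAMPLE_DIR=$(mktemp -d)
for days in 10 60; do
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=example.test" \
        -keyout "$SAMPLE_DIR/key$days.pem" -out "$SAMPLE_DIR/cert$days.pem" 2>/dev/null
done

report "$SAMPLE_DIR/cert10.pem"   # inside the 30-day window: renewal due
report "$SAMPLE_DIR/cert60.pem"   # outside the window: nothing to do
```

Point `report` at the live certificate path certbot wrote for your domain to run the same check against production.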
    

    Pitfalls

    Module urllib3 not found

    [root@demo src]# certbot --nginx
    Traceback (most recent call last):
      File "/usr/bin/certbot", line 9, in <module>
        load_entry_point('certbot==0.14.1', 'console_scripts', 'certbot')()
      File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 564, in load_entry_point
        return get_distribution(dist).load_entry_point(group, name)
      File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2662, in load_entry_point
        return ep.load()
      File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2316, in load
        return self.resolve()
      File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2322, in resolve
        module = __import__(self.module_name, fromlist=['__name__'], level=0)
      File "/usr/lib/python2.7/site-packages/certbot/main.py", line 14, in <module>
        from certbot import account
      File "/usr/lib/python2.7/site-packages/certbot/account.py", line 17, in <module>
        from acme import messages
      File "/usr/lib/python2.7/site-packages/acme/messages.py", line 4, in <module>
        from acme import challenges
      File "/usr/lib/python2.7/site-packages/acme/challenges.py", line 10, in <module>
        import requests
      File "/usr/lib/python2.7/site-packages/requests/__init__.py", line 58, in <module>
        from . import utils
      File "/usr/lib/python2.7/site-packages/requests/utils.py", line 32, in <module>
        from .exceptions import InvalidURL
      File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line 10, in <module>
        from .packages.urllib3.exceptions import HTTPError as BaseHTTPError
      File "/usr/lib/python2.7/site-packages/requests/packages/__init__.py", line 95, in load_module
        raise ImportError("No module named '%s'" % (name,))
    ImportError: No module named 'requests.packages.urllib3'
    

    Solution

    pip install requests urllib3 pyOpenSSL --force --upgrade
    

    AttributeError: pyopenssl

    [root@izwz9ad1jbc6fwnusxlv2cz conf.d]# certbot --nginx
    Traceback (most recent call last):
      File "/usr/bin/certbot", line 9, in <module>
        load_entry_point('certbot==0.27.1', 'console_scripts', 'certbot')()
      File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 570, in load_entry_point
        return get_distribution(dist).load_entry_point(group, name)
      File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2751, in load_entry_point
        return ep.load()
      File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2405, in load
        return self.resolve()
      File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2411, in resolve
        module = __import__(self.module_name, fromlist=['__name__'], level=0)
      File "/usr/lib/python2.7/site-packages/certbot/main.py", line 21, in <module>
        from certbot import client
      File "/usr/lib/python2.7/site-packages/certbot/client.py", line 16, in <module>
        from acme import client as acme_client
      File "/usr/lib/python2.7/site-packages/acme/client.py", line 39, in <module>
        urllib3.contrib.pyopenssl.inject_into_urllib3()
    AttributeError: 'module' object has no attribute 'pyopenssl'
    
    

    Solution

    # Remove the yum-installed package
    yum remove certbot
    
    # Download certbot-auto
    user@webserver:~$ wget https://dl.eff.org/certbot-auto
    user@webserver:~$ chmod a+x ./certbot-auto
    
    # Run certbot-auto to manage certificates
    user@webserver:~$ ./certbot-auto
    

    References

    1. certbot on GitHub
    2. Certbot Installation Guide

    Follow-up

    For scenarios where port 80 is not available, see "IT Infrastructure: Requesting a Free Wildcard Certificate with acme.sh" for how to obtain a certificate.


    Article link: https://www.haomeiwen.com/subject/hmmymftx.html