Fecshop 2017-04-08 16:22:16 10597次浏览 4条评论 5 0 0

原文地址:centos 下安装 Let’s Encrypt 永久免费 SSL 证书

lets encrypt github地址为:https://github.com/certbot/certbot

1.

    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    chmod +x letsencrypt-auto

安装证书:

./letsencrypt-auto certonly  --email 2358269014@qq.com -d fecshop.appfront.fancyecommerce.com -d fecshop.appfront.es.fancyecommerce.com    

d参数后面对应的是域名,在执行的过程中,我遭遇了下面的报错:

    Total size: 44 M
    Downloading Packages:
    Running rpm_check_debug
    ERROR with rpm_check_debug vs depsolve:
    libgdbm.so.2()(64bit) is needed by python-libs-2.6.6-66.el6_8.x86_64
    ** Found 7 pre-existing rpmdb problem(s), 'yum check' output follows:
    4:perl-5.10.1-141.el6_7.1.x86_64 has missing requires of libgdbm.so.2()(64bit)
    4:perl-devel-5.10.1-141.el6_7.1.x86_64 has missing requires of gdbm-devel
    polkit-0.96-5.el6_4.x86_64 has missing requires of libeggdbus-1.so.0()(64bit)
    2:postfix-2.6.6-6.el6_5.x86_64 has missing requires of libmysqlclient.so.16()(64bit)
    2:postfix-2.6.6-6.el6_5.x86_64 has missing requires of libmysqlclient.so.16(libmysqlclient_16)(64bit)
    2:postfix-2.6.6-6.el6_5.x86_64 has missing requires of mysql-libs
    python-libs-2.6.6-52.el6.x86_64 has missing requires of libgdbm.so.2()(64bit)
    Your transaction was saved, rerun it with: yum load-transaction /tmp/yum_save_tx-2017-04-07-22-1798AqLE.yumtx
    Could not install OS dependencies. Aborting bootstrap!

centos 6 需要安装 libgdbm.so.2

    wget http://mirror.centos.org/centos/6/os/x86_64/Packages/gdbm-1.8.0-39.el6.x86_64.rpm
    yum localinstall gdbm-1.8.0-39.el6.x86_64.rpm

完成后,重新执行上面的命令行:

    ./letsencrypt-auto certonly --standalone  --email 2358269014@qq.com -d fecshop.appfront.fancyecommerce.com -d fecshop.appfront.es.fancyecommerce.com -d img.appfront.fancyecommerce.com -d img.apphtml5.fancyecommerce.com -d img.fancyecommerce.com

下面的安装就比较顺利了,下面是我的log

    [root@iZ942k2d5ezZ certbot-master]# ./letsencrypt-auto certonly   --email 2358269014@qq.com -d fecshop.appfront.fancyecommerce.com -d fecshop.appfront.es.fancyecommerce.com
    /root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
      DeprecationWarning
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Failed to find executable apachectl in PATH: /usr/local/mysql/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
    How would you like to authenticate with the ACME CA?
    -------------------------------------------------------------------------------
    1: Place files in webroot directory (webroot)
    2: Spin up a temporary webserver (standalone)
    -------------------------------------------------------------------------------
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
    Obtaining a new certificate
    Performing the following challenges:
    tls-sni-01 challenge for fecshop.appfront.fancyecommerce.com
    tls-sni-01 challenge for fecshop.appfront.es.fancyecommerce.com
    -------------------------------------------------------------------------------
    Could not bind TCP port 443 because it is already in use by another process on
    this system (such as a web server). Please stop the program in question and then
    try again.
    -------------------------------------------------------------------------------
    (R)etry/(C)ancel: R
    -------------------------------------------------------------------------------
    Could not bind TCP port 443 because it is already in use by another process on
    this system (such as a web server). Please stop the program in question and then
    try again.
    -------------------------------------------------------------------------------
    (R)etry/(C)ancel: R
    Waiting for verification...
    Cleaning up challenges
    Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
    Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/fecshop.appfront.fancyecommerce.com/fullchain.pem.
       Your cert will expire on 2017-07-06. To obtain a new or tweaked
       version of this certificate in the future, simply run
       letsencrypt-auto again. To non-interactively renew *all* of your
       certificates, run "letsencrypt-auto renew"
     - If you like Certbot, please consider supporting our work by:
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    [root@iZ942k2d5ezZ certbot-master]# ls

在nginx中添加代码:

    listen 443 ssl;
            ssl on;
            ssl_certificate /etc/letsencrypt/live/fecshop.appfront.fancyecommerce.com/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/fecshop.appfront.fancyecommerce.com/privkey.pem;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

注意上面的文件路径 ,将 fecshop.appfront.fancyecommerce.com 替换成您的文件路径。因为不同的域名生成的文件名字不同,
nginx填写完的代码如下:

    server {
            listen     80  ;
            listen 443 ssl;
            ssl on;
            ssl_certificate /etc/letsencrypt/live/fecshop.appfront.fancyecommerce.com/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/fecshop.appfront.fancyecommerce.com/privkey.pem;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    server_name fecshop.appfront.fancyecommerce.com fecshop.appfront.es.fancyecommerce.com;
        root  /www/web/develop/fecshop/appfront/web;
            server_tokens off;
        include none.conf;
        index index.php index.html index.htm;
        access_log /www/web_logs/access.log wwwlogs;
        error_log  /www/web_logs/error.log  notice;
        location ~ \.php$ {
                            fastcgi_pass   127.0.0.1:9000;
                            fastcgi_index  index.php;
                            include fcgi.conf;
            }
            location ~ /sitemap.xml
            {
                    if ($host  ~ .*appfront.es.fancyecommerce.com) {
                            rewrite ^/sitemap\.xml /sitemap_es.xml last;
                    }
            }
             location /fr/ {
                    index index.php;
                    if (!-e $request_filename){
                            rewrite . /fr/index.php last;
                      }
            }
             location /es/ {
                    index index.php;
                    if (!-e $request_filename){
                            rewrite . /es/index.php last;
                    }
            }
             location /cn/ {
                    index index.php;
                    if (!-e $request_filename){
                            rewrite . /cn/index.php last;
                    }
            }
             location /de/ {
                    index index.php;
                    if (!-e $request_filename){
                            rewrite . /de/index.php last;
                    }
            }
            location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
                    expires      30d;
            }
            location ~ .*\.(js|css)?$ {
                    expires      12h;
            }
            location /api {
                    rewrite /api/([a-z][0-9a-z_]+)/?$ /api.php?type=$1;
            }
    }

重启nginx,就可以放了https了

  • 评论于 2017-04-11 12:14 举报

    lets encrypt证书有三个月的到期时间。可以自动renew,步骤如下:

    官方资料:https://certbot.eff.org/docs/using.html?highlight=renew#renewing-certificates

    1.改写到期更新时间

    vim /etc/letsencrypt/renewal/fecshop.appfront.fancyecommerce.com.conf
    

    fecshop.appfront.fancyecommerce.com.conf是您生成的名字,这个根据您自己域名,不是我的这个名字,打开这个文件,
    将第一行的注释去掉,修改为89days

    renew_before_expiry = 89 days
    version = 0.13.0
    

    89days代表,多少天之前算过期,证书过期时间为90天,如果我设置了89,那么第二天就需要renew了,
    如果您设置了30天,那么就是2个月后需要renew,如果时间没到,renew会提示失败。

    改好文件后,进入letsencrypt 文件夹,执行

    ./certbot-auto renew   --force-renewal   --pre-hook "/etc/init.d/nginx stop" --post-hook "/etc/init.d/nginx start" 
    

    --force-renewal: 代表强制renew
    --pre-hook: 是nginx关闭的命令,因为renew需要关闭nginx
    --post-hook: 是nginx开启的命令,搞完证书后,开启nginx

    自动续签可以使用crontab来完成,在linux中执行 crontab -e
    添加代码:(www/web_logs/letsencry.log 为日志文件,您需要新建这个文件并设置可写)

    06 06 * * * /www/web/test/lets/certbot-master/certbot-auto renew   --force-renewal   --pre-hook "/etc/init.d/nginx stop" --post-hook "/etc/init.d/nginx start" >> /www/web_logs/letsencry.log 2>&1
    
    

    下面是我的日志:

    [root@iZ942k2d5ezZ certbot-master]# ./certbot-auto renew   --force-renewal   --pre-hook "/etc/init.d/nginx stop" --post-hook "/etc/init.d/nginx start" 
    
    
    /root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
      DeprecationWarning
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    -------------------------------------------------------------------------------
    Processing /etc/letsencrypt/renewal/fecshop.appfront.fancyecommerce.com.conf
    -------------------------------------------------------------------------------
    Running pre-hook command: /etc/init.d/nginx stop
    Renewing an existing certificate
    Performing the following challenges:
    tls-sni-01 challenge for fecshop.appfront.fancyecommerce.com
    tls-sni-01 challenge for fecshop.appfront.es.fancyecommerce.com
    tls-sni-01 challenge for img.appfront.fancyecommerce.com
    tls-sni-01 challenge for img.apphtml5.fancyecommerce.com
    tls-sni-01 challenge for img.fancyecommerce.com
    Waiting for verification...
    Cleaning up challenges
    Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem
    Creating CSR: /etc/letsencrypt/csr/0003_csr-certbot.pem
    
    -------------------------------------------------------------------------------
    new certificate deployed without reload, fullchain is
    /etc/letsencrypt/live/fecshop.appfront.fancyecommerce.com/fullchain.pem
    -------------------------------------------------------------------------------
    
    Congratulations, all renewals succeeded. The following certs have been renewed:
      /etc/letsencrypt/live/fecshop.appfront.fancyecommerce.com/fullchain.pem (success)
    Running post-hook command: /etc/init.d/nginx start
    [root@iZ942k2d5ezZ certbot-master]# 
    
    
  • 评论于 2017-04-14 14:04 举报

    最后可以参看网站https了,看我的示例(fecshop),哈哈, https://fecshop.appfront.fancyecommerce.com/

  • 评论于 2017-04-17 16:06 举报

    最后,推荐一下我的开源商城:Fecshop。

    Github地址:https://github.com/fancyecommerce/yii2_fecshop

    Fecshop 全称为Fancy ECommerce Shop,是基于php Yii2框架之上开发的一款优秀的开源电商系统,遵循OSL3.0协议, Fecshop支持多语言,多货币,架构上支持pc,手机web,手机app,和erp对接等入口,您可以免费快速的定制和部署属于您的电商系统。

    FecShop English Demo:http://fecshop.appfront.fancyecommerce.com/

    FecShop 中文演示地址:http://fecshop.appfront.fancyecommerce.com/cn

    FecShop QQ群:186604851 ,入群验证:fecshop

  • 评论于 2017-07-15 17:31 举报

    Fecshop 已经更改开源协议,遵循BSD开源协议,和Yii2框架一个开源协议。

您需要登录后才可以评论。登录 | 立即注册