Adding HTTPS to a domain

Preparation

Python 2.7 or later is required, so on CentOS 6 the stock Python 2.6 has to be upgraded to 2.7.

Upgrading Python

### Install Python 2.7
tar -xvf Python-2.7.5.tar.bz2
cd Python-2.7.5
./configure --prefix=/usr/local/python2.7 && make && make install

### Install the pip that matches Python 2.7
wget --no-check-certificate https://pypi.python.org/packages/source/s/setuptools/setuptools-20.3.1.tar.gz
tar -xvf setuptools-20.3.1.tar.gz
cd setuptools-20.3.1
/usr/local/python2.7/bin/python2.7 setup.py install --prefix=/usr/local/python2.7
wget --no-check-certificate https://pypi.python.org/packages/source/p/pip/pip-8.0.1.tar.gz
tar -xvf pip-8.0.1.tar.gz
cd pip-8.0.1
/usr/local/python2.7/bin/python2.7 setup.py install --prefix=/usr/local/python2.7

Switching the system Python

Steps:

Rename /usr/bin/python and /usr/bin/pip to python2.6 and pip2.6:

mv /usr/bin/python /usr/bin/python2.6
mv /usr/bin/pip /usr/bin/pip2.6

Edit the yum script so that it explicitly uses python2.6:

vim /usr/bin/yum
# change the first line from #!/usr/bin/python to #!/usr/bin/python2.6

Make python2.7 and pip2.7 available as python and pip:

ln -s /usr/local/python2.7/bin/python2.7 /usr/bin/python
ln -s /usr/local/python2.7/bin/pip2.7 /usr/bin/pip

Explanation: yum depends on the original Python 2.6, so it has to keep pointing at that interpreter.
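The switch above as a single re-runnable script, with the checks an administrator wants around each step (added example, not code from the original post). It assumes Python 2.7 was installed under /usr/local/python2.7 as shown earlier and that python and yum live at the stock CentOS 6 paths; the yum shebang is only rewritten when it is still exactly #!/usr/bin/python, so running the script twice does no harm.

```shell
#!/bin/sh
# Added example: the "switch the system Python" procedure as a script.
# Assumptions: Python 2.7 under /usr/local/python2.7 (as built above),
# stock CentOS 6 paths for /usr/bin/python, /usr/bin/pip and /usr/bin/yum.
set -eu

NEW_PY=/usr/local/python2.7/bin/python2.7
NEW_PIP=/usr/local/python2.7/bin/pip2.7

# patch_shebang FILE OLD NEW: rewrite FILE's first line from "#!OLD" to
# "#!NEW". Returns 1 without touching the file when the first line is not
# exactly "#!OLD" (already patched, or a different interpreter).
patch_shebang() {
    file=$1; old=$2; new=$3
    first=$(head -n 1 "$file")
    [ "$first" = "#!$old" ] || return 1
    tmp="$file.tmp"
    { printf '#!%s\n' "$new"; tail -n +2 "$file"; } > "$tmp"
    # Copy the contents back rather than mv, so the original file keeps its
    # owner and mode (it is /usr/bin/yum in the real run).
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# shebang_of FILE: print the interpreter named on FILE's first line
# (empty output if there is no shebang).
shebang_of() {
    head -n 1 "$1" | sed -n 's/^#!//p'
}

switch_python() {
    [ -x "$NEW_PY" ] || { echo "missing $NEW_PY" >&2; exit 1; }

    # 1. Keep the stock interpreter reachable under a versioned name.
    [ -e /usr/bin/python2.6 ] || mv /usr/bin/python /usr/bin/python2.6
    if [ -e /usr/bin/pip ] && [ ! -e /usr/bin/pip2.6 ]; then
        mv /usr/bin/pip /usr/bin/pip2.6
    fi

    # 2. Pin yum to python2.6 before the name "python" changes meaning.
    patch_shebang /usr/bin/yum /usr/bin/python /usr/bin/python2.6 || true

    # 3. Make the new interpreter the default "python" and "pip".
    ln -sfn "$NEW_PY" /usr/bin/python
    ln -sfn "$NEW_PIP" /usr/bin/pip

    # 4. Verify: the default python is 2.7 and yum still starts.
    python -c 'import sys; assert sys.version_info[:2] == (2, 7)'
    yum --version > /dev/null
    echo "python -> $(readlink /usr/bin/python); yum -> $(shebang_of /usr/bin/yum)"
}

# Only modify the system when explicitly asked (./switch-python.sh --apply),
# so the functions can be sourced and tried on scratch files first.
if [ "${1:-}" = "--apply" ]; then
    switch_python
fi
```

The verification step at the end is the part worth keeping even if the rest is done by hand: a yum that no longer starts is the usual symptom when the shebang edit was skipped or applied to the wrong file.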

Changing the pip index

mkdir ~/.pip
cat > ~/.pip/pip.conf << EOF
[global]
trusted-host=mirrors.aliyun.com
index-url=http://mirrors.aliyun.com/pypi/simple/
EOF

Generating a free HTTPS certificate with Let's Encrypt

  1. Download and install certbot (Let's Encrypt)
  2. Generate the certificate with certbot
  3. Configure the certificate in nginx

Installing certbot

[root@hz1 ~]# wget https://dl.eff.org/certbot-auto
[root@hz1 ~]# chmod a+x certbot-auto
[root@hz1 ~]# ./certbot-auto

Generating a certificate with certbot

Generating a certificate for a single domain

[root@hz1 certbot]# ./certbot-auto certonly --email  zhai.junming@timecash.cn --agree-tos --webroot -w  /alidata1/www/timecash22/api3  -d  xxxx.zjm.cn
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxx.zjm.cn
Using the webroot path /alidata1/www/timecash22/api3 for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/xxx.zjm.cn/fullchain.pem. Your
   cert will expire on 2017-09-06. To obtain a new or tweaked version
   of this certificate in the future, simply run certbot-auto again.
   To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


-w: the web root directory of the domain; -d: the domain name

Note: the certificate has been written to /etc/letsencrypt/live/xxx.zjm.cn/

Configuring the certificate in Nginx

server {
    listen 443 ssl;
    ....
    ssl_certificate /etc/letsencrypt/live/xxx.zjm.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.zjm.cn/privkey.pem;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
}

ssl_certificate and ssl_certificate_key point to fullchain.pem and privkey.pem respectively.

The ssl_dhparam file is generated with the following commands:

$ sudo mkdir /etc/nginx/ssl
$ sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
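A complete vhost for the certificate, filling in what the "...." above leaves out (added example, not the original post's configuration). It follows the post's own cat > file << EOF pattern from the pip.conf step and assumes the certificate paths shown above, the dhparam.pem just generated, and a domain and webroot passed as arguments. Beyond the three ssl_* lines it adds a port-80 server that keeps serving /.well-known/acme-challenge/ from the webroot, which is what makes later "certbot-auto renew" runs succeed once the site itself is HTTPS-only, and a TLS policy (TLS 1.2, forward-secret AEAD ciphers, HSTS) that is an assumption to adjust for your clients.

```shell
#!/bin/sh
# Added example: generate and sanity-check an nginx TLS vhost for a
# Let's Encrypt certificate. Assumptions: certificates live under
# /etc/letsencrypt/live/<domain>/ and dhparam.pem under /etc/nginx/ssl/.
set -eu

# write_tls_vhost DOMAIN WEBROOT OUTFILE
write_tls_vhost() {
    domain=$1; webroot=$2; out=$3
    live=/etc/letsencrypt/live/$domain
    cat > "$out" << EOF
server {
    listen 80;
    server_name $domain;

    # certbot --webroot drops challenge files here; serve them over plain
    # HTTP so renewals keep working after the site moves to HTTPS.
    location ^~ /.well-known/acme-challenge/ {
        root $webroot;
        default_type "text/plain";
    }

    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name $domain;
    root $webroot;

    ssl_certificate     $live/fullchain.pem;
    ssl_certificate_key $live/privkey.pem;
    ssl_dhparam         /etc/nginx/ssl/dhparam.pem;

    # Assumed policy: TLS 1.2 only, forward-secret AEAD suites. Relax it
    # only if you must support older clients.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Browsers stay on HTTPS for a year; enable only once HTTPS is known to
    # work for every host this header will reach.
    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
}

# check_tls_vhost FILE: report each directive a working TLS vhost needs that
# is missing from FILE; succeeds only when all of them are present. A quick
# check to run before "nginx -t" and the reload.
check_tls_vhost() {
    file=$1
    missing=0
    for d in ssl_certificate ssl_certificate_key ssl_dhparam ssl_protocols acme-challenge; do
        grep -q -- "$d" "$file" || { echo "missing: $d" >&2; missing=$((missing + 1)); }
    done
    [ "$missing" -eq 0 ]
}

# Usage (paths from the post; conf.d location is an assumption):
#   write_tls_vhost xxx.zjm.cn /alidata1/www/timecash22/api3 /etc/nginx/conf.d/xxx.zjm.cn.conf
#   check_tls_vhost /etc/nginx/conf.d/xxx.zjm.cn.conf && nginx -t && nginx -s reload
```

The port-80 server is the piece most often forgotten: with a blanket redirect to HTTPS and no challenge location, the first automatic renewal fails with an http-01 error while the existing certificate keeps working, so nothing is noticed until it expires.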

Generating one certificate for several domains, i.e. several domains sharing a single SSL certificate:

./certbot-auto certonly --email admin@laobuluo.com --agree-tos --webroot -w /var/www/laozuo -d laozuo.org -d www.laozuo.org -w /var/www/laobuluo -d laobuluo.com -d www.laobuluo.com

Migrating a certificate

Scenario: the domain's DNS record is being moved to another server, so the certificate has to be moved along with it.

Revoke the certificate on the original server:

./certbot-auto revoke --cert-path /etc/letsencrypt/live/app.wl.aaa.cn/fullchain.pem
# Pointing at the domain's certificate path is enough to revoke it; never just delete the files.

Then request a new certificate on the new server.

Renewing the HTTPS certificate automatically

Because this free certificate is only valid for 90 days, it has to be renewed on a schedule; here certbot is used to renew it automatically at a fixed interval.

Renew manually (dry run):

./certbot-auto renew --dry-run

Use crontab to renew automatically at a fixed interval:

30 2 * * 1 /root/certbot-auto renew >> /var/log/le-renew.log 2>&1
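A cron wrapper for the renewal job above (added example, not the post's own script). It assumes certbot-auto sits in /root as downloaded earlier, certificates under /etc/letsencrypt/live, and openssl on the host. It does two things the bare crontab line does not: reloads nginx after the renewal pass so the new certificate is actually served, and independently measures how long each live certificate has left, so a renewal that silently fails (the usual cause is the http-01 challenge no longer being reachable) is reported with weeks to spare instead of being discovered at expiry.

```shell
#!/bin/sh
# Added example: cron wrapper for "certbot-auto renew" plus an independent
# expiry check. Assumptions: certbot-auto in /root, live certificates under
# /etc/letsencrypt/live/<name>/cert.pem, openssl installed.
set -u

CERTBOT=/root/certbot-auto
LIVE=/etc/letsencrypt/live
LOG=/var/log/le-renew.log
WARN_DAYS=20      # certbot renews 30 days out; warn if that has not happened by 20

days_to_seconds() { echo $(( $1 * 86400 )); }

# cert_expires_within CERT DAYS: returns 0 if CERT will no longer be valid
# DAYS days from now, 1 if it will still be valid, 2 if it cannot be read.
# "openssl x509 -checkend" does the date arithmetic.
cert_expires_within() {
    openssl x509 -noout -in "$1" > /dev/null 2>&1 || return 2
    if openssl x509 -checkend "$(days_to_seconds "$2")" -noout -in "$1" > /dev/null 2>&1; then
        return 1
    fi
    return 0
}

# expiring_certs DIR DAYS: print the name of every certificate under DIR that
# expires within DAYS days or cannot be read; returns 1 if any were printed,
# 0 when all are healthy.
expiring_certs() {
    dir=$1; days=$2; found=0
    for cert in "$dir"/*/cert.pem; do
        [ -f "$cert" ] || continue
        rc=0
        cert_expires_within "$cert" "$days" || rc=$?
        if [ "$rc" -ne 1 ]; then
            basename "$(dirname "$cert")"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

renew() {
    # --post-hook runs after every renewal pass; newer certbot releases also
    # offer --deploy-hook, which runs only when a certificate actually changed.
    "$CERTBOT" renew --quiet --post-hook "nginx -s reload"
}

main() {
    {
        echo "== $(date) renew"
        renew
        echo "== $(date) expiry check"
        if ! expiring_certs "$LIVE" "$WARN_DAYS"; then
            echo "WARNING: the certificates above expire within $WARN_DAYS days"
            # Send an alert here (mail, webhook): an assumed channel, not the post's.
        fi
    } >> "$LOG" 2>&1
}

# Run the job only when invoked with "run", so the functions can be sourced
# and exercised against throwaway certificates first.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Installed as, for example, /root/le-renew.sh (an assumed path), the crontab line becomes 30 2 * * 1 /root/le-renew.sh run. The 20-day threshold leaves ten days after certbot's own 30-day renewal window, so a warning means at least one scheduled renewal has already failed.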