CertBot: quick Let's Encrypt certificate installation

For development reasons I had to switch the site to HTTPS. Let's Encrypt currently offers free SSL certificates.

After some experimenting I finally got the certificate installed correctly. Here I record the process and the problems I ran into, for anyone who needs it.

Environment

My environment is Alibaba Cloud with Ubuntu 16.04.

Download the tool

Download the certbot tool with git:

git clone https://github.com/certbot/certbot

The script in this repository will be run as root and installs packages on your system, so check out a release tag rather than running whatever happens to be on master at the time of the clone.

Generate the SSL certificate

Follow the instructions in the certbot documentation:

cd certbot
./letsencrypt-auto certonly --standalone --email your@qq.com -d your.domain.com

Remember to change your.domain.com to your own domain, and the e-mail address to one you actually read: it receives the expiry warnings. In --standalone mode certbot starts its own temporary web server for the validation, so nothing else may be listening on port 80 or 443 while it runs.

But things did not go as planned; the following error was reported:

Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)
Hit:1 http://mirrors.cloud.aliyuncs.com/ubuntu xenial InRelease
Hit:2 http://mirrors.cloud.aliyuncs.com/ubuntu xenial-updates InRelease
Hit:3 http://mirrors.cloud.aliyuncs.com/ubuntu xenial-security InRelease
Reading package lists... Done                     
Reading package lists... Done
Building dependency tree       
Reading state information... Done
augeas-lenses is already the newest version (1.4.0-0ubuntu1).
ca-certificates is already the newest version (20160104ubuntu1).
gcc is already the newest version (4:5.3.1-1ubuntu1).
libaugeas0 is already the newest version (1.4.0-0ubuntu1).
libffi-dev is already the newest version (3.2.1-4).
python is already the newest version (2.7.11-1).
python-dev is already the newest version (2.7.11-1).
libssl-dev is already the newest version (1.0.2g-1ubuntu4.8).
openssl is already the newest version (1.0.2g-1ubuntu4.8).
python-virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
0 upgraded, 0 newly installed, 0 to remove and 37 not upgraded.
Creating virtual environment...
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 2363, in <module>
    main()
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
    symlink=options.symlink)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 988, in create_environment
    download=download,
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 918, in install_wheel
    call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 812, in call_subprocess
    % (cmd_desc, proc.returncode))
OSError: Command /root/.local/share/letsencrypt/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2

Searching led me to the certbot issue #issuecomment-273014451.

The explanation there is that the system has several versions of Python installed. So how do you remove them?
I fixed it following the method here.

Solution:

apt-get purge python-virtualenv python3-virtualenv virtualenv
pip install virtualenv

The traceback above shows why this works: the virtualenv being executed is the Python 3 copy (/usr/lib/python3/dist-packages/virtualenv.py), and it fails while bootstrapping a Python 2.7 environment for letsencrypt-auto. Purging the distribution packages and installing one copy from pip leaves a single virtualenv on the system. Be aware that this pip install runs as root into the system Python, outside apt's control, so apt will neither upgrade nor remove it later; `which virtualenv` and `virtualenv --version` confirm which copy is now in use.

Then run the certificate generation command again:

cd certbot
./letsencrypt-auto certonly --standalone --email your@qq.com -d your.domain.com

This may take a few minutes. Output like the following means the certificate was issued:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.lanyueos.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.lanyueos.com/privkey.pem
   Your cert will expire on 2017-11-14. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Configure nginx

Add the following to the server block of your nginx configuration:

listen 443 ssl;
listen [::]:443 ssl ipv6only=on;

ssl_certificate /etc/letsencrypt/live/your.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem;

Remember to change your.domain.com to your own domain. Use fullchain.pem (leaf plus intermediate) rather than cert.pem for ssl_certificate; otherwise clients that do not already have the Let's Encrypt intermediate cached cannot build the chain and will reject the connection.
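As an added example, not from the original post, here is a complete configuration built around those two lines, covering what the fragment leaves out: plain HTTP on port 80 redirected to HTTPS, TLS 1.2 only (the nginx 1.10 shipped with Ubuntu 16.04 supports it), OCSP stapling using the chain.pem that certbot writes alongside fullchain.pem, and HSTS. The web root and the DNS resolver address are assumptions to adjust.

```nginx
# Added example, not part of the original post. Assumes the certbot paths
# shown above; the web root and resolver address are placeholders.

# Plain HTTP: answer only with a redirect to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name your.domain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name your.domain.com;

    # Leaf + intermediate, and the matching private key, as written by certbot.
    ssl_certificate     /etc/letsencrypt/live/your.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem;

    # Restrict protocol versions; nginx 1.10 on Ubuntu 16.04 supports TLSv1.2.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # OCSP stapling. chain.pem (intermediate only) is also written by certbot.
    # nginx needs a resolver to look up the OCSP responder; 8.8.8.8 is an
    # assumption, use whatever resolver your host can reach.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/your.domain.com/chain.pem;
    resolver 8.8.8.8 valid=300s;

    # HSTS (about six months). Browsers cache this, so enable it only after
    # confirming HTTPS works for every hostname you serve.
    add_header Strict-Transport-Security "max-age=15768000" always;

    root /var/www/your.domain.com;   # assumption: your site's document root
    index index.html;
}
```

After saving, `nginx -t` must report the configuration as valid before nginx is restarted; a typo in any of these directives otherwise takes the site down.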

Restart nginx

service nginx restart

If it fails to start, check the configuration file with the following command (it is worth running this before every restart, since a configuration error found only at restart time leaves the site down until it is fixed):

nginx -t

Open https://your.domain.com in a browser. If you see the green padlock, congratulations, the setup succeeded!
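The padlock is a coarse check. As an added example that is not part of the original post, here are shell functions for verifying the certificate files on disk and the certificate nginx actually presents; they assume the openssl command-line tool is installed, and the domain and file paths are yours to supply.

```shell
#!/bin/sh
# Added example, not part of the original post: command-line checks for the
# certificate on disk and for what nginx actually serves. Assumes the openssl
# command-line tool is installed; DOMAIN and file paths are yours to supply.

# cert_valid_for_days FILE DAYS
# Exit status 0 if the PEM certificate in FILE is still valid DAYS days from
# now, 1 if it will have expired by then. `openssl x509 -checkend` does the
# date arithmetic, so no locale- or version-specific date parsing is needed.
cert_valid_for_days() {
    openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1
}

# cert_subject_cn FILE
# Print the subject CN, to confirm the file really is for your domain.
# Handles both "subject= /CN=x" (OpenSSL 1.0) and "subject=CN = x" (1.1+).
cert_subject_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# live_cert_check DOMAIN
# Connect to DOMAIN:443 with SNI and print the subject, issuer and validity of
# the certificate the server presents. Needs network access; compare the
# output with the fullchain.pem certbot wrote.
live_cert_check() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Typical use after the nginx restart (paths as in the certbot output above):
#   cert_subject_cn /etc/letsencrypt/live/your.domain.com/fullchain.pem
#   cert_valid_for_days /etc/letsencrypt/live/your.domain.com/fullchain.pem 30 \
#       || echo "renew now: less than 30 days left"
#   live_cert_check your.domain.com
```

When run against fullchain.pem, `openssl x509` reads only the first certificate in the file, which is the leaf, so the CN and dates printed are those of your own certificate; cert_valid_for_days with 30 days is the same threshold certbot itself uses to decide that a renewal is due.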

Automatic certificate renewal

Create a file certbot-auto-renew-cron holding one cron entry. The entry below means: run the renewal at 02:15 on the first day of every other month. Cron does not run inside the cloned directory, so the script must be given by absolute path; replace /path/to/certbot with wherever you cloned the repository (certbot-auto and the letsencrypt-auto used above are the same script under its new and old names):

15 2 1 */2 * /path/to/certbot/certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start"

--pre-hook is what runs before the renewal. Because I have a certificate obtained in --standalone mode, nginx has to be stopped to free the port.
--post-hook is what runs once the renewal has finished; here it starts nginx again.
The consequence is a brief outage at each renewal, which is inherent to standalone mode.

Install the file as the current user's crontab:

crontab certbot-auto-renew-cron

Note that this replaces the user's existing crontab rather than appending to it, so merge the entry by hand (crontab -e) if one already exists. Two further points. certbot renew only replaces certificates that expire within 30 days, so running it more often costs nothing, and the certbot documentation recommends twice a day (for example 15 2,14 * * *), which gives a 90-day certificate many chances to renew instead of one. And `certbot-auto renew --dry-run` rehearses the renewal against the Let's Encrypt staging environment without replacing your real certificate, which is worth doing once before trusting the cron job.