Let's Encrypt is a free, automated and open certificate authority run by the Internet Security Research Group (ISRG).
ISRG is a public-benefit organization focused on Internet security. Its major sponsors include the Mozilla Foundation, Akamai, Cisco, the Electronic Frontier Foundation (EFF), Facebook, IdenTrust and the Internet Society; participants also include the University of Michigan, Stanford Law School and the Linux Foundation.
Let's Encrypt aims to remove the obstacles of cost and server configuration so that encrypted connections become the default on the Internet.
The key principles behind Let's Encrypt are:
- Free: anyone who owns a domain name can obtain a trusted certificate at no cost
- Automatic: software running on the web server (the official client) can interact with Let's Encrypt to obtain a certificate painlessly, configure it securely and handle renewal on its own
- Secure: Let's Encrypt serves as a platform for advancing TLS security best practices, both on the certificate authority side and by helping site operators secure their servers properly
- Transparent: every certificate issued or revoked is publicly recorded and available for anyone to inspect
- Open: the automatic issuance and renewal protocol is published as an open standard that others can adopt
- Cooperative: much like the underlying Internet protocols themselves, Let's Encrypt is a joint effort for the benefit of the community, beyond the control of any single organization
Installing the official client on CentOS 7.2, and dealing with the error `_openssl.so: undefined symbol: EC_GROUP_new_curve_GF2m` encountered along the way.
- Download the client

```
[root@SIG ~]# git clone https://github.com/letsencrypt/letsencrypt
```

- Install the client

```
[root@SIG ~]# cd letsencrypt/
[root@SIG letsencrypt]# ./letsencrypt-auto
```
letsencrypt-auto sets up a Python virtualenv under the user's home directory at ~/.local/share/letsencrypt (installing build dependencies such as openssl-devel with yum along the way) and then immediately tries to run the client. Here that first run failed:
```
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Requesting root privileges to run letsencrypt...
   /root/.local/share/letsencrypt/bin/letsencrypt
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 7, in <module>
    from letsencrypt.main import main
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/main.py", line 13, in <module>
    from acme import jose
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/jose/__init__.py", line 37, in <module>
    from acme.jose.interfaces import JSONDeSerializable
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/jose/interfaces.py", line 9, in <module>
    from acme.jose import util
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/jose/util.py", line 5, in <module>
    import OpenSSL
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/OpenSSL/rand.py", line 11, in <module>
    from OpenSSL._util import (
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 14, in <module>
    from cryptography.hazmat.bindings._openssl import ffi, lib
ImportError: /root/.local/share/letsencrypt/lib/python2.7/site-packages/cryptography/hazmat/bindings/_openssl.so: undefined symbol: EC_GROUP_new_curve_GF2m
```
The cause: when pip built the cryptography extension it was compiled expecting the symbol EC_GROUP_new_curve_GF2m, but at run time the dynamic loader resolves the extension against the system OpenSSL. On CentOS 7 libcrypto is built with the binary-field (GF(2^m)) elliptic-curve code disabled, so it does not export that symbol. Running ldd on the extension shows which libraries it actually links to:
```
[root@SIG letsencrypt]# ldd ~/.local/share/letsencrypt/lib/python2.7/site-packages/cryptography/hazmat/bindings/_openssl.so
	linux-vdso.so.1 =>  (0x00007fff6bb09000)
	libssl.so.10 => /lib64/libssl.so.10 (0x00007f0af21e7000)
	libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0af1dff000)
	libpython2.7.so.1.0 => /lib64/libpython2.7.so.1.0 (0x00007f0af1a38000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f0af181c000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0af145b000)
	libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f0af120e000)
	libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f0af0f29000)
	libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f0af0d25000)
	libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f0af0af2000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f0af08ee000)
	libz.so.1 => /usr/local/lib/libz.so.1 (0x00007f0af06d5000)
	libutil.so.1 => /lib64/libutil.so.1 (0x00007f0af04d1000)
	libm.so.6 => /lib64/libm.so.6 (0x00007f0af01cf000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f0af273a000)
	libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f0aeffc0000)
	libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f0aefdbb000)
	libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f0aefba1000)
	libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f0aef97b000)
	libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f0aef71a000)
	liblzma.so.5 => /lib64/liblzma.so.5 (0x00007f0aef4f5000)
[root@SIG letsencrypt]#
```
It is indeed resolving to the system libcrypto.so.10 in /lib64. Knowing the cause, the fix is straightforward: I had previously built a newer OpenSSL into /usr/local/openssl, so remove the openssl-devel package that the first step pulled in, then uninstall and reinstall cryptography and pyopenssl with pip so that they are rebuilt against the newer OpenSSL. Note: clear pip's cache first (it lives under ~/.cache/pip); otherwise pip reuses the previously built package and never recompiles the extension.
```
[root@SIG ~]# yum remove openssl-devel
[root@SIG ~]# cd ~/.local/share/letsencrypt/bin/
[root@SIG bin]# ./pip uninstall cryptography pyopenssl -y
Uninstalling cryptography-1.2.3:
  Successfully uninstalled cryptography-1.2.3
Uninstalling pyOpenSSL-0.15.1:
  Successfully uninstalled pyOpenSSL-0.15.1
You are using pip version 8.0.3, however version 8.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
[root@SIG bin]# ./pip install --upgrade pip
Collecting pip
  Downloading pip-8.1.1-py2.py3-none-any.whl (1.2MB)
    100% |████████████████████████████████| 1.2MB 318kB/s
Installing collected packages: pip
  Found existing installation: pip 8.0.3
    Uninstalling pip-8.0.3:
      Successfully uninstalled pip-8.0.3
Successfully installed pip-8.1.1
[root@SIG bin]# rm -rf ~/.cache/
[root@SIG bin]# ./pip install cryptography pyopenssl
Collecting cryptography
  Downloading cryptography-1.3.2.tar.gz (383kB)
    100% |████████████████████████████████| 389kB 1.7MB/s
Collecting pyopenssl
  Downloading pyOpenSSL-16.0.0-py2.py3-none-any.whl (45kB)
    100% |████████████████████████████████| 51kB 6.1MB/s
Successfully built cryptography
Installing collected packages: cryptography, pyopenssl
Successfully installed cryptography-1.3.2 pyopenssl-16.0.0
[root@SIG bin]# ldd ~/.local/share/letsencrypt/lib/python2.7/site-packages/cryptography/hazmat/bindings/_openssl.so
	linux-vdso.so.1 =>  (0x00007ffda79a1000)
	libssl.so.1.0.0 => /usr/local/lib/libssl.so.1.0.0 (0x00007fedf768b000)
	libcrypto.so.1.0.0 => /usr/local/lib/libcrypto.so.1.0.0 (0x00007fedf723c000)
	libpython2.7.so.1.0 => /lib64/libpython2.7.so.1.0 (0x00007fedf6e76000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fedf6c5a000)
	libc.so.6 => /lib64/libc.so.6 (0x00007fedf6899000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007fedf6694000)
	libz.so.1 => /usr/local/lib/libz.so.1 (0x00007fedf647b000)
	libutil.so.1 => /lib64/libutil.so.1 (0x00007fedf6278000)
	libm.so.6 => /lib64/libm.so.6 (0x00007fedf5f75000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fedf7be6000)
[root@SIG bin]#
```
After this the extension links against the hand-built OpenSSL in /usr/local/lib, and running the client no longer fails. One caveat worth keeping in mind: an OpenSSL built from source outside the distribution's packages is also outside yum's security-update stream, so keeping it patched is now your own responsibility.
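The ldd check above is worth having in reusable form, because the same "undefined symbol" failure comes back whenever an extension is rebuilt against one OpenSSL and loaded against another. The following is an added example, not code from the original post or from the letsencrypt project: it parses ldd output, finds the libcrypto the extension resolves to, and asks the dynamic loader itself (dlopen/dlsym through ctypes) whether that library exports `EC_GROUP_new_curve_GF2m`. The two sample ldd outputs are constructed from the "before" and "after" listings in this post, trimmed to the relevant lines; when given a path on the command line it runs the real ldd instead.

```python
"""Check which libcrypto a compiled Python extension resolves to at run time,
and whether that library exports a given symbol.

Added example, not code from the original post or from letsencrypt.  The
LDD_BEFORE / LDD_AFTER strings are constructed from the post's own ldd output.
"""
import ctypes
import re
import subprocess
import sys

SYMBOL = "EC_GROUP_new_curve_GF2m"

# Constructed sample: the failing state from the post (system libcrypto.so.10).
LDD_BEFORE = """\
\tlinux-vdso.so.1 =>  (0x00007fff6bb09000)
\tlibssl.so.10 => /lib64/libssl.so.10 (0x00007f0af21e7000)
\tlibcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0af1dff000)
\tlibpython2.7.so.1.0 => /lib64/libpython2.7.so.1.0 (0x00007f0af1a38000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f0af273a000)
"""

# Constructed sample: the fixed state, after rebuilding against /usr/local.
LDD_AFTER = """\
\tlinux-vdso.so.1 =>  (0x00007ffda79a1000)
\tlibssl.so.1.0.0 => /usr/local/lib/libssl.so.1.0.0 (0x00007fedf768b000)
\tlibcrypto.so.1.0.0 => /usr/local/lib/libcrypto.so.1.0.0 (0x00007fedf723c000)
"""

# "soname => /resolved/path (0xaddress)"; lines without a path do not match.
_LDD_LINE = re.compile(r"^\s*(\S+)\s*=>\s*(/\S+)\s*\(0x[0-9a-f]+\)\s*$")


def parse_ldd(text):
    """Map each shared-object name to the path the loader resolved it to.

    The vDSO, the interpreter line and '=> not found' entries carry no path
    and are skipped, so a missing dependency simply does not appear.
    """
    deps = {}
    for line in text.splitlines():
        m = _LDD_LINE.match(line)
        if m:
            deps[m.group(1)] = m.group(2)
    return deps


def libcrypto_path(deps):
    """Return the path of whichever libcrypto.so* the extension links to, or None."""
    for soname, path in deps.items():
        if soname.startswith("libcrypto.so"):
            return path
    return None


def exports_symbol(lib_path, symbol):
    """dlopen() a library and probe it for `symbol` with dlsym().

    Returns True/False, or None if the library cannot be loaded at all.
    lib_path=None loads the running process itself (useful as a sanity check).
    """
    try:
        lib = ctypes.CDLL(lib_path)
    except OSError:
        return None
    return hasattr(lib, symbol)   # ctypes raises AttributeError when dlsym() fails


def diagnose(ldd_text, symbol=SYMBOL):
    """Summarise where libcrypto comes from and whether it carries `symbol`."""
    path = libcrypto_path(parse_ldd(ldd_text))
    return {
        "libcrypto": path,
        # /lib, /lib64, /usr/lib, /usr/lib64 are the distribution's libraries;
        # /usr/local/lib is not.
        "system_lib": path is not None and path.startswith(("/lib", "/usr/lib")),
        "exports": None if path is None else exports_symbol(path, symbol),
    }


if __name__ == "__main__":
    # Usage: python check_binding.py /path/to/_openssl.so   (no argument: use the samples)
    if len(sys.argv) > 1:
        print(diagnose(subprocess.check_output(["ldd", sys.argv[1]]).decode()))
    else:
        for label, sample in (("before", LDD_BEFORE), ("after", LDD_AFTER)):
            print(label, diagnose(sample))
```

Run it against the real `_openssl.so` after any OpenSSL upgrade: if `system_lib` is True and `exports` is False, you are in exactly the state this post describes and the binding needs to be rebuilt.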
- Request a certificate

Use `letsencrypt certonly`. The generated key is 2048-bit RSA by default. With `--webroot`, the client writes a challenge file under `/var/www/html/.well-known/acme-challenge/` and Let's Encrypt fetches it over plain HTTP, so that path must be served, unauthenticated, on port 80 for the domain being validated.

```
[root@SIG bin]# ./letsencrypt certonly --webroot -w /var/www/html/ -d www.xvcat.com -m [email protected] --agree-tos

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.xvcat.com/fullchain.pem. Your cert will
   expire on 2016-08-08. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@SIG bin]#
```

Success. The certificate is valid for 90 days.
- Renew the certificate

Use `letsencrypt renew`. It only acts on certificates with fewer than 30 days of validity left; otherwise it reports them as not yet due and does nothing:

```
[root@SIG bin]# ./letsencrypt renew
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.xvcat.com.conf
-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/www.xvcat.com/fullchain.pem (skipped)
No renewals were attempted.
```
Add it to cron so that it runs automatically:

```
0 0 1 */2 * /root/.local/share/letsencrypt/bin/letsencrypt renew && /bin/systemctl restart httpd
```

Two caveats about this crontab line. First, `*/2` in the month field means the 1st of every second month, and because `renew` does nothing until fewer than 30 days remain, that is too sparse for a 90-day certificate: the certificate above (issued 2016-05-10, expiring 2016-08-08) would be checked on July 1 with 38 days left and skipped, and not checked again until September 1, more than three weeks after it expired. Since `renew` is a cheap no-op when nothing is due, run it daily (`0 0 * * *`) instead. Second, the job restarts httpd on every run even when nothing was renewed; `systemctl reload httpd` does a graceful reload that picks up the new certificate without dropping in-flight connections.
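To make the scheduling problem concrete, here is a small simulation of `renew` under the two crontab schedules. It is an added example, not code from the original post or from the letsencrypt client. It models exactly what the post states: certificates live 90 days and `renew` only acts when fewer than 30 days remain. The issue date 2016-05-10 is inferred from the 2016-08-08 expiry shown above (an assumption); the two schedule functions mirror the post's `0 0 1 */2 *` line and a daily `0 0 * * *` alternative.

```python
"""Simulate a `letsencrypt renew` cron schedule against the 90-day lifetime.

Added example, not code from the original post or from letsencrypt.
Model (from the post): certificates live 90 days; `renew` only acts when
fewer than 30 days remain, otherwise it is a no-op.
"""
from datetime import date, timedelta

LIFETIME = timedelta(days=90)       # Let's Encrypt certificate validity
RENEW_BEFORE = timedelta(days=30)   # `renew` acts only below this remaining lifetime


def every_other_month(day):
    """Cron `0 0 1 */2 *`: the 1st of January, March, May, ... (odd months)."""
    return day.day == 1 and day.month % 2 == 1


def daily(day):
    """Cron `0 0 * * *`: every midnight."""
    return True


def simulate(issue, schedule, horizon_days=365):
    """Walk day by day from `issue`; return (renewal dates, days spent expired).

    On each day the cron job runs first (if scheduled), then the day is
    checked, so a renewal on the 1st ends an outage on that same day.
    """
    expiry = issue + LIFETIME
    renewals = []
    expired_days = 0
    day = issue + timedelta(days=1)
    end = issue + timedelta(days=horizon_days)
    while day <= end:
        if schedule(day) and expiry - day < RENEW_BEFORE:   # also true once already expired
            expiry = day + LIFETIME
            renewals.append(day)
        if day >= expiry:
            expired_days += 1
        day += timedelta(days=1)
    return renewals, expired_days


def report(issue_iso, schedule, horizon_days=365):
    """Same as simulate(), with ISO date strings in and out."""
    renewals, expired = simulate(date.fromisoformat(issue_iso), schedule, horizon_days)
    return [d.isoformat() for d in renewals], expired


if __name__ == "__main__":
    issue = "2016-05-10"   # assumption: the post's 2016-08-08 expiry minus 90 days
    for name, sched in (("0 0 1 */2 *", every_other_month), ("0 0 * * *", daily)):
        renewals, expired = report(issue, sched)
        print(f"{name:12} renewals={renewals} days_expired={expired}")
```

Over one year the every-other-month schedule leaves the site serving an expired certificate for 54 days in two separate outages (August 2016 and April 2017), while the daily schedule renews roughly every 61 days and is never expired. The threshold comparison (`< 30 days`) is where the month-based schedule keeps landing just on the wrong side: a check at 31 days left is skipped, and the next one is two months away.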
It's that openssl library we need, my friend. You compiled it, so where do we download it from...
OpenSSL website: https://www.openssl.org/ . Before building it, it is best to build and install the zlib library first: http://zlib.net
Thanks, very useful. After upgrading openssl to 1.1.0e I could no longer renew certificates; following your method to update the system library links, the renewal succeeded.
Anyone who gets an OPENSSL_sk_num error can fix it with this method.
Thank you for sharing your experience; it helped me solve part of my problem. Much appreciated 💡
Thank you very much for the invitation :). Best wishes.
PS: How are you? I am from France 🙂
Hi, I'm glad my post can help you.