Adding HTTPS to a domain


    Preparation

    Python 2.7 or later is required, so on CentOS 6 the stock Python 2.6 has to be upgraded to 2.7.

    Upgrading Python

    ### Install Python 2.7 (assumes Python-2.7.5.tar.bz2 has already been downloaded)
    tar -xvf Python-2.7.5.tar.bz2
    cd Python-2.7.5
    ./configure --prefix=/usr/local/python2.7 && make && make install
    cd ..

    ### Install the pip that goes with Python 2.7
    # --no-check-certificate disables TLS verification of these two downloads
    wget --no-check-certificate https://pypi.python.org/packages/source/s/setuptools/setuptools-20.3.1.tar.gz
    tar -xvf setuptools-20.3.1.tar.gz
    cd setuptools-20.3.1
    /usr/local/python2.7/bin/python2.7 setup.py install --prefix=/usr/local/python2.7
    cd ..
    wget --no-check-certificate https://pypi.python.org/packages/source/p/pip/pip-8.0.1.tar.gz
    tar -xvf pip-8.0.1.tar.gz
    cd pip-8.0.1
    /usr/local/python2.7/bin/python2.7 setup.py install --prefix=/usr/local/python2.7

    Switching the system Python

    Steps:

    Rename /usr/bin/python and /usr/bin/pip to python2.6 and pip2.6

    mv /usr/bin/python /usr/bin/python2.6
    mv /usr/bin/pip /usr/bin/pip2.6

    Edit the yum script so that it explicitly uses python2.6

    vim /usr/bin/yum
    # change the first line from  #!/usr/bin/python  to  #!/usr/bin/python2.6

    Make python2.7 and pip2.7 available as /usr/bin/python and /usr/bin/pip

    ln -s /usr/local/python2.7/bin/python2.7 /usr/bin/python
    ln -s /usr/local/python2.7/bin/pip2.7 /usr/bin/pip

    Explanation: yum depends on the original Python 2.6, so it must keep pointing at it.

    Changing the pip index

    mkdir ~/.pip
    cat > ~/.pip/pip.conf << EOF
    [global]
    trusted-host=mirrors.aliyun.com
    index-url=http://mirrors.aliyun.com/pypi/simple/
    EOF

    Generating a free HTTPS certificate with Let's Encrypt

    1. Download and install certbot (the Let's Encrypt client)
    2. Generate the certificate with certbot
    3. Configure the HTTPS certificate in nginx

    Installing certbot

    [root@hz1 ~]# wget https://dl.eff.org/certbot-auto
    [root@hz1 ~]# chmod a+x certbot-auto
    [root@hz1 ~]# ./certbot-auto

    Generating a certificate with certbot

    Generating a certificate for a single domain

    [root@hz1 certbot]# ./certbot-auto certonly --email  zhai.junming@timecash.cn --agree-tos --webroot -w  /alidata1/www/timecash22/api3  -d  xxxx.zjm.cn
    /root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
      DeprecationWarning
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for xxx.zjm.cn
    Using the webroot path /alidata1/www/timecash22/api3 for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/xxx.zjm.cn/fullchain.pem. Your
       cert will expire on 2017-09-06. To obtain a new or tweaked version
       of this certificate in the future, simply run certbot-auto again.
       To non-interactively renew *all* of your certificates, run
       "certbot-auto renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le


    -w: the web root directory of the domain; -d: the domain name

    Note: the certificate has been written to /etc/letsencrypt/live/xxx.zjm.cn

    Configuring the certificate in nginx

    server {
        listen 443 ssl;
        ....
        ssl_certificate /etc/letsencrypt/live/xxx.zjm.cn/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/xxx.zjm.cn/privkey.pem;
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    }

    ssl_certificate and ssl_certificate_key point to fullchain.pem and privkey.pem respectively

    ssl_dhparam is generated with the following commands

    $ sudo mkdir /etc/nginx/ssl
    $ sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
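    The server block above is only a fragment. The script below is an added example (not code from the original post) that writes the complete nginx virtual host the webroot flow needs: port 80 keeps serving `/.well-known/acme-challenge/` from the web root so that certbot can pass the http-01 challenge again at renewal time, everything else is redirected to HTTPS, and port 443 uses the certificate paths from the post. The domain and web root default to the values used above; the output path and the protocol settings are assumptions to adapt to the local nginx setup.

```shell
#!/bin/bash
# Added example: write a complete nginx vhost for a domain whose certificate
# was obtained with "certbot-auto certonly --webroot".
#   $1 = output file (assumed, e.g. /etc/nginx/conf.d/xxx.zjm.cn.conf)
#   $2 = domain   (defaults to the domain used in the post)
#   $3 = web root (defaults to the web root used in the post)
write_nginx_tls_conf() {
    out="$1"
    domain="${2:-xxx.zjm.cn}"
    webroot="${3:-/alidata1/www/timecash22/api3}"
    live="/etc/letsencrypt/live/$domain"

    cat > "$out" <<EOF
server {
    listen 80;
    server_name $domain;

    # Must stay reachable over plain HTTP: certbot writes the http-01
    # challenge token under this path at every renewal.
    location /.well-known/acme-challenge/ {
        root $webroot;
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name $domain;
    root $webroot;

    ssl_certificate     $live/fullchain.pem;
    ssl_certificate_key $live/privkey.pem;
    ssl_dhparam         /etc/nginx/ssl/dhparam.pem;

    # Assumed hardening: no SSLv3, server chooses the cipher.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
EOF
}

# Stand-alone usage (assumed paths):
#   write_nginx_tls_conf /etc/nginx/conf.d/xxx.zjm.cn.conf && nginx -t && nginx -s reload
# "nginx -t" exits non-zero on a broken config, so the reload only runs when it parses.
```

    Run `nginx -t` before reloading; if the `ssl_dhparam` file has not been generated yet, the config test fails and the old configuration stays active.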

    Generating one certificate for several domains, i.e. several domains sharing a single SSL certificate

    ./certbot-auto certonly --email admin@laobuluo.com --agree-tos --webroot -w /var/www/laozuo -d laozuo.org -d www.laozuo.org -w /var/www/laobuluo -d laobuluo.com -d www.laobuluo.com

    Migrating the certificate

    Requirement: the domain's DNS now resolves to a different server, so the certificate has to be moved there

    Revoke the certificate on the original server


    ./certbot-auto revoke --cert-path /etc/letsencrypt/live/app.wl.aaa.cn/fullchain.pem
    # pointing --cert-path at the domain's certificate is enough to revoke it; never just delete the files

    Request a new certificate on the new server

    Renewing the HTTPS certificate automatically

    Because this free certificate is valid for only 90 days, it has to be renewed regularly; here certbot is used to renew it automatically on a schedule.

    Running the renewal manually

    ./certbot-auto  renew --dry-run

    Using crontab to renew the certificate automatically on a schedule

    30 2 * * 1 ./certbot-auto  renew  >> /var/log/le-renew.log
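    The cron line above has two practical weaknesses: cron starts in `$HOME` with a minimal `PATH`, so a relative `./certbot-auto` is only found if that happens to be the right directory, and nginx keeps serving the old certificate from memory until it is reloaded. The script below is an added example (not code from the original post) that runs the renewal with absolute paths, reloads nginx through certbot's `--post-hook` only when a renewal was actually attempted, and logs how many days the live certificate has left so that a silently failing renewal shows up before expiry. The locations of certbot-auto (`/root/certbot-auto`), the script (`/root/le-renew.sh`) and the nginx binary (`/usr/sbin/nginx`) are assumptions; the domain is the one used in the post.

```shell
#!/bin/bash
# Added example: cron-safe Let's Encrypt renewal with nginx reload and an
# expiry check. Paths below are assumptions for the host in the post.
CERTBOT="${CERTBOT:-/root/certbot-auto}"
DOMAIN="${DOMAIN:-xxx.zjm.cn}"
LOG="${LOG:-/var/log/le-renew.log}"
NGINX="${NGINX:-/usr/sbin/nginx}"

# Days between an "openssl x509 -enddate" line (e.g. "notAfter=Sep  6 00:00:00 2017 GMT")
# and "now" given as epoch seconds (defaults to the current time). Uses GNU "date -d".
days_left_from_enddate() {
    enddate="${1#notAfter=}"
    now="${2:-$(date -u +%s)}"
    end=$(date -u -d "$enddate" +%s) || return 1
    echo $(( (end - now) / 86400 ))
}

# Days left on the certificate in a PEM file; returns 1 if it cannot be read.
cert_days_left() {
    enddate=$(openssl x509 -noout -enddate -in "$1") || return 1
    days_left_from_enddate "$enddate"
}

renew_and_reload() {
    # "renew" only replaces certificates that are within 30 days of expiry.
    # --post-hook runs once, after renewals were attempted, so nginx picks up
    # the new fullchain.pem/privkey.pem instead of serving the old ones.
    "$CERTBOT" renew --non-interactive --post-hook "$NGINX -s reload" >> "$LOG" 2>&1
    status=$?

    left=$(cert_days_left "/etc/letsencrypt/live/$DOMAIN/fullchain.pem")
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) renew exit=$status days_left=${left:-unknown}" >> "$LOG"

    # With the weekly cron schedule from the post, anything under 14 days
    # means renewals have been failing for a while and someone must look.
    if [ -n "$left" ] && [ "$left" -lt 14 ]; then
        echo "WARNING: certificate for $DOMAIN expires in $left days" >> "$LOG"
        return 1
    fi
    return "$status"
}

# Cron entry (assumed script location):   30 2 * * 1 /root/le-renew.sh run
case "${1:-}" in
    run) renew_and_reload ;;
esac
```

    The `--dry-run` from the post stays useful here: `/root/certbot-auto renew --dry-run` exercises the challenge against the staging environment without touching the live certificate, so run it once after changing the nginx configuration to confirm the `/.well-known/acme-challenge/` path is still served over HTTP.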
Original article: https://www.cnblogs.com/chadiandianwenrou/p/6964200.html