Certbot is the EFF's foolproof, one-click HTTPS deployment tool for Let's Encrypt, written in Python. You have surely heard of Let's Encrypt one way or another; it has helped plenty of cash-strapped webmasters put the green padlock on their little sites. うふ♪(* ̄ω ̄)v
Official site: link

Step one: install the package straight from yum

sudo yum install python2-certbot-apache

Note the 2: many CentOS tools depend on Python 2, and the Python that ships with CentOS 7 is 2.7.

Then it installs all the way through......
if everything goes smoothly, that is......
But if you are on an Alibaba Cloud box, nine times out of ten you will run into the following:

Installation failed:
python-urllib3.noarch 0:1.10.2-2.el7_1

When you then try to force it with sudo certbot --apache, predictably it errors out:

ImportError: No module named 'requests.packages.urllib3'

"No module named ...": the natural reflex is the uninstall / install / upgrade triple:

pip uninstall urllib3
pip install urllib3
pip install -U urllib3

Start certbot again and, OK, the next error:

pkg_resources.DistributionNotFound: The 'urllib3<1.23,>=1.21.1' distribution was not found and is required by requests

Scroll up a bit and you will see Successfully installed urllib3-1.23, so it did install correctly. But look at the constraint more closely:
'urllib3<1.23,>=1.21.1'
<1.23, i.e. strictly less than 1.23. What a trap. Uninstall urllib3 and install 1.22 instead:

pip uninstall urllib3
pip install urllib3==1.22

Once that is in, open certbot again, and... another error:

ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.

The hint is clear enough: upgrade pyOpenSSL to 0.14 or newer, and the pyOpenSSL on my server was only 0.13.
When you try pip install -U pyopenssl to upgrade it, sure enough it fails again:

Cannot uninstall 'pyOpenSSL'. It is a distutils installed project and thus we cannot accurately determine which files belong to it which would lead to only a partial uninstall.

The upgrade fails. Use pip show pyopenssl to find the module's Location, delete it there by hand, then install pyOpenSSL again. Keep in mind this goes behind RPM's back: the 0.13 copy belongs to the pyOpenSSL RPM, so rpm -V pyOpenSSL will report the missing files afterwards, and a later update of that RPM can write the old files back next to your pip copy.

pip install pyOpenSSL

This time it installs, version 18.0.0.

If it still errors, run the following command

pip install --upgrade --force-reinstall 'requests==2.6.0'
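Before re-running certbot it helps to check the installed versions against the exact constraints pip printed, instead of guessing which pin to try next. The script below is an added example (not part of the original post and not certbot's own code): a small POSIX sh version comparator plus a satisfies check that understands pip-style requirement strings such as 'urllib3<1.23,>=1.21.1'. The check_installed helper and the requirement strings it is fed are assumptions built from the errors above; it only calls pip show when pip is on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): compare installed Python
# package versions against the constraints pip complained about, before
# re-running certbot. Only dotted numeric versions (1.22, 0.13.1, 18.0.0)
# are compared; a non-numeric tail such as "rc1" is ignored.

# ver_cmp A B: print -1 if A<B, 0 if A==B, 1 if A>B (missing parts count as 0).
ver_cmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}   # drop "rc1"-style suffixes
    [ -z "$ai" ] && ai=0
    [ -z "$bi" ] && bi=0
    if [ "$ai" -lt "$bi" ]; then echo -1; return 0; fi
    if [ "$ai" -gt "$bi" ]; then echo 1; return 0; fi
    case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
  done
  echo 0
}

# satisfies VERSION REQUIREMENT: return 0 if VERSION meets every clause of a
# pip-style requirement such as 'urllib3<1.23,>=1.21.1'. A leading package
# name is optional and ignored; supported operators: >= <= == != > <.
satisfies() {
  v="$1"; req="$2"
  name=${req%%[<>=!]*}          # text before the first operator
  rest=${req#"$name"}           # the clauses, e.g. "<1.23,>=1.21.1"
  while [ -n "$rest" ]; do
    clause=${rest%%,*}
    case "$rest" in *,*) rest=${rest#*,} ;; *) rest="" ;; esac
    case "$clause" in
      '>='*) op='>='; want=${clause#'>='} ;;
      '<='*) op='<='; want=${clause#'<='} ;;
      '=='*) op='=='; want=${clause#'=='} ;;
      '!='*) op='!='; want=${clause#'!='} ;;
      '>'*)  op='>';  want=${clause#'>'} ;;
      '<'*)  op='<';  want=${clause#'<'} ;;
      *) echo "unsupported clause: $clause" >&2; return 2 ;;
    esac
    c=$(ver_cmp "$v" "$want")
    # Each operator fails on the comparison results listed here.
    case "$op$c" in
      '>='-1|'<='1|'=='-1|'=='1|'!='0|'>'-1|'>'0|'<'1|'<'0) return 1 ;;
    esac
  done
  return 0
}

# check_installed PACKAGE REQUIREMENT (assumed helper): look PACKAGE up with
# pip and report whether the installed version satisfies REQUIREMENT.
check_installed() {
  pkg="$1"; req="$2"
  ver=$(pip show "$pkg" 2>/dev/null | awk '/^Version:/ { print $2; exit }')
  if [ -z "$ver" ]; then
    echo "$pkg: not installed (or pip not on PATH)"
    return 1
  fi
  if satisfies "$ver" "$req"; then
    echo "$pkg $ver satisfies $req"
  else
    echo "$pkg $ver violates $req -> pin it, e.g. pip install '$req'"
    return 1
  fi
}

# The two constraints that surfaced in the errors above.
if command -v pip >/dev/null 2>&1; then
  check_installed urllib3   'urllib3<1.23,>=1.21.1' || :
  check_installed pyOpenSSL 'pyOpenSSL>=0.14'       || :
fi
```

Read the requirement string straight out of the DistributionNotFound message; the check tells you whether the version you are about to pin actually lands inside the window, which is exactly what went wrong with 1.23 above.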

That last command force-pins requests back to 2.6.0, a 2015 release that still ships its own copy of urllib3 (which is why it sidesteps the mismatch), so treat it as a last resort. Also keep in mind that every pip command above writes into the system Python 2 that yum's own packages live in; the cleaner route is a dedicated virtualenv for certbot. OK, at this point 99% of the environment problems are behind you...
Start certbot with sudo certbot --apache and you will see:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

It asks for your email address.

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory

Do you agree to the terms of service?

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.

Do you want to subscribe to their newsletter?

Which names would you like to activate HTTPS for?

Here certbot scans your httpd vhosts for the names (ServerName / ServerAlias) served on port 80 and lists them; pick the ones you want HTTPS for.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Choose 2.
Once you see Congratulations! You have successfully enabled ..., you are done: the certificate is in place.

Let's Encrypt certificates are only valid for 90 days. For automatic renewal, run crontab -e as root (renewal writes to /etc/letsencrypt and reloads httpd, so it must run as root) and add the following line:

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew

After that you no longer need to worry about the certificate expiring. Run sudo certbot renew --dry-run once by hand to confirm that renewal actually works before relying on the cron job.


Once HTTPS is set up, remember to open port 443 (。-∀-)ニヒッ, both in the host firewall (on CentOS 7 with firewalld: firewall-cmd --permanent --add-service=https followed by firewall-cmd --reload) and, on Alibaba Cloud, in the instance's security group.
The config for the 443 listener ends up in /etc/httpd/conf.d; with a default Apache install it is named *-le-ssl.conf.
Besides that, your port-80 vhost config gains the following:

RewriteEngine on
RewriteCond %{SERVER_NAME} =sapi.sakuradon.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

which redirects HTTP to HTTPS.
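To confirm the post-deployment state described above without clicking through the site, here is an added example (not from the original post and not certbot's own code) that greps the two httpd vhost files for what certbot should have written: the RewriteCond/RewriteRule pair on the :80 vhost and a :443 vhost carrying a certificate and key. The /etc/letsencrypt/live/<host>/ certificate paths and the options-ssl-apache.conf Include follow certbot's usual layout but are an assumption here, not something the post states; example.com and the three sample config files are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check what
# certbot --apache left behind in /etc/httpd/conf.d. Assumes certbot's usual
# /etc/letsencrypt/live/<host>/ paths and options-ssl-apache.conf Include
# (assumption, not stated by the post). example.com is a placeholder host.

# has_https_redirect CONF HOST: 0 if CONF holds the RewriteEngine /
# RewriteCond / RewriteRule trio that sends HOST to https, 1 otherwise.
has_https_redirect() {
  conf="$1"
  pat=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep
  grep -q '^[[:space:]]*RewriteEngine[[:space:]]*[Oo]n' "$conf" || return 1
  grep -q "^[[:space:]]*RewriteCond[[:space:]]*%{SERVER_NAME}[[:space:]]*=$pat\$" "$conf" || return 1
  grep -q '^[[:space:]]*RewriteRule.*https://%{SERVER_NAME}%{REQUEST_URI}.*R=permanent' "$conf" || return 1
}

# ssl_vhost_ok CONF: 0 if CONF has a :443 vhost, TLS switched on (directly
# or via certbot's Include), and a cert + key pair under /etc/letsencrypt/live/.
ssl_vhost_ok() {
  conf="$1"
  grep -q '^[[:space:]]*<VirtualHost[^>]*:443>' "$conf" || return 1
  { grep -q '^[[:space:]]*SSLEngine[[:space:]]*[Oo]n' "$conf" \
    || grep -q '^[[:space:]]*Include.*options-ssl-apache\.conf' "$conf"; } || return 1
  grep -q '^[[:space:]]*SSLCertificateFile[[:space:]]*/etc/letsencrypt/live/' "$conf" || return 1
  grep -q '^[[:space:]]*SSLCertificateKeyFile[[:space:]]*/etc/letsencrypt/live/' "$conf" || return 1
}

# check_site HOST PORT80_CONF SSL_CONF: print a verdict per check; 0 only if both pass.
check_site() {
  site="$1"; http_conf="$2"; ssl_conf="$3"; status=0
  if has_https_redirect "$http_conf" "$site"; then
    echo "$site: port 80 redirects to https"
  else
    echo "$site: NO https redirect in $http_conf"; status=1
  fi
  if ssl_vhost_ok "$ssl_conf"; then
    echo "$site: 443 vhost has a Let's Encrypt cert/key"
  else
    echo "$site: 443 vhost incomplete in $ssl_conf"; status=1
  fi
  return $status
}

# Constructed sample configs in the shape certbot writes (not real files).
SAMPLE_DIR=${TMPDIR:-/tmp}/le-check.$$
mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/example.conf" <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example
RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
EOF
cat > "$SAMPLE_DIR/example-le-ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/example
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
</IfModule>
EOF
# A port-80 vhost where "1: No redirect" was chosen.
cat > "$SAMPLE_DIR/noredirect.conf" <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example
</VirtualHost>
EOF

check_site example.com "$SAMPLE_DIR/example.conf" "$SAMPLE_DIR/example-le-ssl.conf"
```

On a real box, point check_site at /etc/httpd/conf.d/<site>.conf and /etc/httpd/conf.d/<site>-le-ssl.conf (as a user that can read them), and follow it with apachectl configtest before reloading httpd.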

For several sites on the same IP, see the separate post "Apache: multiple sites on one IP, binding several names on port 80"; set that up first, then run certbot and pick the domains you need. The remaining configuration is handled for you.