Nginx Study Notes (1): How to Configure a Secure HTTPS Web Server
Views: 5797
Published: 2019-06-18

This article is 5871 characters long; estimated reading time 19 minutes.

I. System environment

1. OS: Ubuntu 16.04.2 LTS

2. Web server: Openresty 11.2.5

II. Configuration

1. Get the certbot client

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

2. Stop the Nginx service

sudo systemctl stop nginx.service

3. Generate the certificate

./certbot-auto certonly --standalone --email `your email address` -d `your domain`

When the site has several domains, add them after it, for example:

./certbot-auto certonly --standalone --email `your email address` -d `your domain 1` -d `your domain 2`

sudo ./certbot-auto  certonly --standalone --email "yourEmail@qq.com" -d "www.tinywan.com"  -d "live.tinywan.com" -d "vod.tinywan.com" -d "livecdn.tinywan.com"  -d "nginx-vod.tinywan.com" -d "hls-auth.tinywan.com" -d "hls.tinywan.com" -d "auth.tinywan.com"

Possible error 1:

OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2

Searching turned up a certbot issue explaining that the cause is several Python versions being installed on the system. So how do you remove them?

Solution:

apt-get purge python-virtualenv python3-virtualenv virtualenv
pip install virtualenv

Possible error 2:

Cleaning up challenges
Problem binding to port 443: Could not bind to IPv4 or IPv6.

Fix: this means your Nginx service is still running! Kill it first.

Output when the certificate is generated successfully:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.tinywan.com
tls-sni-01 challenge for live.tinywan.com
tls-sni-01 challenge for vod.tinywan.com
tls-sni-01 challenge for livecdn.tinywan.com
tls-sni-01 challenge for nginx-vod.tinywan.com
tls-sni-01 challenge for hls-auth.tinywan.com
tls-sni-01 challenge for hls.tinywan.com
tls-sni-01 challenge for auth.tinywan.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.tinywan.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.tinywan.com-0001/privkey.pem
   Your cert will expire on 2018-02-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

4. View the generated certificates

tree /etc/letsencrypt/live/

www@TinywanAliYun:~$ sudo tree /etc/letsencrypt/live/
/etc/letsencrypt/live/
└── www.tinywan.top
    ├── cert.pem -> ../../archive/www.tinywan.top/cert1.pem
    ├── chain.pem -> ../../archive/www.tinywan.top/chain1.pem
    ├── fullchain.pem -> ../../archive/www.tinywan.top/fullchain1.pem
    ├── privkey.pem -> ../../archive/www.tinywan.top/privkey1.pem
    └── README

1 directory, 5 files

5. Edit the Nginx configuration file and enable SSL

sudo vim /usr/local/openresty/nginx/conf/nginx.conf

Configure the virtual hosts:

...
    # HTTP request redirect
    server {
        listen       80;
        server_name  www.tinywan.top;
        rewrite ^ https://$http_host$request_uri? permanent;    # force redirect http to https
    }

    # SSL certificate
    server {
        listen       443 ssl;
        server_name  www.tinywan.top;
        ssl_certificate     /etc/letsencrypt/live/www.tinywan.top/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.tinywan.top/privkey.pem;
        # Do not expose the server version in response headers, so attackers cannot target version-specific vulnerabilities
        server_tokens off;
        set $root_path /home/www/web/golang;
        root $root_path;
        location / {
            if (!-e $request_filename) {
                rewrite  ^(.*)$  /index.php?s=/$1  last;
                break;
            }
        }
    }
...
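As an added example (not from the original post), a small shell audit that checks a config like the one above for the settings this step relies on, run here against a constructed copy of the two server blocks. The config path, the regex checks and the two WARN items (hardening directives the post's config does not set) are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit an Nginx/OpenResty config for the
# settings step 5 relies on, and warn about two hardening directives the post's config
# does not set. Assumes POSIX sh with grep -E; the config path is the first argument.

# Print one line per finding; return the number of FAIL findings.
audit_nginx_conf() {
    conf="$1"
    fails=0
    check() {   # check <extended regex> <description>
        if grep -Eq "$1" "$conf"; then
            echo "OK    $2"
        else
            echo "FAIL  $2"
            fails=$((fails + 1))
        fi
    }
    warn() {    # warn <extended regex> <description>: hardening not covered by the post
        grep -Eq "$1" "$conf" && echo "OK    $2" || echo "WARN  $2 (not set; Nginx defaults apply)"
    }
    check 'listen[[:space:]]+443[[:space:]]+ssl' 'TLS listener on 443'
    check 'ssl_certificate[[:space:]]+/[^;]*fullchain\.pem' 'ssl_certificate uses fullchain.pem (leaf + intermediate)'
    check 'ssl_certificate_key[[:space:]]+/[^;]*privkey\.pem' 'ssl_certificate_key uses privkey.pem'
    check 'server_tokens[[:space:]]+off' 'server_tokens off (no version in Server header)'
    check '(rewrite[[:space:]]+\^[[:space:]]+https://|return[[:space:]]+30[12][[:space:]]+https://)' 'HTTP server redirects to https://'
    warn 'ssl_protocols' 'ssl_protocols pinned explicitly'
    warn 'Strict-Transport-Security' 'HSTS header (add_header Strict-Transport-Security)'
    return "$fails"
}

# Constructed sample: the post's two server blocks, trimmed to the relevant directives.
write_sample_conf() {   # write_sample_conf <path>
    cat > "$1" <<'EOF'
server {
    listen       80;
    server_name  www.tinywan.top;
    rewrite ^ https://$http_host$request_uri? permanent;
}
server {
    listen       443 ssl;
    server_name  www.tinywan.top;
    ssl_certificate     /etc/letsencrypt/live/www.tinywan.top/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.tinywan.top/privkey.pem;
    server_tokens off;
}
EOF
}

# Demo on the constructed sample; on a real host: audit_nginx_conf /usr/local/openresty/nginx/conf/nginx.conf
tmp=$(mktemp) && write_sample_conf "$tmp" && { audit_nginx_conf "$tmp" || echo "$? directive(s) missing"; rm -f "$tmp"; }
```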

6. Restart the Nginx service

sudo systemctl restart nginx.service

7. The free certificates Let's Encrypt issues are valid for 3 months; with Crontab they can be renewed indefinitely

# Run the renewal every Monday at 02:30
30 2 * * 1 /home/www/bin/certbot-auto renew  >>/home/www/bin/logs/encrypt_auto_update.log  2>&1
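An added example, not from the original post: a wrapper around the cron job above. It assumes GNU date and openssl are installed; the renew-and-check.sh name, the 14-day threshold and the --deploy-hook reload are my additions, while the certbot-auto, log and certificate paths are the post's.

```shell
#!/bin/sh
# Added example (not from the original post): a wrapper for the cron job in step 7.
# "certbot-auto renew" only renews certificates that are near expiry, but Nginx keeps
# serving the certificate it loaded at start-up, so the wrapper reloads Nginx when a
# renewal actually happened (--deploy-hook) and reports how many days the served
# certificate has left. Assumes GNU date and openssl; paths are those used in the post.
CERTBOT=/home/www/bin/certbot-auto
LIVE_DIR=/etc/letsencrypt/live/www.tinywan.top

# days_until_expiry <"notAfter=..." line as printed by "openssl x509 -enddate"> <now epoch>
# e.g. "notAfter=Feb 22 02:00:00 2018 GMT" -> whole days remaining (may be negative)
days_until_expiry() {
    end_epoch=$(date -u -d "${1#notAfter=}" +%s) || return 1
    echo $(( (end_epoch - $2) / 86400 ))
}

# Days left on the leaf certificate in a PEM file (the one Nginx is configured with).
cert_days_left() {   # cert_days_left <pem file>
    days_until_expiry "$(openssl x509 -noout -enddate -in "$1")" "$(date -u +%s)"
}

# Renew whatever is due; reload (not restart) Nginx only when a new cert was issued.
renew_certs() {
    "$CERTBOT" renew --non-interactive --deploy-hook 'systemctl reload nginx.service'
}

# Exit non-zero when fewer than <threshold> days remain, so the cron log (or a
# monitoring check on the exit status) flags a renewal that silently failed.
main() {
    renew_certs
    left=$(cert_days_left "$LIVE_DIR/fullchain.pem") || exit 2
    echo "$(date -u +%FT%TZ) certificate days left: $left"
    [ "$left" -ge "${1:-14}" ]
}

# Cron entry, as in the post but calling this wrapper (saved as /home/www/bin/renew-and-check.sh):
#   30 2 * * 1 /home/www/bin/renew-and-check.sh run >>/home/www/bin/logs/encrypt_auto_update.log 2>&1
if [ "${1:-}" = "run" ]; then main "${2:-14}"; fi
```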

A pitfall I hit: I searched everywhere without finding a fix; in the end, was it a lack of memory?

OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2
File "/usr/local/lib/python2.7/dist-packages/virtualenv.py", line 945, in create_environment

How to fix it:

user@webserver:~$ sudo fallocate -l 1G /tmp/swapfile
user@webserver:~$ sudo chmod 600 /tmp/swapfile
user@webserver:~$ sudo mkswap /tmp/swapfile
user@webserver:~$ sudo swapon /tmp/swapfile

Finally, remember to release the swap space you allocated:

user@webserver:~$ sudo swapoff /tmp/swapfile
user@webserver:~$ sudo rm /tmp/swapfile

Error encountered when updating on Ubuntu 16.04:

Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
augeas-lenses is already the newest version (1.4.0-0ubuntu1).
ca-certificates is already the newest version (20160104ubuntu1).
gcc is already the newest version (4:5.3.1-1ubuntu1).
libaugeas0 is already the newest version (1.4.0-0ubuntu1).
libffi-dev is already the newest version (3.2.1-4).
python is already the newest version (2.7.11-1).
python-dev is already the newest version (2.7.11-1).
libssl-dev is already the newest version (1.0.2g-1ubuntu4.5).
openssl is already the newest version (1.0.2g-1ubuntu4.5).
python-virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
Creating virtual environment...
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 2363, in
    main()
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
    symlink=options.symlink)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 988, in create_environment
    download=download,
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 918, in install_wheel
    call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 812, in call_subprocess
    % (cmd_desc, proc.returncode))
OSError: Command /root/.local/share/letsencrypt/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2

Solution: sudo apt install letsencrypt

 

Foreign-language tutorial:

Reposted from: http://wmifx.baihongyu.com/
