[Linux] Using certbot to generate a free certificate for a domain (Apache edition)



1. Download certbot

cd /data/soft
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

2. Generate the certificate

/data/soft/certbot-auto --apache certonly

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not choose appropriate plugin: The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError('Cannot find Apache executable apachectl',)
The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError('Cannot find Apache executable apachectl',)

3. The error above says the Apache executable cannot be found, so the Apache binary path has to be supplied

sudo env PATH=$PATH:/usr/local/apache2/bin ./certbot-auto --apache certonly

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not choose appropriate plugin: The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError('Could not find configuration root',)
The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError('Could not find configuration root',)

4. The error above says the configuration root cannot be found, so --apache-server-root has to be supplied

sudo env PATH=$PATH:/usr/local/apache2/bin ./certbot-auto --apache --apache-server-root /usr/local/apache2

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): www.test.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.test.com
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

5. When certbot requests a free certificate for a domain it uses port 80 by default; if nothing listens on port 80, the error above is reported. Edit the httpd.conf configuration file to add a port 80 listener and virtual host, then restart Apache

Listen 80

<VirtualHost *:80>
ServerAdmin test@test.example.com
ServerName www.test.com
ServerAlias test
DocumentRoot /var/www/html
</VirtualHost>
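A pre-flight check for the two failures above ("No names were found in your configuration files" and "Unable to find a virtual host listening on port 80"), added here as an example and not certbot's own code: it scans httpd.conf text for a Listen 80 directive and a *:80 VirtualHost whose ServerName or ServerAlias covers the domain, which is what the http-01 challenge needs. The two config samples inside are constructed from this post (the broken state and the fixed one); the parser is a simple line-based one and does not follow Include directives.

```python
import re

# Constructed samples: the config that hit the error above, and the fixed one.
BEFORE_CONF = """Listen 443
<VirtualHost *:443>
ServerName ebank.cbibank.com
</VirtualHost>
"""
AFTER_CONF = BEFORE_CONF + """Listen 80
<VirtualHost *:80>
ServerAdmin test@test.example.com
ServerName www.test.com
ServerAlias test
</VirtualHost>
"""
LISTEN_RE = re.compile(r"^\s*Listen\s+(?:[\w.:\[\]]*:)?(\d+)", re.I)
VHOST_OPEN_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE_RE = re.compile(r"^\s*</VirtualHost>", re.I)
NAME_RE = re.compile(r"^\s*(?:ServerName|ServerAlias)\s+(.+?)\s*$", re.I)

def parse_vhosts(conf_text):
    """Return (Listen ports, [{'ports', 'names'}]); no Include expansion."""
    ports, vhosts, current = set(), [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]  # httpd ignores text after '#'
        if m := LISTEN_RE.match(line):
            ports.add(m.group(1))
        elif m := VHOST_OPEN_RE.match(line):
            # several "addr:port" pairs allowed; a bare "*" means every address/port
            vh_ports = {a.rsplit(":", 1)[-1] if ":" in a and not a.endswith("]") else "*"
                        for a in m.group(1).split()}
            current = {"ports": vh_ports, "names": set()}
        elif VHOST_CLOSE_RE.match(line) and current is not None:
            vhosts.append(current)
            current = None
        elif (m := NAME_RE.match(line)) and current is not None:
            for name in m.group(1).split():  # ServerAlias may list several names
                host = re.sub(r"^\w+://", "", name).split(":")[0]  # strip scheme/port
                current["names"].add(host.lower())
    return ports, vhosts

def http01_ready(conf_text, domain):
    """True when httpd listens on 80 and a port-80 vhost names the domain."""
    ports, vhosts = parse_vhosts(conf_text)
    if "80" not in ports:
        return False
    return any(vh["ports"] & {"80", "*"} and domain.lower() in vh["names"]
               for vh in vhosts)
```

Run it against the real file with `http01_ready(open("/usr/local/apache2/conf/httpd.conf").read(), "www.test.com")` before invoking certbot; a False result means certbot will stop at the same error as above.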

6. Regenerate the certificate. On success, four .pem files and a README file are created under /etc/letsencrypt/live/ebank.cbibank.com

cert.pem  chain.pem  fullchain.pem  privkey.pem  README

7. Edit the conf/httpd.conf file

#Include conf/extra/httpd-ssl.conf
#LoadModule ssl_module modules/mod_ssl.so

Remove the leading # from these two lines

8. Configure the conf/extra/httpd-ssl.conf file, changing the domain name and certificate paths to match:

<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName ebank.cbibank.com
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/ebank.cbibank.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ebank.cbibank.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/ebank.cbibank.com/chain.pem
</VirtualHost>

9. After the changes, restart Apache:

/usr/local/apache2/bin/apachectl restart

The restart fails and Apache cannot be shut down; it reports the following error:

httpd: Syntax error on line 434 of /usr/local/apache2/conf/httpd.conf: Cannot load /usr/local/apache2/modules/mod_ssl.so into server: /usr/local/apache2/modules/mod_ssl.so: cannot open shared object file: No such file or directory

There is no httpd module directory under /usr/lib64/, so install mod_ssl with yum:

yum install mod_ssl

After installation, mod_ssl.so is present under /usr/lib64/httpd/modules/; link it into the Apache modules directory:

/usr/lib64/httpd/modules/mod_ssl.so
ln -s /usr/lib64/httpd/modules/mod_ssl.so /usr/local/apache2/modules/mod_ssl.so

Restarting Apache again gives the error:

httpd: Syntax error on line 434 of /usr/local/apache2/conf/httpd.conf: Cannot load /usr/local/apache2/modules/mod_ssl.so into server: /usr/local/apache2/modules/mod_ssl.so:undefined symbol: ap_global_mutex_create

A Google search suggests that the yum-installed mod_ssl is incompatible with the Apache version that was installed, so the next attempt was to copy the module sources over from the tar package of the matching version:
copy the ssl directory and the contents of loggers from the modules directory into /usr/local/apache2/modules/ssl, and copy the contents of the include directory into /usr/local/apache2/modules/ssl as well. After copying, run the following command inside /usr/local/apache2/modules/ssl:

/usr/local/apache2/bin/apxs -a -i -c mod_ssl.c

After that, restart Apache again; it still fails:

httpd: Syntax error on line 434 of /usr/local/apache2/conf/httpd.conf: Cannot load /usr/local/apache2/modules/mod_ssl.so into server: /usr/local/apache2/modules/mod_ssl.so: undefined symbol: ssl_cmd_SSLPassPhraseDialog

The OpenSSL library path has to be specified; run the following command:

/usr/local/apache2/bin/apxs -a -i -c -L/usr/lib/openssl/engines/lib -c *.c -lcrypto -lssl -ldl

Restart Apache again:

httpd: Syntax error on line 434 of /usr/local/apache2/conf/httpd.conf: Cannot load /usr/local/apache2/modules/mod_ssl.so into server: /usr/local/apache2/modules/mod_ssl.so:undefined symbol: ap_global_mutex_create

Restarting Apache still reports undefined symbol: ap_global_mutex_create. No fix was found for this, so in the end the only option was to recompile and reinstall Apache with the --enable-ssl option.

© 2020 zeven0707's blog