Why won't the certbot-dns-cloudflare plugin install on AWS Linux

Question (votes: 1, answers: 2)

I have an Elastic Beanstalk with a single EC2 instance, and I need to install an SSL certificate during deployment, at which point the server cannot be reached at the IP address given by the A record in DNS. I want to use LetsEncrypt and the certbot-dns-cloudflare plugin to obtain and install the certificate automatically. I created a cloudflare credentials file containing the cloudflare api key so that the plugin can ask cloudflare to create a DNS TXT record and use it for domain ownership validation.

I ran into many problems trying to install certbot with the method described here https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-an-instance.html#letsencrypt (the EPEL repository does not contain certbot), and seemed to have better luck with the certbot-auto install method https://medium.com/@mohan08p/install-and-renew-lets-encrypt-ssl-on-amazon-ami-6d3e0a61693.

So my process so far is:

$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
$ sudo ./certbot-auto --debug --install-only 

This appears to install certbot, and I see no error messages. Next I do this:

$ cd /opt/eff.org/certbot/venv
$ source bin/activate
$ sudo pip install certbot-dns-cloudflare    

    ... cut short for brevity ...
    Collecting zope.event (from zope.component->certbot>=0.21.1->certbot-dns-cloudflare)
      Downloading https://files.pythonhosted.org/packages/c5/96/361edb421a077a4c208b4a5c212737d78ae03ce67fbbcd01621c49f332d1/zope.event-4.4-py2.py3-none-any.whl
    Collecting pycparser (from cffi!=1.11.3,>=1.7->cryptography>=0.8->acme>=0.21.1->certbot-dns-cloudflare)
      Downloading https://files.pythonhosted.org/packages/68/9e/49196946aee219aead1290e00d1e7fdeab8567783e83e1b9ab5585e6206a/pycparser-2.19.tar.gz (158kB)
        100% |################################| 163kB 7.9MB/s
    Collecting zope.proxy (from zope.deferredimport>=4.2.1->zope.component->certbot>=0.21.1->certbot-dns-cloudflare)
      Downloading https://files.pythonhosted.org/packages/7c/f5/e9ed65cdf8c93d24d7512ef89e21b241bc9ae75d90bc8608cc142f4c26f9/zope.proxy-4.3.1.tar.gz (43kB)
        100% |################################| 51kB 12.1MB/s
    Installing collected packages: funcsigs, pbr, six, mock, zope.interface, chardet, idna, certifi, urllib3, asn1crypto, enum34, pycparser, cffi, ipaddress, cryptography, PyOpenSSL, requests, requests-toolbelt, pytz, pyrfc3339, josepy, acme, future, parsedatetime, ConfigArgParse, zope.hookable, zope.proxy, zope.deferredimport, zope.deprecation, zope.event, zope.component, certbot, jsonlines, cloudflare, certbot-dns-cloudflare
      Found existing installation: six 1.8.0
        Uninstalling six-1.8.0:
          Successfully uninstalled six-1.8.0
      Found existing installation: chardet 2.0.1
        DEPRECATION: Uninstalling a distutils installed project (chardet) has been deprecated and will be removed in a future version. This is due to the fact that uninstalling a distutils project will only partially uninstall the project.
        Uninstalling chardet-2.0.1:
          Successfully uninstalled chardet-2.0.1
      Found existing installation: urllib3 1.8.2
        Uninstalling urllib3-1.8.2:
          Successfully uninstalled urllib3-1.8.2
      Running setup.py install for pycparser ... done
      Found existing installation: requests 1.2.3
        Uninstalling requests-1.2.3:
          Successfully uninstalled requests-1.2.3
      Running setup.py install for future ... done
      Running setup.py install for ConfigArgParse ... done
      Running setup.py install for zope.hookable ... done
      Running setup.py install for zope.proxy ... done
      Running setup.py install for cloudflare ... done
    Successfully installed ConfigArgParse-0.13.0 PyOpenSSL-18.0.0 acme-0.29.1 asn1crypto-0.24.0 certbot-0.29.1 certbot-dns-cloudflare-0.29.1 certifi-2018.11.29 cffi-1.11.5 chardet-3.0.4 cloudflare-2.1.0 cryptography-2.4.2 enum34-1.1.6 funcsigs-1.0.2 future-0.17.1 idna-2.8 ipaddress-1.0.22 josepy-1.1.0 jsonlines-1.2.0 mock-2.0.0 parsedatetime-2.4 pbr-5.1.1 pycparser-2.19 pyrfc3339-1.1 pytz-2018.7 requests-2.21.0 requests-toolbelt-0.8.0 six-1.12.0 urllib3-1.24.1 zope.component-4.5 zope.deferredimport-4.3 zope.deprecation-4.4.0 zope.event-4.4 zope.hookable-4.2.0 zope.interface-4.6.0 zope.proxy-4.3.1
    You are using pip version 9.0.3, however version 18.1 is available.
    You should consider upgrading via the 'pip install --upgrade pip' command.

In that list I see signs that the cloudflare plugin was installed successfully. However, when I list the plugins I don't see it:

$ sudo ./certbot-auto plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT

* nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Trying to run certbot-auto with the plugin fails as follows:

$ sudo ./certbot-auto certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini --dns-cloudflare-propagation-seconds 60 -d my-domain.com
usage:
  certbot-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --dns-cloudflare-credentials /home/ec2-user/.secrets/certbot/cloudflare.ini --dns-cloudflare-propagation-seconds 60

Can anyone advise? Thanks

amazon-web-services cloudflare archlinux amazon-elastic-beanstalk certbot
2 Answers

0 votes

This is what ended up working for me:

$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto

$ sudo ./certbot-auto --debug --install-only
$ whereis certbot
certbot: /usr/local/bin/certbot

$ cd /opt/eff.org/certbot/venv
$ source bin/activate
$ sudo pip install certbot-dns-cloudflare
$ deactivate

$ sudo /usr/local/bin/certbot plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* dns-cloudflare
Description: Obtain certificates using a DNS TXT record (if you are using
Cloudflare for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-cloudflare =
certbot_dns_cloudflare.dns_cloudflare:Authenticator

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

If you fold this into .ebextensions/01-packages/install-packages.conf, which will run as root, you need to add a few things to create the following file at /root/.secrets/certbot/cloudflare.ini containing the cloudflare email and api key:

$ sudo mkdir -p /root/.secrets/certbot
$ sudo chmod 700 /root/.secrets
$ sudo su

# printf 'dns_cloudflare_email = <your-cf-email>\ndns_cloudflare_api_key = <your-cf-api-key>\n' > /root/.secrets/certbot/cloudflare.ini
# chmod 600 /root/.secrets/certbot/cloudflare.ini


# printf 'A\nn\nn\n' | /usr/local/bin/certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini --dns-cloudflare-propagation-seconds 60 -d my-domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for my-domain.com
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/my-domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/my-domain.com/privkey.pem
   Your cert will expire on 2019-03-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

0 votes

For me, certbot was installed in two places: /usr/local/bin/certbot worked, and the default /usr/bin/certbot could not find the newly installed plugin.

I used the commands which certbot, certbot plugins and /usr/local/bin/certbot plugins to debug this.

Hope this helps someone.
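The two answers above come down to two things: the Cloudflare credentials file has to exist with restrictive permissions before certbot runs, and the plugin is only visible to the certbot binary that belongs to the venv it was pip-installed into (/usr/local/bin/certbot here, not /usr/bin/certbot). The script below is an added example, not code from the question or either answer, that turns both points into idempotent POSIX sh helpers suitable for an .ebextensions command block. The directory, e-mail, API key and candidate binary paths are all caller-supplied assumptions; the file layout (dns_cloudflare_email / dns_cloudflare_api_key) and the `--non-interactive`, `--agree-tos`, `--no-eff-email` and `-m` flags are certbot's own.

```shell
#!/bin/sh
# Added example (not from the original question or answers).
# Helpers for the two pitfalls discussed on this page: writing the
# certbot-dns-cloudflare credentials file safely, and picking the certbot
# binary that actually sees the plugin. Nothing here contacts Cloudflare
# or Let's Encrypt until request_cert is called explicitly.

# write_cf_credentials DIR EMAIL API_KEY
# Creates DIR (e.g. /root/.secrets/certbot) with mode 700 and writes
# DIR/cloudflare.ini with mode 600, then prints the file path.
# certbot refuses credential files readable by group/other, and the API key
# grants full control of the DNS zone, so the file must never be created
# world-readable even briefly; the umask inside the subshell guarantees that.
write_cf_credentials() {
    dir=$1; email=$2; api_key=$3
    mkdir -p "$dir"
    chmod 700 "$dir"
    ( umask 077 && printf 'dns_cloudflare_email = %s\ndns_cloudflare_api_key = %s\n' \
        "$email" "$api_key" > "$dir/cloudflare.ini" )
    chmod 600 "$dir/cloudflare.ini"
    printf '%s\n' "$dir/cloudflare.ini"
}

# find_certbot_with_plugin PLUGIN [CANDIDATE...]
# Prints the first existing, executable candidate whose `certbot plugins`
# output lists PLUGIN (a line of the form "* dns-cloudflare"); returns 1 if
# none does. On this page /usr/bin/certbot and /usr/local/bin/certbot were
# separate installs and only the latter was wired to /opt/eff.org/certbot/venv.
find_certbot_with_plugin() {
    plugin=$1; shift
    for bin in "$@"; do
        [ -x "$bin" ] || continue
        if "$bin" plugins 2>/dev/null | grep -qx "\* $plugin"; then
            printf '%s\n' "$bin"
            return 0
        fi
    done
    return 1
}

# request_cert CERTBOT_BIN CREDS_FILE DOMAIN CONTACT_EMAIL
# Uses certbot's own non-interactive flags instead of piping answers to the
# prompts (the `printf 'A\nn\nn\n' | certbot ...` trick in the first answer),
# so a changed prompt order cannot silently accept something unintended.
request_cert() {
    bin=$1; creds=$2; domain=$3; contact=$4
    "$bin" certonly --non-interactive --agree-tos --no-eff-email \
        -m "$contact" \
        --dns-cloudflare --dns-cloudflare-credentials "$creds" \
        --dns-cloudflare-propagation-seconds 60 \
        -d "$domain"
}

# Typical use from a root-run deployment hook (values are placeholders):
#   creds=$(write_cf_credentials /root/.secrets/certbot "$CF_EMAIL" "$CF_API_KEY")
#   bin=$(find_certbot_with_plugin dns-cloudflare /usr/local/bin/certbot /usr/bin/certbot) \
#       || { echo "no certbot with dns-cloudflare plugin found" >&2; exit 1; }
#   request_cert "$bin" "$creds" my-domain.com "$CF_EMAIL"
```

Running `find_certbot_with_plugin` before `request_cert` turns the "unrecognized arguments: --dns-cloudflare-credentials" failure from the question into an explicit "no certbot with plugin" error at deploy time, which is far easier to diagnose in Elastic Beanstalk logs.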

© www.soinside.com 2019 - 2024. All rights reserved.