RTFM.WIKI



Let's Encrypt + ISPmanager 4

CentOS 6 (6.10, 2.6.32-642.15.1.el6.x86_64), ISPmanager 4 (4.4.10.23), nginx+apache

Preparation. Certbot.

Download certbot

# wget https://dl.eff.org/certbot-auto
# mv certbot-auto /usr/local/bin/certbot-auto
# chown root /usr/local/bin/certbot-auto
# chmod 0755 /usr/local/bin/certbot-auto

Obtaining the certificate, but first python3

I used the nginx plugin

# /usr/local/bin/certbot-auto certonly --nginx

Because CentOS 6 is old and its old python27 is already EOL, while certbot needs the newer python3, the SCL repository is enabled first

Bootstrapping dependencies for Legacy RedHat-based OSes that will use Python3... (you can skip this with --no-bootstrap)
yum is hashed (/usr/bin/yum)
To use Certbot on this operating system, packages from the SCL repository need to be installed.

---CUT---

==========================================================================================
 Package                           Arch      Version                 Repository      Size
==========================================================================================
Installing:
 centos-release-scl                noarch    10:7-4.el6.centos       extras          12 k
Installing for dependencies:
 centos-release-scl-rh             noarch    2-4.el6.centos          extras          12 k

and then the new python3 is installed

===========================================================================================
 Package                           Arch      Version                 Repository      Size
===========================================================================================
Installing:
 augeas-libs                       x86_64    1.0.0-10.el6            base            314 k
 gcc                               x86_64    4.4.7-23.el6            base            10 M
 libffi-devel                      x86_64    3.0.5-3.2.el6           base            18 k
 mod_ssl                           x86_64    1:2.2.15-69.el6.centos  base            99 k
 openssl-devel                     x86_64    1.0.1e-58.el6_10        updates         1.2 M
 redhat-rpm-config                 noarch    9.0.3-51.el6.centos     base            60 k
 rh-python36-python                x86_64    3.6.9-2.el6             centos-sclo-rh  55 k
 rh-python36-python-devel          x86_64    3.6.9-2.el6             centos-sclo-rh  918 k
 rh-python36-python-virtualenv     noarch    15.1.0-2.el6            centos-sclo-rh  1.8 M
Installing for dependencies:
 cloog-ppl                         x86_64    0.15.7-1.2.el6          base            93 k
 cpp                               x86_64    4.4.7-23.el6            base            3.7 M
 glibc-devel                       x86_64    2.12-1.212.el6_10.3     updates         991 k
 glibc-headers                     x86_64    2.12-1.212.el6_10.3     updates         620 k
 iso-codes                         noarch    3.16-2.el6              base            2.4 M
 kernel-headers                    x86_64    2.6.32-754.27.1.el6     updates         4.6 M
 keyutils-libs-devel               x86_64    1.4-5.el6               base            29 k
 krb5-devel                        x86_64    1.10.3-65.el6           base            504 k
 libcom_err-devel                  x86_64    1.41.12-24.el6          base            33 k
 libgomp                           x86_64    4.4.7-23.el6            base            135 k
 libkadm5                          x86_64    1.10.3-65.el6           base            143 k
 libselinux-devel                  x86_64    2.0.94-7.el6            base            137 k
 libsepol-devel                    x86_64    2.0.41-4.el6            base            64 k
 mpfr                              x86_64    2.4.1-6.el6             base            157 k
 ppl                               x86_64    0.10.2-11.el6           base            1.3 M
 rh-python36-python-libs           x86_64    3.6.9-2.el6             centos-sclo-rh  7.5 M
 rh-python36-python-pip            noarch    9.0.1-2.el6             centos-sclo-rh  1.8 M
 rh-python36-python-setuptools     noarch    36.5.0-1.el6            centos-sclo-rh  584 k
 rh-python36-runtime               x86_64    2.0-1.el6               centos-sclo-rh  1.0 M
 scl-utils-build                   x86_64    20120927-29.el6_9       base            17 k
 xml-common                        noarch    0.6.3-33.el6            base            18 k
 zlib-devel                        x86_64    1.2.3-29.el6            base            44 k

Once the RPM packages are installed, the familiar certificate issuance process follows

Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): admin@foobar.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: foobar.com
2: www.foobar.com
3: city17.org
4: www.city17.org

ISPmanager

In the WWW domain's properties, create a new self-signed certificate.

Create the symlinks

# ln -sf /etc/letsencrypt/live/foobar.com/fullchain.pem /var/www/httpd-cert/isp_user/foobar.com.crt 
# ln -sf /etc/letsencrypt/live/foobar.com/privkey.pem /var/www/httpd-cert/isp_user/foobar.com.key
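
A check worth running after creating the links, as an added example that is not part of the original page: it confirms that the panel's key path is a symlink, that the whole chain resolves to a real file, and that the final key file is not readable by group or others. The function name, return codes and the temporary sandbox are assumptions made for illustration; the sandbox mirrors the page's paths plus certbot's live/ to archive/ links.

```shell
# Added example (not from the original page): verify a panel key symlink.
# Return codes: 0 ok, 1 not a symlink, 2 dangling, 3 key readable by group/other.
check_key_link() {
    link=$1
    [ -L "$link" ] || { echo "not a symlink: $link"; return 1; }
    # -f follows the whole chain (panel path -> live/ -> archive/)
    [ -f "$link" ] || { echo "dangling link: $link"; return 2; }
    perms=$(ls -ldL "$link" | cut -c5-10)   # group and other bits of the final file
    [ "$perms" = "------" ] || { echo "key too open ($perms): $link"; return 3; }
    echo "ok: $link"
}

# Constructed sandbox mirroring the page's paths under a temporary root.
sandbox_setup() {
    ROOT=$(mktemp -d)
    LE="$ROOT/etc/letsencrypt"; ISP="$ROOT/var/www/httpd-cert/isp_user"
    mkdir -p "$LE/archive/foobar.com" "$LE/live/foobar.com" "$ISP"
    echo "constructed placeholder, not a real key" > "$LE/archive/foobar.com/privkey1.pem"
    chmod 0600 "$LE/archive/foobar.com/privkey1.pem"
    ln -sf ../../archive/foobar.com/privkey1.pem "$LE/live/foobar.com/privkey.pem"
    ln -sf "$LE/live/foobar.com/privkey.pem" "$ISP/foobar.com.key"
}

sandbox_setup
check_key_link "$ISP/foobar.com.key"
rm -rf "$ROOT"
```

On the real host the call would be check_key_link /var/www/httpd-cert/isp_user/foobar.com.key, run as root.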

Automatic renewal

This step turned out to be the only one where problems came up.

Run manually from the terminal, the certificate renewed successfully, but via cron there was an error

Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly

Following advice from the LE forum, I first tried adding --nginx-ctl and --nginx-server-root to point explicitly at the directory with the binary and the directory with the configuration files.

  --nginx-server-root NGINX_SERVER_ROOT
                        Nginx server root directory. (default: /etc/nginx or
                        /usr/local/etc/nginx)
  --nginx-ctl NGINX_CTL
                        Path to the 'nginx' binary, used for 'configtest' and
                        retrieving nginx version number. (default: nginx)

Like this

0 */12 * * * /usr/local/bin/certbot-auto renew --nginx --nginx-ctl /usr/sbin/nginx --nginx-server-root /etc/nginx && /etc/init.d/nginx reload

That did not help. The problem was in $PATH. Checking everything once more

# which nginx
/usr/sbin/nginx
# echo $PATH
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

The PATH variable has to be set for cron. The default value for cron is PATH=/usr/bin:/bin. That is exactly why cron could not find my nginx.

Add to the crontab

# EDITOR=nano crontab -e

before the MAILTO="" line

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
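
To check this kind of failure without waiting for the next cron run, the added example below (not part of the original page) works out which PATH applies to a job line in a crontab and then searches only that PATH for the binary. The function names and the temporary sandbox are assumptions made for illustration; a PATH= line is taken to apply to the job lines below it, with the default quoted above used otherwise.

```shell
# Added example (not from the original page): will cron find a binary?
CRON_DEFAULT_PATH=${CRON_DEFAULT_PATH:-/usr/bin:/bin}   # default quoted on this page

# Print the first executable NAME in the colon-separated SEARCH list.
resolve_in_path() {
    name=$1; search=$2
    old_ifs=$IFS; IFS=:; set -f        # split on ':' only, no globbing
    for dir in $search; do
        if [ -f "${dir:-.}/$name" ] && [ -x "${dir:-.}/$name" ]; then
            IFS=$old_ifs; set +f
            printf '%s\n' "${dir:-.}/$name"; return 0
        fi
    done
    IFS=$old_ifs; set +f; return 1
}

# Print the PATH in effect for the first job line containing JOB_TEXT ($2) in
# crontab file $1: the last PATH= line above it, otherwise cron's default.
effective_path() {
    current=$CRON_DEFAULT_PATH
    while IFS= read -r line; do
        case $line in
            PATH=*) current=${line#PATH=} ;;
            \#*) ;;
            *"$2"*) printf '%s\n' "$current"; return 0 ;;
        esac
    done < "$1"
    return 1
}

# Would cron find binary $3 when it runs the job? (2 = job line not found)
cron_can_find() {
    p=$(effective_path "$1" "$2") || return 2
    resolve_in_path "$3" "$p"
}

# Constructed sandbox: only usr/sbin holds an nginx stub, as on the page's host.
demo_setup() {
    DEMO=$(mktemp -d); CRON_DEFAULT_PATH="$DEMO/usr/bin:$DEMO/bin"
    mkdir -p "$DEMO/usr/sbin" "$DEMO/usr/bin" "$DEMO/bin"
    printf '#!/bin/sh\n' > "$DEMO/usr/sbin/nginx"; chmod 0755 "$DEMO/usr/sbin/nginx"
    job='0 */12 * * * /usr/local/bin/certbot-auto renew --nginx'
    printf 'MAILTO=""\n%s\n' "$job" > "$DEMO/cron.before"
    printf 'PATH=%s\nMAILTO=""\n%s\n' "$DEMO/usr/sbin:$DEMO/usr/bin" "$job" > "$DEMO/cron.after"
}
demo_setup
cron_can_find "$DEMO/cron.before" "certbot-auto renew" nginx || echo "before: nginx not found"
cron_can_find "$DEMO/cron.after" "certbot-auto renew" nginx
rm -rf "$DEMO"
```

Against the real crontab, save the output of crontab -l to a file and pass that file as the first argument, leaving CRON_DEFAULT_PATH unset.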

All done!

linux/letsencrypt_ispmanager4.txt · Last modified: 2020/11/12 01:48 — dx