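Let's Encrypt certificate issues
Let's Encrypt is a free SSL certificate authority. A certificate it issues lets your website be served over https, making communication between users and the site more secure.
Common problems
1. AttributeError: 'X509' object has no attribute '_x509'
When renewing the site's certificate: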
[root@oldpan ~]# certbot renew --disable-hook-validation --renew-hook "/etc/init.d/nginx reload"
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
From cffi callback <function _verify_callback at 0x2202398>:
Traceback (most recent call last):
  File "/usr/lib64/python2.7/site-packages/OpenSSL/SSL.py", line 313, in wrapper
    _lib.X509_up_ref(x509)
AttributeError: 'module' object has no attribute 'X509_up_ref'
...
-------------------------------------------------------------------------------
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/oldpan.me/fullchain.pem (failure)
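Cause and solution
The cause is the OpenSSL version. I checked my OpenSSL and it was pyOpenSSL-17.5.0, but there is no precise statement online about which version actually works. The following method does resolve it, though: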
pip uninstall pyOpenSSL cryptography
sudo pip install pyOpenSSL cryptography
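After uninstalling and reinstalling these two modules, it works.
Also note that the website must be shut down temporarily while renewing; restart it once the renewal has finished.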
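2. AttributeError: 'module' object has no attribute 'SSL_ST_INIT'
About three months ago I applied for the site's SSL certificate through Let's Encrypt, and by my count it was about time to renew. I logged in to the server intending to run the certificate renewal, but it failed as soon as I ran it:
The pyOpenSSL version was too old. Following some advice online, I uninstalled the old pyOpenSSL and installed the latest version, but running certbot certificates again still produced: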
...
  File "/usr/lib/python2.7/site-packages/acme/jose/interfaces.py", line 9, in <module>
    from acme.jose import util
  File "/usr/lib/python2.7/site-packages/acme/jose/util.py", line 5, in <module>
    import OpenSSL
  File "/usr/lib/python2.7/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 118, in <module>
    SSL_ST_INIT = _lib.SSL_ST_INIT
AttributeError: 'module' object has no attribute 'SSL_ST_INIT'
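I looked up the cause online. It seems to be an Alibaba Cloud server issue, since servers from other providers do not show it. The solutions online vary widely; here I took the approach of completely uninstalling the previous installation and reinstalling: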
[root@oldpan etc]# pip uninstall certbot
I had installed it with pip, so I uninstalled it with pip; if it was installed with apt or rpm, the corresponding uninstall command is needed.
[root@oldpan etc]# pip install certbot
...
[root@oldpan etc]# certbot certificates
Traceback (most recent call last):
  File "/usr/bin/certbot", line 7, in <module>
    from certbot.main import main
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 11, in <module>
    from acme import jose
[root@oldpan etc]# pip uninstall acme
Uninstalling acme-0.20.0:
  /usr/lib/python2.7/site-packages/acme-0.20.0.dist-info/DESCRIPTION.rst
  /usr/lib/python2.7/site-packages/acme-0.20.0.dist-info/INSTALLER
  /usr/lib/python2.7/site-packages/acme-0.20.0.dist-info/METADATA
  /usr/lib/python2.7/site-packages/acme-0.20.0.dist-info/RECORD
  /usr/lib/python2.7/site-packages/acme-0.20.0.dist-info/WHEEL
  /usr/lib/python2.7/site-packages/acme-0.20.0.dist-info/entry_points.txt
  /usr/lib/python2.7/site-packages/acme-0.20.0.dist-info/metadata.json
  /usr/lib/python2.7/site-packages/acme-0.20.0.dist-info/top_level.txt
Proceed (y/n)? y
  Successfully uninstalled acme-0.20.0
[root@oldpan etc]# pip install acme
...
/usr/lib/python2.7/site-packages (from cffi>=1.7; platform_python_implementation != "PyPy"->cryptography>=0.8->acme)
Installing collected packages: acme
Successfully installed acme-0.20.0
[root@oldpan etc]# certbot certificates
/usr/lib/python2.7/site-packages/requests/__init__.py:80: RequestsDependencyWarning: urllib3 (1.22) or chardet (2.2.1) doesn't match a supported version!
  RequestsDependencyWarning)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: oldpan.me
    Domains: oldpan.me www.oldpan.me
    Expiry Date: 2018-01-19 04:08:01+00:00 (VALID: 6 days)
    Certificate Path: /etc/letsencrypt/live/oldpan.me/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/oldpan.me/privkey.pem
-------------------------------------------------------------------------------
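After that, just run the validation again. Note that re-activating the certificate requires port 80 to communicate with the intermediate server, which is not possible while the website is running; temporarily stop the website, renew the certificate, and then start the website again.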
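Both tracebacks on this page end in pyOpenSSL's SSL.py asking `_lib`, the OpenSSL binding object that the cryptography package supplies, for a symbol it does not have. The following Python sketch is an added example, not code from the original post: it classifies such a traceback; the function name `diagnose` and the result keys are hypothetical, and the sample text is excerpted from the tracebacks above.

```python
import re

# Excerpts of the two tracebacks quoted on this page (final frames only).
TRACE_RENEW = '''Traceback (most recent call last):
  File "/usr/lib64/python2.7/site-packages/OpenSSL/SSL.py", line 313, in wrapper
    _lib.X509_up_ref(x509)
AttributeError: 'module' object has no attribute 'X509_up_ref'
'''
TRACE_IMPORT = '''  File "/usr/lib/python2.7/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 118, in <module>
    SSL_ST_INIT = _lib.SSL_ST_INIT
AttributeError: 'module' object has no attribute 'SSL_ST_INIT'
'''

FRAME = re.compile(r'File "(?P<path>[^"]+)", line (?P<line>\d+), in \S+')
MISSING = re.compile(r"AttributeError: '(?P<kind>\w+)' object has no attribute '(?P<attr>\w+)'")
SITE = re.compile(r"(?P<site>.*/site-packages)/(?P<pkg>[^/]+)/")


def diagnose(trace):
    """Describe the frame that raised the first 'has no attribute' error.
    Returns None if there is no such error or no frame before it.
    Does not depend on newlines, so flattened one-line logs work too."""
    err = MISSING.search(trace)
    frames = [f for f in FRAME.finditer(trace) if err and f.end() <= err.start()]
    if not frames:
        return None
    last = frames[-1]
    where = SITE.match(last.group("path"))
    # The failing source statement sits between the frame header and the error.
    statement = trace[last.end():err.start()]
    attr = err.group("attr")
    return {
        "site_packages": where.group("site") if where else None,
        "package": where.group("pkg") if where else None,
        "line": int(last.group("line")),
        "missing": attr,
        # pyOpenSSL code (package OpenSSL) asking the binding object _lib for a
        # symbol it lacks: pyOpenSSL and cryptography are out of step.
        "binding_mismatch": bool(where) and where.group("pkg") == "OpenSSL"
        and err.group("kind") == "module" and "_lib." + attr in statement,
    }


if __name__ == "__main__":
    for name, trace in (("renew", TRACE_RENEW), ("import", TRACE_IMPORT)):
        print(name, diagnose(trace))
```

The two results report different site-packages directories (/usr/lib64/python2.7 and /usr/lib/python2.7), so compare that field with the directory pip writes to when checking which copy a reinstall replaced.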