
Let's Encrypt free SSL certificate issues

Let's Encrypt certificate issues

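Let's Encrypt is a free SSL certificate authority. With a certificate issued by it, your website can be served over HTTPS, which makes communication between users and the site more secure.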

Common problems

1. AttributeError: 'X509' object has no attribute '_x509'

When renewing the site certificate:

[root@oldpan ~]# certbot renew --disable-hook-validation --renew-hook "/etc/init.d/nginx reload"
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
From cffi callback <function _verify_callback at 0x2202398>:
Traceback (most recent call last):
  File "/usr/lib64/python2.7/site-packages/OpenSSL/SSL.py", line 313, in wrapper
    _lib.X509_up_ref(x509)
AttributeError: 'module' object has no attribute 'X509_up_ref'
...

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/oldpan.me/fullchain.pem (failure)

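Cause and solution

The cause is the OpenSSL version. I checked my OpenSSL and it was pyOpenSSL-17.5.0, but as for which version actually works, there is no precise answer online. The following method does solve it, though: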

pip uninstall pyOpenSSL cryptography
sudo pip install pyOpenSSL cryptography

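After uninstalling and reinstalling these two modules, it works.

Also note that you need to temporarily shut down the website code during the renewal, and restart it once the renewal is done.

2. AttributeError: 'module' object has no attribute 'SSL_ST_INIT'

About three months ago I applied for the site's SSL certificate through Let's Encrypt. By my count it was about time, so I logged into the server intending to run the certificate renewal program, and unexpectedly hit a problem as soon as I ran it:

The pyOpenSSL version was too low. Following some approaches found online, I uninstalled the old pyOpenSSL and reinstalled the latest pyOpenSSL, but running certbot certificates again still produced: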

...
  File "/usr/lib/python2.7/site-packages/acme/jose/interfaces.py", line 9, in <module>
    from acme.jose import util
  File "/usr/lib/python2.7/site-packages/acme/jose/util.py", line 5, in <module>
    import OpenSSL
  File "/usr/lib/python2.7/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 118, in <module>
    SSL_ST_INIT = _lib.SSL_ST_INIT
AttributeError: 'module' object has no attribute 'SSL_ST_INIT'

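I looked up the cause online; it seems to be an Alibaba Cloud server issue, as servers from other providers do not have this problem. The solutions online vary widely; here I took the approach of completely uninstalling the previous installation and reinstalling: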

[root@oldpan etc]# pip uninstall certbot

I had installed it with pip, so I uninstalled it with pip; if it was installed with apt or rpm, the corresponding uninstall command is needed.

[root@oldpan etc]# pip install certbot
 ...
[root@oldpan etc]# certbot certificates
Traceback (most recent call last):
  File "/usr/bin/certbot", line 7, in <module>
    from certbot.main import main
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 11, in <module>
    from acme import jose

[root@oldpan etc]# pip uninstall acme
Uninstalling acme-0.20.0:
  /usr/lib/python2.7/site-packages/acme-0.20.0.dist-info/DESCRIPTION.rst
  /usr/lib/python2.7/site-packages/acme-0.20.0.dist-info/INSTALLER
  /usr/lib/python2.7/site-packages/acme-0.20.0.dist-info/METADATA
  /usr/lib/python2.7/site-packages/acme-0.20.0.dist-info/RECORD
  /usr/lib/python2.7/site-packages/acme-0.20.0.dist-info/WHEEL
  /usr/lib/python2.7/site-packages/acme-0.20.0.dist-info/entry_points.txt
  /usr/lib/python2.7/site-packages/acme-0.20.0.dist-info/metadata.json
  /usr/lib/python2.7/site-packages/acme-0.20.0.dist-info/top_level.txt
Proceed (y/n)? y
  Successfully uninstalled acme-0.20.0

[root@oldpan etc]# pip install acme
 ...
/usr/lib/python2.7/site-packages (from cffi>=1.7; platform_python_
implementation != "PyPy"->cryptography>=0.8->acme)
Installing collected packages: acme
Successfully installed acme-0.20.0

[root@oldpan etc]# certbot certificates
/usr/lib/python2.7/site-packages/requests/__init__.py:80: RequestsDependencyWarning: urllib3 (1.22) or chardet
 (2.2.1) doesn't match a supported version!
  RequestsDependencyWarning)
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: oldpan.me
    Domains: oldpan.me www.oldpan.me
    Expiry Date: 2018-01-19 04:08:01+00:00 (VALID: 6 days)
    Certificate Path: /etc/letsencrypt/live/oldpan.me/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/oldpan.me/privkey.pem
-------------------------------------------------------------------------------

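Just re-validate and it is done. Note that reactivating the certificate requires port 80 to communicate with the intermediate server, which is not possible while the website is running. Temporarily stop the website, renew the certificate, then start the website again.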
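
To notice a failed renewal before a certificate is down to a few days, as in the listing above, the output of certbot certificates can be checked on a schedule. This is an added example, not part of the original post; the entries other than oldpan.me, the "(INVALID: EXPIRED)" status text and the 30-day default threshold are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Flag certificates in `certbot certificates` output that are close to expiry.

# Constructed sample in the format shown in the article. Only the oldpan.me
# entry comes from the article; the other two entries are constructed.
sample_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: oldpan.me
    Domains: oldpan.me www.oldpan.me
    Expiry Date: 2018-01-19 04:08:01+00:00 (VALID: 6 days)
    Certificate Path: /etc/letsencrypt/live/oldpan.me/fullchain.pem
  Certificate Name: example.test
    Domains: example.test
    Expiry Date: 2018-04-01 00:00:00+00:00 (VALID: 78 days)
  Certificate Name: expired.test
    Domains: expired.test
    Expiry Date: 2017-12-01 00:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# Reads `certbot certificates` output on stdin and prints "name<TAB>status"
# for every certificate with fewer than $1 days left (default 30).
# Any status that is not "VALID: N days" is reported as well, so an expired
# or unparsable entry is never silently skipped.
certs_needing_attention() {
  awk -v min="${1:-30}" '
    /Certificate Name:/ { name = $3 }
    /Expiry Date:/ {
      status = "UNKNOWN"
      if (match($0, /\(.*\)/)) status = substr($0, RSTART + 1, RLENGTH - 2)
      days = -1
      if (status ~ /^VALID: [0-9]+ day/) { split(status, p, " "); days = p[2] + 0 }
      if (days < min) print name "\t" status
    }'
}

# Demonstration on the constructed sample. On a real host the input would be:
#   certbot certificates 2>/dev/null | certs_needing_attention 30
sample_output | certs_needing_attention 30
```

Any line printed by the function means the renewal job needs a look; an empty result means every listed certificate has at least the threshold number of days left.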

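This article is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.
When reposting, be sure to credit the source: https://oldpan.me/archives/lets-encrypt-ssl-renew-problem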
