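Updated: 2019-04-29
Let's Encrypt is a free SSL/TLS certificate authority. Certificates are valid for 90 days and can be renewed within the 30 days before expiry, which makes them free indefinitely.
Server configuration used for this installation:
- 1 CPU, 1 GB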
- CentOS 7.5
- nginx 1.15.3
Obtaining a Let's Encrypt SSL certificate does not work the way it does with other providers, where you fill in an application form on a web page. Instead, you install a client (written in Python) on the server that hosts the domain, and the client obtains and renews the certificate.
Let's Encrypt currently supports two types of certificate: one for which the domain names must be specified explicitly, and wildcard certificates. The application procedure differs slightly between the two.
Using the Certbot client
Certbot is the client currently recommended officially.
Installing the client
```
yum install certbot
```
Run certbot to test that the program works.
```
certbot
```
If it runs properly, a message similar to the following appears.
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
```
If some dependency packages are too old or do not match, a message similar to the following may appear.
```
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.26.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 570, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2751, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2405, in load
    return self.resolve()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2411, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 18, in <module>
    from certbot import account
  File "/usr/lib/python2.7/site-packages/certbot/account.py", line 18, in <module>
    from acme import messages
  File "/usr/lib/python2.7/site-packages/acme/messages.py", line 7, in <module>
    from acme import challenges
  File "/usr/lib/python2.7/site-packages/acme/challenges.py", line 11, in <module>
    import requests
  File "/usr/lib/python2.7/site-packages/requests/__init__.py", line 58, in <module>
    from . import utils
  File "/usr/lib/python2.7/site-packages/requests/utils.py", line 32, in <module>
    from .exceptions import InvalidURL
  File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line 10, in <module>
    from .packages.urllib3.exceptions import HTTPError as BaseHTTPError
  File "/usr/lib/python2.7/site-packages/requests/packages/__init__.py", line 95, in load_module
    raise ImportError("No module named '%s'" % (name,))
ImportError: No module named 'requests.packages.urllib3'
```
The message varies depending on which dependency is missing. Try the following commands to fix it.
```
# Upgrade pip
pip install -U pip

# Upgrade the related packages, pinning requests to version 2.6.0; other versions may not resolve the dependency problem.
pip install --upgrade --force-reinstall 'requests==2.6.0' urllib3 pyOpenSSL
```
Run certbot again; the program now works.
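I. Requesting a certificate for fixed domain names
Install nginx
See the sections "Installing nginx", "Configuring Nginx" and "Allowing through the firewall" in "CentOS 7: Configuring an LNMP + FTP Environment".
Obtaining the certificate
During the application, Let's Encrypt verifies that the bound domain belongs to the applicant. The principle is that the applicant requests the certificate on the server the domain points to, and Let's Encrypt then accesses the bound domain; if it communicates successfully with the client, validation passes.
There are two ways to perform this validation. The first requires stopping the current web server to free port 80, so that the client's built-in web server can start and communicate with Let's Encrypt. The second does not require stopping the current web server, but a temporary directory must be created under the domain's web root, and that directory must be reachable from the internet through the domain.
```
# Create the temporary directory in the web root; the nginx rewrite rules may need changing so that it is reachable from outside
mkdir -p /usr/share/nginx/html/.well-known/acme-challenge

# --webroot: use the temporary-directory method. -w: the web root of the -d domains that follow; to request several domains at once, append more -w ... -d ... groups.
certbot certonly --webroot --email xxx@xxx.com -w /usr/share/nginx/html -d www.xxx.com -d xxx.com
```
Running this command generates the certificate and saves it in the corresponding domain directory under /etc/letsencrypt/live. The files there are not the real certificate files but symbolic links into the corresponding domain directory under /etc/letsencrypt/archive.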
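Automatic certificate renewal
The renew command is the officially recommended way to renew. It iterates over all certificates under /etc/letsencrypt/live; if a certificate is within the renewable period (within 30 days of expiry), it requests a new certificate and replaces the old one, otherwise it skips it.
```
# Test the renewal command with --dry-run; this does not actually renew any certificate
certbot renew --dry-run

# Renew certificates for real
certbot renew
```
Scheduling automatic renewal
The certbot renew command can be added to cron so that it runs on a schedule.
```
# --quiet suppresses all output except error messages
certbot renew --quiet
```
Edit the scheduled tasks
```
nano /etc/crontab
```
Here I schedule the job to run at 23:00 on the 28th of every month, and restart nginx after the certificate is updated.
```
# min hour day month weekday user command
0 23 28 * * root certbot renew --quiet && systemctl restart nginx
```
Or use the official method
```
# min hour day month weekday user command
0 23 28 * * root certbot renew --quiet --deploy-hook "systemctl restart nginx"
```
Save and exit.
```
# crond re-reads /etc/crontab automatically after the file changes, so no reload step is needed.
# Do not load it with "crontab /etc/crontab": that installs the file as root's personal crontab,
# where the user field ("root") is parsed as the command to run.

# View the scheduled tasks
cat /etc/crontab
```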
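How the 30-day renewal window interacts with a once-a-month cron job, as an added example that is not part of the original article: it simulates the rule described above (renew only when fewer than 30 days remain on a 90-day certificate) under the monthly schedule and under a job run every 12 hours, and reports the smallest remaining lifetime at any renewal. Assumptions: a constructed two-year calendar without leap days, the first certificate issued at the cron run on 28 January, a 12-hour schedule chosen for comparison, and hypothetical function names.

```shell
#!/bin/sh
# Added example (not from the article): how much certificate lifetime is left
# when "certbot renew" finally renews, depending on how often cron runs it.
# Times are hours since 00:00 on 1 January of a constructed non-leap year.

VALID_H=$((90 * 24))    # certificate lifetime: 90 days
WINDOW_H=$((30 * 24))   # renew only when fewer than 30 days remain

# Firing times of "0 23 28 * *" (23:00 on the 28th) over two years.
monthly_28th() {
    for year in 0 1; do
        for days_before_month in 0 31 59 90 120 151 181 212 243 273 304 334; do
            echo $(( (year * 365 + days_before_month + 27) * 24 + 23 ))
        done
    done
}

# Firing times of a job run every 12 hours, starting at the same instant.
twice_daily() {
    t=$(( 27 * 24 + 23 ))
    end=$(( 2 * 365 * 24 ))
    while [ "$t" -lt "$end" ]; do
        echo "$t"
        t=$(( t + 12 ))
    done
}

# Reads firing times on stdin. The first firing issues the certificate; each
# later firing renews only if the remaining lifetime is inside the window.
# Prints the smallest remaining lifetime (hours) seen at a renewal.
min_margin_hours() {
    expiry=""
    min=""
    while read -r now; do
        if [ -z "$expiry" ]; then
            expiry=$(( now + VALID_H ))
            continue
        fi
        left=$(( expiry - now ))
        if [ "$left" -lt "$WINDOW_H" ]; then
            if [ -z "$min" ] || [ "$left" -lt "$min" ]; then
                min=$left
            fi
            expiry=$(( now + VALID_H ))
        fi
    done
    echo "$min"
}

echo "monthly on the 28th: $(monthly_28th | min_margin_hours) h left at worst"
echo "every 12 hours:      $(twice_daily | min_margin_hours) h left at worst"
```

A certificate issued on 28 January is still 31 days from expiry on 28 March, so the monthly job skips it and the next attempt on 28 April starts as the certificate expires; running the job daily or more often keeps the margin close to 30 days.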
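II. Requesting a wildcard certificate
A wildcard certificate does not require nginx, but the domain's DNS has to be validated. The principle is to write a TXT record into the domain's DNS records.
To automate issuance and renewal, the server running certbot must be able to reach the domain's DNS service. Certbot provides validation plugins for a number of DNS providers outside China. For Alibaba Cloud and Tencent Cloud in China, a third-party validation component can be used, for example: https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au
Download the project source into a directory
```
cd /root
git clone https://github.com/ywdblog/certbot-letencrypt-wildcardcertificates-alydns-au
```
Set the API authorization token
```
cd /root/certbot-letencrypt-wildcardcertificates-alydns-au
nano au.sh
```
Taking Alibaba Cloud as the example, find the ALY_KEY= and ALY_TOKEN= parameters and change them to the key and token you applied for. For how to apply, see the component's instructions on GitHub.
```
ALY_KEY="xxxxxxxxxxx"
ALY_TOKEN="xxxxxxxx"
```
Save and exit.
Request the certificate. For a wildcard certificate, apart from the root domain there can be at most one second-level name, and that second-level label must be *.
```
# Request a wildcard certificate: besides the root domain, only *.xxx.com is allowed; any other second-level name is redundant
certbot certonly --manual --preferred-challenges dns --manual-auth-hook "/root/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python aly add" --manual-cleanup-hook "/root/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python aly clean" --email xxx@xxx.com -d xxx.com -d "*.xxx.com"

# Request a certificate for specific names; several -d options are allowed
certbot certonly --manual --preferred-challenges dns --manual-auth-hook "/root/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python aly add" --manual-cleanup-hook "/root/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python aly clean" --email xxx@xxx.com -d xxx.com -d aa.xxx.com -d bb.xxx.com
```
You need to enter y to confirm partway through; after a short wait the request succeeds.
Automatic renewal
```
nano /etc/crontab
```
Enter the following
```
# min hour day month weekday user command
0 23 28 * * root certbot renew --quiet --manual --preferred-challenges dns --manual-auth-hook "/root/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python aly add" --manual-cleanup-hook "/root/certbot-letencrypt-wildcardcertificates-alydns-au/au.sh python aly clean" --deploy-hook "systemctl restart nginx; systemctl restart strongswan"
```
Save and exit.
```
# crond re-reads /etc/crontab automatically after the file changes, so no reload step is needed.
# Do not load it with "crontab /etc/crontab": that installs the file as root's personal crontab,
# where the user field ("root") is parsed as the command to run.

# View the scheduled tasks
cat /etc/crontab
```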
III. Extras
Configuring the SSL certificate in Nginx
```
nano /etc/nginx/conf.d/default.conf
```
Find the server block for the domain the certificate belongs to and change it to the following settings (adjust to your own needs).
```
# Permanently redirect insecure connections to secure ones
server{
    listen 80;
    server_name www.xxx.com xxx.com *.www.xxx.com;
    # Permanent redirect to the https site
    return 301 https://$server_name$request_uri;
}

server {
    # Enable https with HTTP/2. Enabling HTTP/2 in nginx 1.9.11 triggers a bug that was fixed in 1.9.12.
    listen 443 ssl http2;
    server_name www.xxx.com xxx.com *.www.xxx.com;
    # Tell the browser to use https only during the validity period
    # (browsers ignore this header on plain http responses, so it is set on the https server)
    add_header Strict-Transport-Security max-age=15768000;
    # Tell the browser that this page must not be framed
    add_header X-Frame-Options DENY;
    # Tell the browser not to guess MIME types
    add_header X-Content-Type-Options nosniff;

    root /usr/share/nginx/html/wordpress;
    # Certificate path
    ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
    # Private key path
    ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;
    # Protocols allowed for secure connections
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Allowed cipher suites; order matters, earlier entries have higher priority.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:HIGH:!RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
    # In an SSLv3 or TLSv1 handshake the client's preferred cipher is normally used; with the setting below, the server's preference is used instead.
    ssl_prefer_server_ciphers on;
    # Type and size of the SSL session cache
    ssl_session_cache shared:SSL:10m;
    # Cache lifetime
    ssl_session_timeout 60m;

    # Remaining settings unrelated to the certificate are omitted
}
```
Save the configuration, then reload the Nginx configuration or restart.
```
# Reload the configuration
systemctl reload nginx
# Or restart nginx
systemctl restart nginx
```
At this point the Nginx SSL certificate is configured. Open the site in a browser and https will be in use, with the green padlock icon showing.
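A static check for a server block like the one above, as an added example that is not part of the original article: it flags an HSTS header configured on a plain-HTTP server (browsers only honour it over HTTPS), TLSv1 and TLSv1.1 in ssl_protocols (deprecated by RFC 8996), and RC4 suites listed in ssl_ciphers. The function names and the embedded configuration are constructed for illustration, and the cipher check is a heuristic that only looks for entries not prefixed with ! or -.

```shell
#!/bin/sh
# Added example (not from the article): flag TLS settings worth revisiting in
# nginx server blocks. Reads configuration on stdin, prints one finding per line.
audit_nginx_tls() {
    awk '
    { sub(/#.*/, "") }                  # drop comments
    {
        copy = $0                       # count braces to track block nesting
        opens  = gsub(/[{]/, "", copy)
        closes = gsub(/[}]/, "", copy)
    }
    !in_server && /^[ \t]*server[ \t]*[{]/ {
        in_server = 1; base = depth + 0; tls = 0; hsts_line = 0
    }
    in_server && $1 == "listen" && /[ \t]ssl[ \t;]/ { tls = 1 }
    in_server && $1 == "add_header" && tolower($2) == "strict-transport-security" {
        hsts_line = NR
    }
    in_server && $1 == "ssl_protocols" {
        for (i = 2; i <= NF; i++) {
            p = $i; sub(/;$/, "", p)
            if (p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1")
                print "line " NR ": deprecated protocol " p
        }
    }
    in_server && $1 == "ssl_ciphers" {
        list = $2; sub(/;$/, "", list)
        n = split(list, suite, ":")
        for (i = 1; i <= n; i++)
            if (suite[i] ~ /RC4/ && suite[i] !~ /^[!-]/)
                print "line " NR ": RC4 suite listed: " suite[i]
    }
    {
        depth += opens - closes
        if (in_server && depth == base) {   # closing brace of the server block
            if (hsts_line && !tls)
                print "line " hsts_line ": HSTS header sent over plain HTTP is ignored by browsers"
            in_server = 0
        }
    }
    '
}

# Constructed sample configuration (example.test is a placeholder domain).
sample_conf() {
    cat <<'EOF'
server{
    listen 80;
    server_name www.example.test;
    add_header Strict-Transport-Security max-age=15768000;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    server_name www.example.test;
    location / { try_files $uri =404; }
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-RC4-SHA:!RC4-SHA:!aNULL;
}
EOF
}

sample_conf | audit_nginx_tls
```

To check a real file, feed it on standard input, for example `audit_nginx_tls < /etc/nginx/conf.d/default.conf`.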
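Cleaning up links in pages
If the padlock in the browser carries an exclamation mark, the page references non-https links, and you may need to spend some time fixing them. For the site's own resources, use relative URLs. For external resources, first check whether they support https: if they do, switch to the https URL; if they do not, find an https replacement or save the resource locally and reference it with a relative URL.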
Hello, blogger. I'd like to ask why I keep getting an error whenever I run the command ./letsencrypt-auto certonly --webroot --renew-by-default --email admin@itnmg.net -w /usr/share/nginx/html -d blog.itnmg.net -d itnmg.net -d http://www.itnmg.net
Failed authorization procedure. ceshi.cssnj.com.cn (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for ceshi.cssnj.com.cn
IMPORTANT NOTES:
– The following errors were reported by the server:
Domain: ceshi.cssnj.com.cn
Type: connection
Detail: DNS problem: NXDOMAIN looking up A for ceshi.cssnj.com.cn
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
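For the domain at the end, where is the DNS problem? Please advise, thanks.
certbot certonly --webroot --email 391324323@qq.com -w /usr/share/nginx/html -d ceshi.cssnj.com.cn is how I wrote my command; the domain after -d is the one I configured in nginx.
Your domain name is invalid, so of course it cannot pass validation.
In the nginx configuration, shouldn't the return 301 in the first server be changed to 443? It should match the ssl listening port below.
301 is an http response code, not a port number. It returns a redirect to the https connection.
Really well written, thanks a lot!
So detailed!
Hello blogger, after configuring things the way your article describes, I get a "connection is not private" warning. Why is that? Please take a look! https://www.iwwenbo.com
www.iwwenbo.com uses an invalid security certificate. The certificate is only valid for iwwenbo.com. Error code: SSL_ERROR_BAD_CERT_DOMAIN
The certificate you requested is only valid for the root domain. It does not work once www is added.
This is the upper part; when it gets to Installing Python packages… it hangs for a few minutes and then fails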
Bootstrapping dependencies for RedHat-based OSes…
yum is /usr/bin/yum
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.iweb.ca
* epel: mirrors.kernel.org
* extras: centos.mirror.iweb.ca
* updates: centos.mirror.iweb.ca
Package python-2.7.5-34.el7.x86_64 already installed and latest version
Package python-devel-2.7.5-34.el7.x86_64 already installed and latest version
Package python-virtualenv-1.10.1-2.el7.noarch already installed and latest version
Package python-tools-2.7.5-34.el7.x86_64 already installed and latest version
Package python-pip-7.1.0-1.el7.noarch already installed and latest version
Nothing to do
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.iweb.ca
* epel: mirror.sfo12.us.leaseweb.net
* extras: centos.mirror.iweb.ca
* updates: centos.mirror.iweb.ca
Package gcc-4.8.5-4.el7.x86_64 already installed and latest version
Package dialog-1.2-4.20130523.el7.x86_64 already installed and latest version
Package augeas-libs-1.4.0-2.el7.x86_64 already installed and latest version
Package 1:openssl-1.0.1e-51.el7_2.4.x86_64 already installed and latest version
Package 1:openssl-devel-1.0.1e-51.el7_2.4.x86_64 already installed and latest version
Package libffi-devel-3.0.13-16.el7.x86_64 already installed and latest version
Package redhat-rpm-config-9.1.0-68.el7.centos.noarch already installed and latest version
Package ca-certificates-2015.2.6-70.1.el7_2.noarch already installed and latest version
Nothing to do
Checking for new version…
Creating virtual environment…
Installing Python packages…
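I have the same problem
Same as above: you need to install the CA root certificates.
Hello, I ran into a problem when running ./letsencrypt-auto --help. At the very bottom I upgraded pip, but the version notice still appears. What is the cause? I cloned letsencrypt in the root directory.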
Installing Python packages…
Had a problem while installing Python packages:
Collecting argparse==1.4.0 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 5))
Downloading argparse-1.4.0-py2.py3-none-any.whl
Collecting pycparser==2.14 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 11))
Downloading pycparser-2.14.tar.gz (223kB)
Collecting cffi==1.4.2 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 14))
Downloading cffi-1.4.2.tar.gz (365kB)
Collecting ConfigArgParse==0.10.0 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 31))
Downloading ConfigArgParse-0.10.0.tar.gz
Collecting configobj==5.0.6 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 33))
Downloading configobj-5.0.6.tar.gz
Collecting cryptography==1.2.3 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 35))
Downloading cryptography-1.2.3.tar.gz (373kB)
Collecting enum34==1.1.2 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 57))
Downloading enum34-1.1.2.tar.gz (46kB)
Collecting funcsigs==0.4 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 60))
Downloading funcsigs-0.4-py2.py3-none-any.whl
Collecting idna==2.0 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 63))
Downloading idna-2.0-py2.py3-none-any.whl (61kB)
Collecting ipaddress==1.0.16 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 66))
Downloading ipaddress-1.0.16-py27-none-any.whl
Collecting linecache2==1.0.0 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 69))
Downloading linecache2-1.0.0-py2.py3-none-any.whl
Collecting ndg-httpsclient==0.4.0 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 72))
Downloading ndg_httpsclient-0.4.0.tar.gz
Collecting ordereddict==1.1 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 74))
Downloading ordereddict-1.1.tar.gz
Collecting parsedatetime==2.1 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 76))
Downloading parsedatetime-2.1-py2-none-any.whl
Collecting pbr==1.8.1 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 79))
Downloading pbr-1.8.1-py2.py3-none-any.whl (89kB)
Collecting psutil==3.3.0 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 82))
Downloading psutil-3.3.0.tar.gz (261kB)
Collecting pyasn1==0.1.9 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 104))
Downloading pyasn1-0.1.9-py2.py3-none-any.whl
Collecting pyOpenSSL==0.15.1 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 116))
Downloading pyOpenSSL-0.15.1-py2.py3-none-any.whl (102kB)
Collecting pyRFC3339==1.0 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 119))
Downloading pyRFC3339-1.0-py2.py3-none-any.whl
Collecting python-augeas==0.5.0 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 122))
Downloading python-augeas-0.5.0.tar.gz (90kB)
Collecting python2-pythondialog==3.3.0 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 124))
Downloading python2-pythondialog-3.3.0.tar.bz2 (1.8MB)
Collecting pytz==2015.7 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 127))
Downloading pytz-2015.7-py2.py3-none-any.whl (476kB)
Collecting requests==2.9.1 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 141))
Downloading requests-2.9.1-py2.py3-none-any.whl (501kB)
Collecting six==1.10.0 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 144))
Downloading six-1.10.0-py2.py3-none-any.whl
Collecting traceback2==1.4.0 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 147))
Downloading traceback2-1.4.0-py2.py3-none-any.whl
Collecting unittest2==1.1.0 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 150))
Downloading unittest2-1.1.0-py2.py3-none-any.whl (96kB)
Collecting zope.component==4.2.2 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 153))
Downloading zope.component-4.2.2.tar.gz (546kB)
Collecting zope.event==4.1.0 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 155))
Downloading zope.event-4.1.0.tar.gz (476kB)
Collecting zope.interface==4.1.3 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 157))
Downloading zope.interface-4.1.3.tar.gz (141kB)
Collecting mock==1.0.1 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 175))
Downloading mock-1.0.1.zip (861kB)
Collecting acme==0.5.0 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 181))
Downloading acme-0.5.0-py2.py3-none-any.whl (91kB)
Collecting letsencrypt==0.5.0 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 184))
Downloading letsencrypt-0.5.0-py2-none-any.whl (208kB)
Collecting letsencrypt-apache==0.5.0 (from -r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 187))
Downloading letsencrypt_apache-0.5.0-py2-none-any.whl (100kB)
Requirement already satisfied (use –upgrade to upgrade): setuptools>=1.0 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography==1.2.3->-r /tmp/tmp.q0RJfFNDgB/letsencrypt-auto-requirements.txt (line 35))
Installing collected packages: argparse, pycparser, cffi, ConfigArgParse, six, configobj, idna, pyasn1, enum34, ipaddress, cryptography, funcsigs, linecache2, pyOpenSSL, ndg-httpsclient, ordereddict, parsedatetime, pbr, psutil, pytz, pyRFC3339, python-augeas, python2-pythondialog, requests, traceback2, unittest2, zope.interface, zope.event, zope.component, mock, acme, letsencrypt, letsencrypt-apache
Running setup.py install for pycparser: started
Running setup.py install for pycparser: finished with status ‘done’
Running setup.py install for cffi: started
Running setup.py install for cffi: finished with status ‘done’
Running setup.py install for ConfigArgParse: started
Running setup.py install for ConfigArgParse: finished with status ‘done’
Running setup.py install for configobj: started
Running setup.py install for configobj: finished with status ‘done’
Running setup.py install for enum34: started
Running setup.py install for enum34: finished with status ‘done’
Running setup.py install for cryptography: started
Running setup.py install for cryptography: still running…
Running setup.py install for cryptography: finished with status ‘error’
Complete output from command /root/.local/share/letsencrypt/bin/python2.7 -u -c “import setuptools, tokenize;__file__=’/tmp/pip-build-uYHFZD/cryptography/setup.py’;exec(compile(getattr(tokenize, ‘open’, open)(__file__).read().replace(‘rn’, ‘n’), __file__, ‘exec’))” install –record /tmp/pip-mldWY_-record/install-record.txt –single-version-externally-managed –compile –install-headers /root/.local/share/letsencrypt/include/site/python2.7/cryptography:
running install
running build
running build_py
creating build
creating build/lib.linux-x86_64-2.7
creating build/lib.linux-x86_64-2.7/cryptography
copying src/cryptography/__init__.py -> build/lib.linux-x86_64-2.7/cryptography
copying src/cryptography/__about__.py -> build/lib.linux-x86_64-2.7/cryptography
copying src/cryptography/fernet.py -> build/lib.linux-x86_64-2.7/cryptography
copying src/cryptography/exceptions.py -> build/lib.linux-x86_64-2.7/cryptography
copying src/cryptography/utils.py -> build/lib.linux-x86_64-2.7/cryptography
creating build/lib.linux-x86_64-2.7/cryptography/x509
copying src/cryptography/x509/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/x509
copying src/cryptography/x509/name.py -> build/lib.linux-x86_64-2.7/cryptography/x509
copying src/cryptography/x509/general_name.py -> build/lib.linux-x86_64-2.7/cryptography/x509
copying src/cryptography/x509/base.py -> build/lib.linux-x86_64-2.7/cryptography/x509
copying src/cryptography/x509/extensions.py -> build/lib.linux-x86_64-2.7/cryptography/x509
copying src/cryptography/x509/oid.py -> build/lib.linux-x86_64-2.7/cryptography/x509
creating build/lib.linux-x86_64-2.7/cryptography/hazmat
copying src/cryptography/hazmat/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/backends
copying src/cryptography/hazmat/backends/multibackend.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends
copying src/cryptography/hazmat/backends/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends
copying src/cryptography/hazmat/backends/interfaces.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/keywrap.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/cmac.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/hashes.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/constant_time.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/hmac.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/serialization.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
copying src/cryptography/hazmat/primitives/padding.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings
copying src/cryptography/hazmat/bindings/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/ciphers.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/cmac.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/hashes.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/x509.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/dsa.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/hmac.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/ec.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/backend.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/rsa.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
copying src/cryptography/hazmat/backends/openssl/utils.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/openssl
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
copying src/cryptography/hazmat/backends/commoncrypto/ciphers.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
copying src/cryptography/hazmat/backends/commoncrypto/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
copying src/cryptography/hazmat/backends/commoncrypto/hashes.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
copying src/cryptography/hazmat/backends/commoncrypto/hmac.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
copying src/cryptography/hazmat/backends/commoncrypto/backend.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/backends/commoncrypto
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
copying src/cryptography/hazmat/primitives/twofactor/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
copying src/cryptography/hazmat/primitives/twofactor/totp.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
copying src/cryptography/hazmat/primitives/twofactor/utils.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
copying src/cryptography/hazmat/primitives/twofactor/hotp.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/twofactor
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
copying src/cryptography/hazmat/primitives/asymmetric/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
copying src/cryptography/hazmat/primitives/asymmetric/dsa.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
copying src/cryptography/hazmat/primitives/asymmetric/dh.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
copying src/cryptography/hazmat/primitives/asymmetric/ec.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
copying src/cryptography/hazmat/primitives/asymmetric/padding.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
copying src/cryptography/hazmat/primitives/asymmetric/rsa.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
copying src/cryptography/hazmat/primitives/asymmetric/utils.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/asymmetric
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
copying src/cryptography/hazmat/primitives/kdf/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
copying src/cryptography/hazmat/primitives/kdf/x963kdf.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
copying src/cryptography/hazmat/primitives/kdf/concatkdf.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
copying src/cryptography/hazmat/primitives/kdf/hkdf.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
copying src/cryptography/hazmat/primitives/kdf/pbkdf2.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/kdf
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
copying src/cryptography/hazmat/primitives/ciphers/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
copying src/cryptography/hazmat/primitives/ciphers/algorithms.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
copying src/cryptography/hazmat/primitives/ciphers/modes.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
copying src/cryptography/hazmat/primitives/ciphers/base.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/ciphers
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/interfaces
copying src/cryptography/hazmat/primitives/interfaces/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/primitives/interfaces
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/openssl
copying src/cryptography/hazmat/bindings/openssl/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/openssl
copying src/cryptography/hazmat/bindings/openssl/_conditional.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/openssl
copying src/cryptography/hazmat/bindings/openssl/binding.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/openssl
creating build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/commoncrypto
copying src/cryptography/hazmat/bindings/commoncrypto/__init__.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/commoncrypto
copying src/cryptography/hazmat/bindings/commoncrypto/binding.py -> build/lib.linux-x86_64-2.7/cryptography/hazmat/bindings/commoncrypto
running egg_info
writing requirements to src/cryptography.egg-info/requires.txt
writing src/cryptography.egg-info/PKG-INFO
writing top-level names to src/cryptography.egg-info/top_level.txt
writing dependency_links to src/cryptography.egg-info/dependency_links.txt
writing entry points to src/cryptography.egg-info/entry_points.txt
warning: manifest_maker: standard file ‘-c’ not found
reading manifest file ‘src/cryptography.egg-info/SOURCES.txt’
reading manifest template ‘MANIFEST.in’
no previously-included directories found matching ‘docs/_build’
warning: no previously-included files matching ‘*’ found under directory ‘vectors’
writing manifest file ‘src/cryptography.egg-info/SOURCES.txt’
running build_ext
generating cffi module ‘build/temp.linux-x86_64-2.7/_padding.c’
creating build/temp.linux-x86_64-2.7
generating cffi module ‘build/temp.linux-x86_64-2.7/_constant_time.c’
generating cffi module ‘build/temp.linux-x86_64-2.7/_openssl.c’
building ‘_openssl’ extension
creating build/temp.linux-x86_64-2.7/build
creating build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7
gcc -pthread -fno-strict-aliasing -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong –param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong –param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -fPIC -I/usr/include/python2.7 -c build/temp.linux-x86_64-2.7/_openssl.c -o build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7/_openssl.o
{standard input}: Assembler messages:
{standard input}:107153: Warning: partial line at end of file ignored
{standard input}: Error: open CFI at the end of file; missing .cfi_endproc directive
gcc: internal compiler error: Killed (program cc1)
Please submit a full bug report,
with preprocessed source if appropriate.
See for instructions.
error: command ‘gcc’ failed with exit status 4
—————————————-
Command “/root/.local/share/letsencrypt/bin/python2.7 -u -c “import setuptools, tokenize;__file__=’/tmp/pip-build-uYHFZD/cryptography/setup.py’;exec(compile(getattr(tokenize, ‘open’, open)(__file__).read().replace(‘rn’, ‘n’), __file__, ‘exec’))” install –record /tmp/pip-mldWY_-record/install-record.txt –single-version-externally-managed –compile –install-headers /root/.local/share/letsencrypt/include/site/python2.7/cryptography” failed with error code 1 in /tmp/pip-build-uYHFZD/cryptography
You are using pip version 8.0.3, however version 8.1.1 is available.
You should consider upgrading via the ‘pip install –upgrade pip’ command.
Check whether there is enough memory during the update. Stop the memory-hungry services first, then update.