UPD<\/b>
\nВышло обновление openssl-1.0.2k и даное руководство больше не актуально.<\/b>
\n_____________________________________________________________________<\/p>\n
Решил включить HTTP\/2.0 в Nginx. В процессе тестирование, при прохождении теста<\/a> выяснилось, что не активно ALPN<\/a> (Application-Layer Protocol Negotiation).<\/p>\n Для полноценной работы HTTP\/2.0, Nginx должен быть собран с OpenSSL<\/a> версии не ниже чем 1.0.2. В репах CentOS есть только OpenSSL версии 1.0.1. Так что ничего патчить не нужно, а просто собираем openssl<\/a> из FC23. Дополнительно потребуется пересобрать еще один пакет из FC23 crypto-policies<\/a>.<\/p>\n Устанавливаем получившиеся crypto-policies<\/a>, openssl<\/a>, openssl-libs<\/a> , nginx<\/a>.<\/p>\n",
"date_published": "2017-07-12T12:03:18+03:00",
"date_modified": "2017-10-19T18:05:37+03:00",
"_date_published_rfc2822": "Wed, 12 Jul 2017 12:03:18 +0300",
"_rss_guid_is_permalink": "true",
"_rss_guid": "https:\/\/aschernyshev.ru\/all\/http-2-0-v-nginx-na-centos-7\/",
"_e2_data": {
"is_favourite": false,
"links_required": [
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css"
],
"og_images": []
}
},
{
"id": "15",
"url": "https:\/\/aschernyshev.ru\/all\/poluchaem-ssl-sertifikat-lets-encrypt\/",
"title": "Получаем SSL сертификат Let’s Encrypt.",
"content_html": " В конфигурационном файле хоста, секцию server<\/b>, include-ом добавляем конфиг.<\/p>\n Изменяем группу и выставляем права.<\/p>\n Получаем сертификат.<\/p>\n Сертификат действует 90 дней<\/b>, после чего его необходимо продлить. Для автоматизации этой процедуры создаем systemd.service<\/b> и systemd.timer<\/b>.<\/p>\n Timer будет запускать основной сервис ежедневно в 12<\/b> и 00<\/b> часов.<\/p>\n Активируем timer.<\/p>\n
\nРешить эту проблему можно двумя способами: собрать Nginx с флагом —with-openssl<\/a> или собрать OpenSSL 1.0.2 для CentOS.
\nПервый вариант у меня не взлетел, сборка пакета завершалась неудачно, поэтому я остановился на втором варианте.
\nВ интернет нашел сайт<\/a>, где автор предлагает пачтить сорцы OpenSSL, но недавно в CentOS прилетело обновление glibc-2.17.<\/p>\nrpm -qa | grep glibc\r\nglibc-common-2.17-157.el7_3.4.x86_64\r\nglibc-2.17-157.el7_3.4.x86_64\r\nglibc-devel-2.17-157.el7_3.4.x86_64\r\nglibc-headers-2.17-157.el7_3.4.x86_64<\/code><\/pre>readelf -s \/usr\/lib64\/libc.so.6 | grep secure_getenv<\/code><\/pre>614: 0000000000038950 27 FUNC WEAK DEFAULT 12 __libc_secure_getenv@@GLIBC_PRIVATE\r\n857: 0000000000038950 27 FUNC WEAK DEFAULT 12 __secure_getenv@GLIBC_2.2.5\r\n1715: 0000000000038950 27 FUNC WEAK DEFAULT 12 secure_getenv@@GLIBC_2.17\r\n5228: 0000000000038950 27 FUNC LOCAL DEFAULT 12 __GI___libc_secure_getenv\r\n6506: 0000000000038950 27 FUNC WEAK DEFAULT 12 __secure_getenv@GLIBC_2.2\r\n6529: 0000000000038950 27 FUNC WEAK DEFAULT 12 secure_getenv\r\n6918: 0000000000038950 27 FUNC WEAK DEFAULT 12 __libc_secure_getenv<\/code><\/pre>yum install epel-release && yum update && yum install mock<\/code><\/pre>mkdir -p ~\/rpmbuild\/{SPECS,SOURCES,SRPMS}<\/code><\/pre>wget http:\/\/nginx.org\/packages\/centos\/7\/SRPMS\/nginx-1.12.1-1.el7.ngx.src.rpm<\/code><\/pre>rpm -ivh ~\/nginx-1.12.1-1.el7.ngx.src.rpm<\/code><\/pre>grep 'Requires: openssl >= 1.0.1' -P -R -I -l ~\/rpmbuild\/SPECS\/nginx.spec | xargs sed -i 's\/Requires: openssl >= 1.0.1\/Requires: openssl >= 1.0.2\/g'<\/code><\/pre>grep 'BuildRequires: openssl-devel >= 1.0.1' -P -R -I -l ~\/rpmbuild\/SPECS\/nginx.spec | xargs sed -i 's\/BuildRequires: openssl-devel >= 1.0.1\/BuildRequires: openssl-devel >= 1.0.2\/g'<\/code><\/pre>grep 'define main_release 1' -P -R -I -l ~\/rpmbuild\/SPECS\/nginx.spec | xargs sed -i 's\/define main_release 1\/define main_release 2\/g'<\/code><\/pre>grep '%changelog' -P -R -I -l \/root\/rpmbuild\/SPECS\/nginx.spec | xargs sed -i 's\/%changelog\/%changelog\\n* Wed Jul 12 2017 Aleksandr Chernyshev <mail@aschernyshev.ru>\\n- 1.12.1 \\n- Rebuild with openssl-1.0.2d\\n\/g'<\/code><\/pre>\/usr\/bin\/mock -r epel-7-x86_64 --spec=~\/rpmbuild\/SPECS\/nginx.spec --sources=~\/rpmbuild\/SOURCES\/ --resultdir=~\/rpmbuild\/SRPMS\/ --no-clean --buildsrpm<\/code><\/pre>wget https:\/\/aschernyshev.ru\/repository\/rhel\/7\/noarch\/crypto-policies-20150518-3.gitffe885e.el7.centos.noarch.rpm\r\nwget https:\/\/aschernyshev.ru\/repository\/rhel\/7\/x86_64\/openssl-libs-1.0.2d-2.el7.centos.x86_64.rpm\r\nwget https:\/\/aschernyshev.ru\/repository\/rhel\/7\/x86_64\/openssl-1.0.2d-2.el7.centos.x86_64.rpm\r\nwget https:\/\/aschernyshev.ru\/repository\/rhel\/7\/x86_64\/openssl-devel-1.0.2d-2.el7.centos.x86_64.rpm<\/code><\/pre>\/usr\/bin\/mock -r epel-7-x86_64 --init\r\n\/usr\/bin\/mock -r epel-7-x86_64 --install ~\/crypto-policies-20150518-3.gitffe885e.el7.centos.noarch.rpm\r\n\/usr\/bin\/mock -r epel-7-x86_64 --install ~\/openssl-libs-1.0.2d-2.el7.centos.x86_64.rpm\r\n\/usr\/bin\/mock -r epel-7-x86_64 --install ~\/openssl-1.0.2d-2.el7.centos.x86_64.rpm\r\n\/usr\/bin\/mock -r epel-7-x86_64 --install ~\/openssl-devel-1.0.2d-2.el7.centos.x86_64.rpm\r\n\/usr\/bin\/mock -r epel-7-x86_64 --no-clean ~\/rpmbuild\/SRPMS\/nginx-1.12.1-2.el7.centos.ngx.src.rpm<\/code><\/pre>sudo yum install epel-release\r\nsudo yum install certbot<\/code><\/pre>vi \/etc\/nginx\/letsencrypt.conf<\/code><\/pre>location ^~ \/.well-known\/acme-challenge {\r\n alias \/var\/lib\/letsencrypt\/.well-known\/acme-challenge;\r\n default_type "text\/plain";\r\n try_files $uri =404;\r\n}<\/code><\/pre>vi \/etc\/nginx\/conf.d\/$HOST.conf<\/code><\/pre>server {\r\n ...\r\n\r\n include letsencrypt.conf;\r\n}<\/code><\/pre>chgrp nginx \/var\/lib\/letsencrypt && chmod g+s \/var\/lib\/letsencrypt<\/code><\/pre>certbot certonly --webroot --email mail@example.com -w \/var\/lib\/letsencrypt -d example.com -d www.example.com<\/code><\/pre>\/etc\/systemd\/system\/certbot.service<\/code><\/pre>[Unit]\r\nDescription=Renew Certbot certificate (nginx)\r\nAfter=network-online.target\r\n\r\n[Service]\r\nType=oneshot\r\nExecStart=\/usr\/bin\/certbot renew --renew-hook "\/usr\/bin\/systemctl reload nginx.service"<\/code><\/pre>\/etc\/systemd\/system\/certbot.timer<\/code><\/pre>[Unit]\r\nDescription=Daily renewal of Let's Encrypt's certificates\r\n\r\n[Timer]\r\nOnCalendar=*-*-* 00,12:00:00\r\nPersistent=true\r\n\r\n[Install]\r\nWantedBy=timers.target<\/code><\/pre>sudo systemctl daemon-reload\r\nsystemctl start certbot.timer\r\nsystemctl enable certbot.timer<\/code><\/pre>",
"date_published": "2016-11-05T16:35:21+03:00",
"date_modified": "2016-10-12T10:53:54+03:00",
"_date_published_rfc2822": "Sat, 05 Nov 2016 16:35:21 +0300",
"_rss_guid_is_permalink": "true",
"_rss_guid": "https:\/\/aschernyshev.ru\/all\/poluchaem-ssl-sertifikat-lets-encrypt\/",
"_e2_data": {
"is_favourite": false,
"links_required": [
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css",
"system\/library\/highlight\/highlight.js",
"system\/library\/highlight\/highlight.css"
],
"og_images": []
}
}
],
"_e2_version": 3576,
"_e2_ua_string": "E2 (v3576; Aegea)"
}