关于使用 certbot 给网站增加 ssl

yum -y install yum-utils
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
yum install certbot python2-certbot-nginx

然后关闭 nginx

certbot --nginx

最后，systemctl restart nginx 

增加自动更新证书

echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew" | sudo tee -a /etc/crontab > /dev/null

===============================================================

方法2：

获取代码

git clone https://github.com/letsencrypt/letsencrypt

执行

cd letsencrypt
./certbot-auto certonly -d domain.com --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

--preferred-challenges：以dns域名验证该域名是你的，所以中间会产生一个主机和值，需要配置一条 TXT 类型的域名验证
-d 后面是生成的域名， 可以用类似 *.domain.com 包括泛域名

执行自动续费 

crontab -e
0 */12 * * * certbot renew --quiet --renew-hook "systemctl reload nginx"

更改 nginx

        listen       443 ssl;
        listen       [::]:443 ssl ipv6only=on;
        ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

    server {
        if ($host = domain.com) {
            return 301 https://$host$request_uri;
        }

        listen 80;
        listen [::]:80;
        server_name domain.com;
        return 404;
        }