Let's Encrypt 安装配置教程，免费的 SSL 证书

摘要：官网安装安装非常简单直接克隆就可以了生成通配符证书期间需要根据提示设置记录用作你对判断你是否拥有域名使用权其中换成你的一级域名即可参数说明表示安装模式，有安装模式和验证模式两种类型的插件。

官网：https://letsencrypt.org/

安装非常简单直接克隆就可以了

git clone https://github.com/letsencrypt/letsencrypt

期间需要根据提示设置DNS TXT记录,用作你对判断你是否拥有域名使用权

 cd letsencrypt
./certbot-auto certonly  -d *.you.cn --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

其中"you.cn"换成你的一级域名即可

Dependency Installed:
  dwz.x86_64 0:0.11-3.el7             perl-srpm-macros.noarch 0:1-8.el7             tcl.x86_64 1:8.5.13-8.el7             tix.x86_64 1:8.4.3-12.el7             tk.x86_64 1:8.5.13-6.el7             tkinter.x86_64 0:2.7.5-69.el7_5            

Complete!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter "c" to
cancel): 123@163.com

接下来需要输入些指令

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let"s Encrypt project and the non-profit
organization that develops Certbot? We"d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for kuaichuangkeji.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you"re running certbot in manual mode on a machine that is not
your server, please ensure you"re okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

这里有几个需交互的提示

是否同意 Let"s Encrypt 协议要求=>需要同意

是否分享你的邮箱

询问是否对域名和机器（IP）进行绑定=>需要同意

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.you.cn with the following value:

RYtObhDvEcXewZckknNQkBKIkvwIlbb4PNRel74LNwU

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

要求配置 DNS TXT 记录，从而校验域名所有权，也就是判断证书申请者是否有域名的所有权。

上面输出要求给 _acme-challenge.you.cn 配置一条 TXT 记录，在没有确认 TXT 记录生效之前不要回车执行。

我用的是阿里云的域名服务器，控制台具体操作如下图所示：

确认生效后，回车执行，输出如下

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/you.cn/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/you.cn/privkey.pem
   Your cert will expire on 2019-02-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let"s Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

看到这个界面内容的话，恭喜你，证书安装成功了。

注:证书在到期前30天才会续签成功,但为了确保证书在运行过程中不过期,官方建议每天自动执行续签两次;
使用crontab自动续期

crontab -e // 编辑定时任务
0 */12 * * * certbot renew --quiet --renew-hook "/etc/init.d/nginx reload"

需要注意"/etc/init.d/nginx reload"为nginx重启命令，需要根据自己服务器的重启命令重启即可；这里建议使用reload，不推荐使用restart，因为这样万一配错了，也不会影响服务器其他项目的运行

/etc/letsencrypt/live/you.cn/fullchain.pem
/etc/letsencrypt/live/you.cn/privkey.pem

证书生成完成后可以到 /etc/letsencrypt/live/ 目录下查看对应域名的证书文件。编辑 nginx 配置文件监听 443 端口，启用 SSL，并配置 SSL 的公钥、私钥证书路径：

server {
   listen   443 ssl;
   server_name  you.cn;
   root /home/www/you;
   index  index.html index.htm index.php;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/you.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/you.cn/privkey.pem;
    ...
}

server {
    listen 80;
    server_name you.cn;
    location / {
        rewrite ^(.*)$  https://$host$1 permanent;
    }
}

配置好nginx后，重启nginx

证书安装成功后，该域名下的所有二级域名都可以使用噢

可以使用一下命令取消刚刚生成的密匙，也就是以上的反操作：

certbot revoke --cert-path /etc/letsencrypt/live/you.cn/cert.pem
certbot delete --cert-name you.cn

参考的网址有

https://sanonz.github.io/2017..."s-encrypt-free-ssl-https/

https://www.jianshu.com/p/c5c...

https://segmentfault.com/a/11...

https://www.jianshu.com/p/e32...

https://segmentfault.com/a/11...

https://segmentfault.com/a/11...

https://wp.wt629.com/archives...

https://www.yiichina.com/tuto...