Configuring HTTPS with Let's Encrypt + nginx

wget https://dl.eff.org/certbot-auto   # download the certbot-auto client

chmod a+x certbot-auto

mv certbot-auto /usr/local/bin/   # move it to this directory so it can be called globally: sudo certbot-auto [options]

certbot-auto   # install the dependencies and set things up



Generate the certificate

certbot-auto certonly --webroot -w <site root directory> -d <site domain>

The following output indicates success:

- Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/xxx.com/fullchain.pem. Your cert
   will expire on 2018-11-15. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Configure nginx

server {
    listen 443 ssl;
    server_name xxx.com;
    root /var/www/html/af/web;
    index index.php;
    ssl_certificate      /etc/letsencrypt/live/af.opfansu.top/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/af.opfansu.top/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/af.opfansu.top/chain.pem;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        index index.php;
    }
    # PHP handling
    location ~ \.php {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_split_path_info ^(.+\.php)(.*)$;     # add this line
        fastcgi_param PATH_INFO $fastcgi_path_info;  # add this line
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

}

Listen on port 80 and redirect to https

server {
    listen       80;
    server_name  af.opfansu.top;
    root         /var/www/html/af/web;
    index        index.php;
   

    location / {

       rewrite ^(.*) https://$server_name$1 permanent;
    }

}
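
A hardened variant of the two server blocks above, as an added example that is not part of the original post. It assumes nginx 1.13.0+ built against OpenSSL 1.1.1+; xxx.com stands in for the real domain, and the explicit cipher list, session settings, HSTS header and ACME location are choices made for this example.

```nginx
# Added example (not the original post's config); xxx.com is a placeholder.
server {
    listen 443 ssl;
    server_name xxx.com;
    root /var/www/html/af/web;
    index index.php;

    ssl_certificate     /etc/letsencrypt/live/xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;

    # Original: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996). Remove TLSv1.3 here if the
    # nginx/OpenSSL build is too old to accept it.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Original list used the ECDHE:ECDH:AES:HIGH aliases, which also admit
    # CBC-mode and static-RSA suites. Name ECDHE + AEAD suites explicitly.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Browsers that have seen this header refuse plain HTTP for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # PHP handling, unchanged from the post
    location ~ \.php {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_param  PATH_INFO $fastcgi_path_info;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

server {
    listen 80;
    server_name xxx.com;

    # Serve the HTTP-01 challenge files that --webroot writes directly, so
    # issuance and renewal do not depend on the HTTPS vhost already working.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html/af/web;
        default_type text/plain;
    }
    location / { return 301 https://$server_name$request_uri; }
}
```

Run nginx -t before reloading to confirm the build accepts these directives.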

PS: if restarting nginx fails with nginx:[emerg]unknown directive "ssl", nginx was built without the SSL module and has to be recompiled.

Compiling nginx with SSL

The free certificate expires after 90 days

Manual renewal

certbot-auto renew --agree-tos --dry-run   # --agree-tos agrees by default; --dry-run simulates the renewal; remove --dry-run for a real renewal

Automatic renewal

crontab -e

0 0 1 * * /usr/local/bin/certbot-auto renew --renew-hook "service nginx reload"

Revoking the certificate

# revoke the certificate
certbot-auto revoke --cert-path /etc/letsencrypt/live/XXX.com/cert.pem

# delete the certificate
certbot-auto delete --cert-name xxx.com

Reposted from blog.csdn.net/qazx123q/article/details/82346221