CentOS 7 wildcard HTTPS certificate request: hands-on notes

Time: 2023-03-09 19:17:53

Environment:

Free wildcard HTTPS certificate site:

https://letsencrypt.org/

1. Download the certificate request tool

[root@centos ~]# mkdir /opt/letsencrypt -p

[root@centos ~]# cd /opt/letsencrypt

[root@centos ~]# wget https://dl.eff.org/certbot-auto

[root@centos ~]# chmod u+x certbot-auto

2. Request the certificate (note the domain supplied: *.domain.com)

[root@centos ~]# ./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns-01 certonly -d "*.domain.com"

Several dependency packages are downloaded first; once that finishes, answer the prompts as shown below.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): user@mail.com

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for jooylife.cn

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.domain.com with the following value:

GcOWiMJRp7DjbG0m855SU1dWxwgL16zDiqQjOJwKNdY

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

Stop here for now and do not continue: first go to the DNS hosting platform and add the DNS TXT record.

DNS record settings

Record type: TXT
Host record: _acme-challenge.domain.com
Routing line:
Record value: GcOWiMJRp7DjbG0m855SU1dWxwgL16zDiqQjOJwKNdY
TTL: 10 minutes

After saving the record, confirm that it has propagated (the dig command requires bind-utils)

[root@centos ~]# yum install bind-utils -y
[root@centos ~]# dig _acme-challenge.domain.com txt

If the value is returned, the record is set up correctly.
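As an added example (not from the original post), a small shell helper that checks the dig output for the expected challenge value and polls until it is visible, so Enter is pressed in certbot only once the record is live. It assumes bind-utils (dig) is installed; the public resolver 1.1.1.1 and the function names are assumptions. It also handles an old TXT value still being published next to the new one, and a CNAME at the challenge name.

```shell
#!/bin/bash
# Added example, not part of the original post: confirm the _acme-challenge
# TXT record is visible on public DNS before pressing Enter in certbot.
# Assumes dig (bind-utils) is installed; resolver 1.1.1.1 is an assumption.

# Extract the TXT values from `dig +short TXT` output.  Each answer line is a
# quoted string; a CNAME target line (unquoted) is ignored, and a long value
# split into several quoted chunks ("abc" "def") is joined back together.
txt_values() {
  # $1: text captured from dig +short (may contain several lines)
  printf '%s\n' "$1" | sed -n 's/^"\(.*\)"$/\1/p' | sed 's/" "//g'
}

# Return 0 if the expected challenge value is one of the published records.
# An old value still published next to the new one does not matter, because
# every record is compared on its own, as an exact full-line match.
has_txt_value() {
  # $1: dig output, $2: expected challenge value
  txt_values "$1" | grep -qxF -- "$2"
}

# Poll public DNS until the record shows the expected value or we give up.
wait_for_acme_txt() {
  local name="$1" value="$2" tries="${3:-30}" i=1 out
  while [ "$i" -le "$tries" ]; do
    out=$(dig +short TXT "$name" @1.1.1.1 2>/dev/null)
    if has_txt_value "$out" "$value"; then
      echo "TXT record for $name is live; safe to press Enter in certbot"
      return 0
    fi
    echo "attempt $i/$tries: value not visible yet, waiting 20s"
    sleep 20
    i=$((i + 1))
  done
  echo "gave up: $name does not show the expected value" >&2
  return 1
}

# Usage: ./check-acme-txt.sh _acme-challenge.domain.com <challenge value>
if [ -n "${1:-}" ]; then
  wait_for_acme_txt "$1" "$2"
fi
```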

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

Press Enter to continue generating the certificate

View certificate information

[root@centos ~]# cd /opt/letsencrypt

[root@centos ~]# ./certbot-auto certificates

View the generated certificate files

[root@centos ~]# ll /etc/letsencrypt/live/domain.com

View certificate renewal and expiry information

[root@centos ~]# cat /etc/letsencrypt/renewal/domain.com.conf

Copy the certificates to the target directory

[root@centos ~]# mkdir /data/ssl -p

[root@centos ~]# cp /etc/letsencrypt/live/domain.com/fullchain.pem /data/ssl

[root@centos ~]# cp /etc/letsencrypt/live/domain.com/privkey.pem /data/ssl

[root@centos ~]# chown www:www /data/ssl/fullchain.pem

[root@centos ~]# chown www:www /data/ssl/privkey.pem

Configure NGINX so the site uses the HTTPS certificate

[root@centos ~]# cd /opt/nginx/conf/vhosts/

[root@centos ~]# vim www.domain.com.conf

server {
    server_name www.domain.com;
    # "ssl" on the listen directive replaces the deprecated "ssl on;" directive
    listen 443 ssl;
    ssl_certificate /data/ssl/fullchain.pem;
    ssl_certificate_key /data/ssl/privkey.pem;

    location / {
      proxy_pass http://www.baidu.com;
    }
}

Manual certificate renewal (renewal is only possible within 30 days of expiry)

[root@centos ~]# cd /opt/letsencrypt

[root@centos ~]# ./certbot-auto renew

Configure automatic certificate renewal

[root@centos ~]# cd /opt/letsencrypt

[root@centos ~]# vim renew-hook.sh

#!/bin/bash
# Renew hook: install the renewed certificate into /data/ssl and restart nginx.
# Stop at the first failed step so nginx is not restarted with missing files.
set -e

mv /data/ssl/fullchain.pem /data/ssl/fullchain.pem.old
mv /data/ssl/privkey.pem /data/ssl/privkey.pem.old
cp /etc/letsencrypt/live/domain.com/fullchain.pem /data/ssl
cp /etc/letsencrypt/live/domain.com/privkey.pem /data/ssl
chown www:www /data/ssl/fullchain.pem
chown www:www /data/ssl/privkey.pem
systemctl restart nginx
echo "At $(date +%D) $(date +%T) Finish renew https certs && restart nginx."

Save the file.

[root@centos ~]# chmod +x renew-hook.sh

[root@centos ~]# crontab -e

# Runs the renewal for all domains at 03:00 on the 1st of every month
00 03 01 * * /opt/letsencrypt/certbot-auto renew --renew-hook "/opt/letsencrypt/renew-hook.sh" 1>>/data/crond/ntpdate.log 2>&1

*********************************************************************************************************************************************

# Run a renewal once at 05:00 on the 1st of every month, then restart the nginx server
00 05 01 * * /opt/letsencrypt/certbot-auto renew --quiet && systemctl restart nginx

#!/bin/sh
# Renewal notes: with renew alone, certbot first checks whether the certificate needs renewing; it only renews when expiry is about three days to a couple of weeks away, otherwise it reports that no renewal is needed. (I renewed the certificate yesterday; running renew directly today reported that renewal was not allowed.)
# For easier testing, add the --force-renewal parameter, which forces an immediate renewal (there still seems to be a check, just with a shorter window: having just renewed, running it again straight away errors out and reports that no renewal is needed).
./certbot-auto renew --force-renewal

*********************************************************************************************************************************************

HTTPS assessment sites:

https://www.ssllabs.com/ssltest/

https://www.upyun.com/https