Nginx + certbot: free HTTPS certificates
1. Install Certbot
$ sudo apt install certbot python3-certbot-nginx
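2. Generate the certificate (replace the placeholder 子域名.主域名.cn, i.e. subdomain.domain.cn, with your own domain)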
$ sudo certbot --nginx -d 子域名.主域名.cn --agree-tos -n --email wsw@qq.com
The SSL certificates are stored under /etc/letsencrypt/live.
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/子域名.主域名.cn/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/子域名.主域名.cn/privkey.pem
   Your cert will expire on 2018-09-29. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
The files related to the HTTPS certificate are in the **/etc/letsencrypt/** directory:
$ find /etc/letsencrypt/ -name "*子域名.主域名.cn*"
/etc/letsencrypt/renewal/子域名.主域名.cn.conf
/etc/letsencrypt/archive/子域名.主域名.cn
/etc/letsencrypt/live/子域名.主域名.cn
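certbot automatically modifies the nginx configuration file (你的域名.conf stands for your own domain's .conf file):
$ cat /etc/nginx/conf.d/你的域名.conf
server {
    listen 80;
    server_name 子域名.主域名.cn;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/子域名.主域名.cn/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/子域名.主域名.cn/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
With the two steps above, the Nginx configuration is written directly into the existing configuration file.
The certificate expires after three months, but it can be renewed indefinitely: request it again with the command above, or renew it manually or automatically.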
2.2. Generate the certificate only (certbot does not modify the Nginx configuration)
$ sudo certbot certonly --nginx
3. Manual renewal
$ sudo certbot renew --force-renew
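4. Automatic renewal
Open the crontab and add the entry below, which runs at 03:00 on the 1st of every month:
$ crontab -e
0 3 1 * * certbot renew --force-renew
5. Restart nginx (reload the configuration):
$ sudo nginx -s reload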
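An added example, not part of the original page: a POSIX shell check that flags certificates under a certbot-style live directory which expire within a threshold, so that a renewal cron job that fails silently is noticed before the three-month expiry. The function names, the 30-day default and the throwaway self-signed demo certificates are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: report certbot lineages whose certificate is close to expiry.
# Assumed layout (as shown on this page): <live>/<domain>/fullchain.pem

# expires_within CERT DAYS: succeeds if CERT is expired, unreadable, or expires
# within DAYS days. "openssl x509 -checkend N" exits 0 only when the
# certificate is still valid N seconds from now, so the result is negated.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check_live LIVE_DIR [DAYS]: print one status line per lineage and return
# non-zero if any certificate needs attention (usable from cron or monitoring).
check_live() {
    live=$1; days=${2:-30}; rc=0
    for cert in "$live"/*/fullchain.pem; do
        [ -f "$cert" ] || continue          # glob matched nothing
        name=$(basename "$(dirname "$cert")")
        if expires_within "$cert" "$days"; then
            echo "WARN $name: expires within $days days (or is unreadable)"
            rc=1
        else
            echo "OK   $name: $(openssl x509 -in "$cert" -noout -enddate)"
        fi
    done
    return "$rc"
}

# make_demo_cert DIR NAME DAYS: constructed sample data. Creates a throwaway
# self-signed certificate laid out like a certbot lineage, for offline testing.
make_demo_cert() {
    mkdir -p "$1/$2" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
        -keyout "$1/$2/privkey.pem" -out "$1/$2/fullchain.pem" >/dev/null 2>&1
}

# Usage (as root, since the live directory is root-only):
#   sh check_certs.sh /etc/letsencrypt/live 30
if [ $# -ge 1 ]; then check_live "$@"; fi
```

A non-zero exit status from check_live can drive a cron mail or a monitoring alert.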
