Linux 利用 Let's Encrypt生成免费证书

1、下载certbot客户端，授权

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

2.停止nginx

   sudo nginx -s stop

3、生成证书

     ./certbot-auto certonly --standalon --email '邮箱' -d '域名' 

     示例：./certbot-auto certonly --standalon --email 10363@qq.com -d www.zszhan.cn

出现问题1：

      ./certbot-auto has insecure permissions!
       To learn how to fix them, visit https://community.letsencrypt.org/t/certbot-auto-deployment-best-practices/91979/
       Saving debug log to /var/log/letsencrypt/letsencrypt.log
       Plugins selected: Authenticator standalone, Installer None
       Obtaining a new certificate
       Performing the following challenges:
       http-01 challenge for main.smarthome.60community.com
       Cleaning up challenges
        Problem binding to port 80: Could not bind to IPv4 or IPv6.
   解决：停止nginx

成功生成证书：
[root@qa_docker_node01 xx]# ./certbot-auto certonly --standalon --email '邮箱' -d '域名'
./certbot-auto has insecure permissions!
To learn how to fix them, visit https://community.letsencrypt.org/t/certbot-auto-deployment-best-practices/91979/
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for 域名
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/main.smarthome.60community.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/main.smarthome.60community.com/privkey.pem
   Your cert will expire on 2019-08-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

4.查看证书路径

   /etc/letsencrypt/live

5.在nginx配置服务

server {
         listen 80;
         listen 443 ssl http2;
          server_name  域名;
         location  /
           {
               proxy_set_header Host $host;
               proxy_set_header X-Real-IP $remote_addr;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_pass http://localhost:8999;
               proxy_http_version 1.1;
               proxy_set_header Upgrade $http_upgrade;
               proxy_set_header Connection "upgrade";
          }

         ssl_certificate /etc/letsencrypt/live/域名/fullchain.pem; # managed by Certbot
         ssl_certificate_key /etc/letsencrypt/live/域名/privkey.pem;# managed by Certbot
         include /etc/letsencrypt/options-ssl-nginx.conf;# managed by Certbot
         ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;# managed by Certbot

}

由于let encrypt证书的有效时间是90天，证书续期：./certbot-auto renew