Nodejs+Nginx+SSL(Letsencrypt)配置[菜鳥筆記]

Nginx預(yù)配置

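# Bootstrap server block used BEFORE a certificate exists.
# It has to listen on plain HTTP: nginx refuses to start a `listen 443 ssl`
# server that has no ssl_certificate, and the Let's Encrypt HTTP-01
# challenge is delivered to port 80 anyway. Replace it with the TLS block
# once certbot has written the files under /etc/letsencrypt/live/.
server {
    listen               80;
    listen               [::]:80;
    server_name          example.com www.example.com;
    server_tokens        off;   # hide the nginx version in headers and error pages

    # Drop anything that is not an ordinary HTTP method; 444 closes the
    # connection without sending a response.
    if ($request_method !~ ^(GET|HEAD|POST|OPTIONS|PUT|DELETE|PATCH)$ ) {
        return           444;
    }

    # ACME HTTP-01 challenge files. This directory MUST be the same one
    # passed to certbot as --webroot-path, otherwise validation fails.
    location ^~ /.well-known/acme-challenge/ {
       default_type "text/plain";
       root /usr/share/nginx/html;
    }

    location / {
      proxy_set_header Host              $host;
      proxy_set_header X-Real-IP         $remote_addr;
      proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      # Bind the Node process to 127.0.0.1 only: if it listens on 0.0.0.0,
      # port 3000 is reachable directly and bypasses nginx entirely.
      proxy_pass http://127.0.0.1:3000;   # change to your Node.js app's port
    }
}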

安裝letsencrypt

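# Install the distro's Let's Encrypt client. The package is still named
# "letsencrypt" on older Ubuntu releases (newer ones ship it as "certbot").
# Chain the two commands so a failed index refresh does not install from
# stale package lists. If you use this package you do not also need
# certbot-auto from the next section.
sudo apt update && sudo apt install letsencrypt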

安裝certbot-auto

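# certbot-auto is no longer maintained by the EFF (the distro package or
# the snap is recommended instead) and the download may no longer be
# served. If you still use it: never chmod and run an unverified download
# as root - a tampered script executed via sudo is a full host compromise.
# Verification needs the EFF signing key from the certbot documentation
# imported into gpg first.
wget https://dl.eff.org/certbot-auto \
  && wget https://dl.eff.org/certbot-auto.asc \
  && gpg --verify certbot-auto.asc certbot-auto \
  || { printf 'certbot-auto download or signature check failed\n' >&2; exit 1; }
# Install root-owned and executable in one step (no chmod/mv race),
# callable afterwards as: sudo certbot-auto [options]
sudo install -m 0755 certbot-auto /usr/local/bin/certbot-auto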

生成加密證書

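# Issue the certificate with the webroot plugin (needs root to write
# /etc/letsencrypt). --webroot-path MUST be the directory nginx serves
# /.well-known/acme-challenge/ from (the `root` in the server block,
# /usr/share/nginx/html), and every -d name must resolve to this host.
# The original command spelled the first name "exampe.com": a typo here
# either fails validation or issues a certificate for the wrong name.
sudo certbot-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d example.com -d www.example.com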
OSError: Command /root/.local/share/letsencrypt/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2

如果遇到該錯誤,可以嘗試以下兩種方法(對應 certbot 倉庫的兩個 issue);沒有遇到則跳過:
issues2883
issues46
出現(xiàn)下面內(nèi)容,則表示生成成功

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example/fullchain.pem. Your cert
   will expire on 2017-02-15. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

再修改下Nginx配置

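# Plain-HTTP server: answers ACME challenges directly and redirects
# everything else to HTTPS.
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        # The original had an unrelated hostname (mou.io) here, which made
        # $server_name redirect every request to that site.
        server_name example.com www.example.com;

        # Keep serving the challenge over HTTP so renewals do not depend on
        # the TLS block being healthy. Same directory as --webroot-path.
        location ^~ /.well-known/acme-challenge/ {
            default_type "text/plain";
            root /usr/share/nginx/html;
        }

        # Redirect to the canonical name rather than reflecting the
        # client-supplied Host header: this is the default_server, so it
        # receives requests for any hostname.
        location / {
            return 301 https://$server_name$request_uri;
        }
}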
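server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;
    server_tokens off;   # hide the nginx version

    # These three files are created by certbot; this block cannot be loaded
    # until they exist (nginx refuses `listen ... ssl` without a certificate).
    # chain.pem is what ssl_stapling_verify checks the OCSP response against.
    ssl_certificate         /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

    # TLS 1.0/1.1 are deprecated (RFC 8996); keep 1.2, plus 1.3 where nginx
    # (>= 1.13 with OpenSSL 1.1.1) supports it - drop the token otherwise.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The original list allowed static-RSA
    # key exchange (no forward secrecy), 3DES (SWEET32) and a draft
    # CHACHA20 suite name.
    ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    ssl_session_cache   shared:whatever-SSL:50m;
    ssl_session_timeout 1d;
    # nginx generates its ticket key once at startup and never rotates it
    # unless ssl_session_ticket_key is managed explicitly, so tickets undo
    # forward secrecy for the lifetime of the process. Keep them off.
    ssl_session_tickets off;

    ssl_stapling        on;
    ssl_stapling_verify on;
    # OCSP lookups go through this resolver in plaintext; prefer a local
    # resolver over 8.8.8.8 if one is available.
    resolver         8.8.8.8 valid=300s;
    resolver_timeout 10s;

    # HSTS: browsers will refuse plain HTTP for this host from now on. Safe
    # here because port 80 redirects everything; add includeSubDomains only
    # if every subdomain is served over TLS. (`always` needs nginx >= 1.7.5.)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Same method filter as the bootstrap block; 444 closes the connection.
    if ($request_method !~ ^(GET|HEAD|POST|OPTIONS|PUT|DELETE|PATCH)$ ) {
        return 444;
    }

    location ^~ /.well-known/acme-challenge/ {
       default_type "text/plain";
       root /usr/share/nginx/html;   # must equal certbot --webroot-path
    }

    location / {
      proxy_set_header Host              $host;
      proxy_set_header X-Real-IP         $remote_addr;
      proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
      # Without this the Node app cannot tell it is behind TLS (secure
      # cookies, absolute redirects); most Node frameworks need a
      # "trust proxy" setting before they honour it.
      proxy_set_header X-Forwarded-Proto $scheme;
      # Bind the Node process to 127.0.0.1 only, otherwise :3000 can be
      # reached directly and bypasses TLS and the filters above.
      proxy_pass http://127.0.0.1:3000;   # change to your Node.js app's port
    }
}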

開啟自動續(xù)期

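# Test the renewal path first. --dry-run talks to the staging CA and writes
# nothing; --agree-tos accepts the subscriber agreement non-interactively.
# (The original line put this explanation after "//", which bash passes to
# certbot as extra arguments, so copy-pasting it failed.)
sudo certbot renew --agree-tos --dry-run
# Once the dry run succeeds, run the same command without --dry-run.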
然后

ubuntu 14.X

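# Renewal only rewrites the files under /etc/letsencrypt; nginx keeps
# serving the old certificate until it is reloaded. Schedule this line
# from root's crontab (e.g. twice a day) - renew is a no-op while the
# certificate is not yet close to expiry. --no-self-upgrade only matters
# for certbot-auto.
certbot renew --quiet --no-self-upgrade && service nginx reload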

ubuntu 16.x

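# The 16.04 package installs the client as "letsencrypt". Reload nginx
# afterwards or it keeps serving the old certificate; schedule from root's
# crontab (renew is a no-op until the certificate is close to expiry).
letsencrypt renew --quiet && service nginx reload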

centos

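# Reload nginx after renewal or it keeps serving the old certificate;
# schedule from root's crontab (renew is a no-op until the certificate is
# close to expiry).
certbot renew --quiet && service nginx reload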

參考:

Joephon

最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時請結(jié)合常識與多方信息審慎甄別。
平臺聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點,簡書系信息發(fā)布平臺,僅提供信息存儲服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容