This assumes you already have a site running on nginx.
Install Certbot
Certbot is the ACME client that obtains and renews Let's Encrypt certificates (Let's Encrypt itself is the certificate authority; Certbot is maintained by the EFF).
Add the package repository:
sudo add-apt-repository ppa:certbot/certbot
Press Enter to confirm. Once the PPA is added, refresh the apt package index:
sudo apt-get update
Then install Certbot together with its nginx plugin:
sudo apt-get install python-certbot-nginx
Note that these are the 2018-era package names. The certbot/certbot PPA has since been retired and the Python 2 package renamed, so on a current Ubuntu release you would install python3-certbot-nginx from the main repositories, or Certbot via snap; the rest of the walkthrough is unchanged.
Issue an SSL certificate
Now ask Let's Encrypt to issue the certificate and let Certbot wire it into nginx:
sudo certbot --nginx -d your-domain.com -d www.your-domain.com
Replace your-domain.com with your own domain. Every name you pass with -d must already resolve to this server, because Let's Encrypt validates control of each name before issuing (the nginx plugin answers the validation challenge for you). On the first run Certbot asks for a contact email address (used for expiry warnings), asks you to accept the Let's Encrypt subscriber agreement, and finally asks whether to redirect HTTP to HTTPS:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Choose 2 so that plain-HTTP requests are redirected to HTTPS.
At the end Certbot prints where the certificate and private key were stored:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/oyty.me/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/oyty.me/privkey.pem
Your cert will expire on 2018-09-24. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
At this point the certificate has been issued and installed; open the site in a browser and it is served over HTTPS.
For reference, here is what my nginx config file /etc/nginx/sites-available/oyty looks like after Certbot edited it (the lines marked "managed by Certbot" are the ones it added):
server {
    server_name oyty.me www.oyty.me;
    root /var/www/oyty/oyty.github.io;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/oyty.me/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/oyty.me/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = www.oyty.me) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = oyty.me) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name oyty.me www.oyty.me;
    return 404; # managed by Certbot
}
Certbot wired the certificate files into the configuration by itself: the first server block now listens on 443 with the fullchain.pem and privkey.pem it issued, and the second block catches requests on port 80 for the two names and answers with a 301 to the https:// URL, while any other Host value gets a 404. If your configuration was not edited (for example because Certbot could not parse it), add the ssl_certificate and ssl_certificate_key lines yourself using the paths from the output above, then run nginx -t and reload nginx.
Automatic renewal
Let's Encrypt certificates are valid for only 90 days, so they have to be renewed before they expire. With a recent Certbot you do not need to script this yourself: the distribution package installs a scheduled job (/etc/cron.d/certbot, plus a certbot.timer unit on systemd hosts) that runs certbot renew twice a day, renews any certificate within 30 days of expiry, and reloads nginx afterwards because the certificate was obtained with the nginx plugin. All you need to do is confirm that renewal actually works. The dry run rehearses the whole process against the Let's Encrypt staging environment without replacing your real certificate:
sudo certbot renew --dry-run
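A successful dry run proves that Certbot can renew, not that nginx is serving the renewed certificate or that the port-80 redirect block above is in effect for every name. The script below is an added example, not part of the original post or of Certbot. It parses the notAfter line printed by openssl x509 -enddate into days remaining, checks that a plain-HTTP response is a redirect to https:// on the same host (what the second server block above does), and, when given a hostname, runs both checks against the live server. It assumes GNU coreutils (date -d), openssl and curl are installed; the hostname oyty.me in the usage comment is the one from the post.

```bash
#!/usr/bin/env bash
# Added example (not from the original post or from Certbot): post-install
# checks for a Let's Encrypt certificate served by nginx.
# Assumes GNU coreutils (date -d), openssl and curl are available.

# Parse the "notAfter=Sep 24 12:00:00 2018 GMT" line printed by
# `openssl x509 -noout -enddate` and print whole days left relative to
# the reference epoch (second argument; defaults to now). Negative = expired.
days_until_expiry() {
    local enddate_line="$1" ref_epoch="${2:-$(date +%s)}"
    local not_after="${enddate_line#notAfter=}"
    local exp_epoch
    exp_epoch=$(date -u -d "$not_after" +%s)
    echo $(( (exp_epoch - ref_epoch) / 86400 ))
}

# Return 0 only if the raw HTTP response headers describe a redirect to
# https:// on the same host, i.e. what the port-80 server block does.
is_https_redirect() {
    local host="$1" headers="$2"
    local status location
    status=$(printf '%s\n' "$headers" | head -n 1 | awk '{ print $2 }')
    location=$(printf '%s\n' "$headers" | tr -d '\r' \
               | awk 'tolower($1) == "location:" { print $2 }')
    case "$status" in
        301|302|307|308) ;;
        *) return 1 ;;
    esac
    case "$location" in
        "https://$host"|"https://$host"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check against a real host (needs network access). Fetch the leaf
# certificate nginx is actually serving and the headers it returns for
# a plain-HTTP request.
check_site() {
    local host="$1" enddate days
    enddate=$(echo | openssl s_client -servername "$host" -connect "$host:443" 2>/dev/null \
              | openssl x509 -noout -enddate)
    days=$(days_until_expiry "$enddate")
    echo "certificate served for $host expires in $days days"
    # certbot renew replaces the files 30 days before expiry; if nginx still
    # presents fewer days than that, it was not reloaded or renewal failed.
    if [ "$days" -lt 30 ]; then
        echo "WARNING: fewer than 30 days left; check 'certbot renew' and reload nginx" >&2
    fi
    if is_https_redirect "$host" "$(curl -sSI "http://$host/")"; then
        echo "http://$host/ redirects to HTTPS"
    else
        echo "WARNING: http://$host/ does not redirect to https://$host/" >&2
    fi
}

# Usage: ./check-tls.sh oyty.me   (run it for each name passed to -d)
if [ -n "${1:-}" ]; then
    check_site "$1"
fi
```

Run it once per name you issued for, since the redirect block only matches the names listed in its if conditions; a name that resolves to the server but is not in the certificate or the redirect list will fail both checks.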