Install Nginx

yum install -y nginx

Configure the domain site

Open the /etc/nginx/nginx.conf file, find server_name and set it to your own domain. If the host is located in mainland China, the domain must complete ICP filing (备案) before it can be accessed.

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  childsay.com www.childsay.com;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        # The location must match the page named in error_page
        # (the stock file says /40x.html here, which never matches).
        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

After changing the configuration, Nginx must be restarted. Before restarting, it is best to check that the configuration file syntax is correct:

nginx -t

The correct output is as follows:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart Nginx and enable it to start at boot:

systemctl restart nginx
systemctl enable nginx

Configure HTTPS

Install certbot

yum install python2-certbot-nginx

Configure HTTPS for the specified site

certbot --nginx

You will be asked to enter a valid email address, which is used for renewal reminders and urgent security notices:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): tumobi@163.com

After entering it, press Enter to confirm; the output is as follows:

Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

At this step choose agree: enter A and press Enter to confirm; the output is as follows:

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

At this step choose yes: enter Y and press Enter to confirm; the output is as follows:

Starting new HTTPS connection (1): supporters.eff.org

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: childsay.com
2: www.childsay.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2

This step asks us to select the domains that need HTTPS access: enter the numbers in front of the required domains, separated by spaces when there are several, and press Enter.

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for childsay.com
http-01 challenge for www.childsay.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/childsay.conf
Deploying Certificate to VirtualHost /etc/nginx/conf.d/childsay.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

This step asks whether HTTP access should be redirected to HTTPS: enter 1 for no redirect or 2 to redirect, then press Enter to confirm.

After HTTPS has been configured successfully, output similar to the following appears:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://childsay.com and
https://www.childsay.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=childsay.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.childsay.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/childsay.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/childsay.com/privkey.pem
   Your cert will expire on 2018-11-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Visiting the links under "You should test your configuration at" lets you verify whether your site has been configured for HTTPS successfully. Also note the information under IMPORTANT NOTES: the SSL certificate storage paths, the expiry date, and so on.

Automatic certificate renewal

Because SSL certificates issued by Let's Encrypt are valid for only 90 days, certbot can be set up to renew them automatically before expiry so they do not lapse. The following command performs a dry run of the renewal:

certbot renew --dry-run
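A dry run only proves that renewal can succeed; it does not tell you whether the certificate actually on disk is still far from expiry. The check below is an added example (not part of the original post): it reads the expiry date from the fullchain.pem path printed under IMPORTANT NOTES, computes the days remaining, and exits non-zero once fewer than 30 days are left, which is the point at which "certbot renew" would normally have replaced the certificate. It assumes GNU date (as on CentOS) and the openssl command-line tool; the script name and cron line are assumptions for illustration.

```shell
#!/bin/sh
# check-cert.sh (hypothetical name): alert when a Let's Encrypt certificate
# is closer to expiry than certbot's own renewal point. Added example.
RENEW_THRESHOLD_DAYS=30

# days_left NOTAFTER NOW_EPOCH
# NOTAFTER is the date string printed by "openssl x509 -enddate",
# e.g. "Nov 15 12:00:00 2018 GMT"; NOW_EPOCH is the reference time as a
# Unix timestamp. Prints whole days remaining (negative once expired).
# Relies on GNU date parsing that string.
days_left() {
    expiry_epoch=$(date -u -d "$1" +%s)
    echo $(( (expiry_epoch - $2) / 86400 ))
}

# needs_renewal DAYS: succeeds when the certificate is inside the
# renewal window, i.e. "certbot renew" should already have acted.
needs_renewal() {
    [ "$1" -lt "$RENEW_THRESHOLD_DAYS" ]
}

# check_cert_file PATH: reads the real notAfter field from a PEM
# certificate and reports; exit status 1 means renewal is overdue.
check_cert_file() {
    notafter=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    left=$(days_left "$notafter" "$(date -u +%s)")
    if needs_renewal "$left"; then
        echo "$1: $left days left; automatic renewal has not happened, investigate"
        return 1
    fi
    echo "$1: $left days left; OK"
    return 0
}

# Usage:
#   ./check-cert.sh /etc/letsencrypt/live/childsay.com/fullchain.pem
# Assumed cron entry that lets certbot renew nightly and runs this check
# afterwards so a stuck renewal is noticed before the site breaks:
#   0 3 * * * certbot renew --quiet && /usr/local/sbin/check-cert.sh /etc/letsencrypt/live/childsay.com/fullchain.pem
if [ -n "${1:-}" ]; then
    check_cert_file "$1"
fi
```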

Tags: CentOS, Nginx