Detailed tutorial: configuring an SSL certificate and enabling HTTPS for a site on Alibaba Cloud + Ubuntu + LNMP

1. Automatic installation:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto

2. Generate the certificate for your domain:

./certbot-auto certonly --email [email protected] --agree-tos --webroot -w /home/wwwroot/xxxxx -d www.xxxxx.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.xxxxx.com
Using the webroot path /home/wwwroot/xxxxx for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.xxxxx.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.xxxxx.com/privkey.pem
   Your cert will expire on 2018-04-21. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew all of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Note: if you are using LNMP, pay close attention to the following vhost file:

/usr/local/nginx/conf/vhost/www.xxxxx.com.conf   # the file for your domain

Find the following rule in it: location ~ /\. { deny all; }

and temporarily change it to: location ~ /\. { allow all; }

Otherwise obtaining the certificate always fails with 403 Forbidden, because that rule blocks every path starting with a dot, including the /.well-known/ directory in which certbot places its challenge files.

Then add the following at the very top of /usr/local/nginx/conf/vhost/www.xxxxx.com.conf (the file for your domain), replacing every xxxxx with your own values.

    server
    {
        listen 443 ssl;
        ssl on;
        server_name www.xxxxx.com xxxxx.com;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/xxxxx;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_certificate /etc/letsencrypt/live/www.xxxxx.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.xxxxx.com/privkey.pem;
        ssl_session_timeout 5m;

        include none.conf;
        #error_page   404   /404.html;
        include enable-php.conf;
    }

At this point your site should be reachable over https! You can test your site's security grade at https://www.ssllabs.com/ssltest/.
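A vhost layout that avoids flipping the dotfile rule to "allow all" (which would also expose .git, .env, .htaccess and similar files), as an added example that is not from the original post: the ACME challenge directory gets its own location ahead of LNMP's `location ~ /\.` deny rule, and port 80 redirects everything else to HTTPS. Domain, webroot and certificate paths are the page's placeholders; none.conf and enable-php.conf are assumed to be LNMP's include files.

```nginx
server
{
    listen 80;
    server_name www.xxxxx.com xxxxx.com;

    # Only the ACME challenge directory is served from the webroot over
    # plain HTTP; certbot --webroot writes its token files here.
    location ^~ /.well-known/acme-challenge/ {
        root /home/wwwroot/xxxxx;
        default_type text/plain;
        allow all;
    }

    # Everything else on port 80 is sent to the HTTPS site.
    location / {
        return 301 https://www.xxxxx.com$request_uri;
    }
}

server
{
    listen 443 ssl;
    server_name www.xxxxx.com xxxxx.com;
    index index.html index.htm index.php default.html default.htm default.php;
    root /home/wwwroot/xxxxx;

    ssl_certificate /etc/letsencrypt/live/www.xxxxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.xxxxx.com/privkey.pem;
    # Tightened relative to the page's block: TLS 1.0 and 1.1 are deprecated.
    # Drop TLSv1.3 if your nginx build is older than 1.13.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;

    # Same exception on the HTTPS side, so a renewal that reaches the site
    # through a redirect is not blocked by the dotfile rule below.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }

    # LNMP's dotfile rule stays "deny all": the ^~ prefix match above wins
    # over this regex match, so .git, .env, .htaccess etc. remain hidden.
    location ~ /\. {
        deny all;
    }

    include none.conf;         # assumed: LNMP's vhost include files
    include enable-php.conf;
}
```

Run `nginx -t` before reloading; the 443 block only loads once the certificate files exist, so add it after the first successful certbot run.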

For security reasons, certificates issued by Let's Encrypt are valid for only 90 days, so the certificate has to be renewed every three months. That is slightly inconvenient, but for the sake of security it is worthwhile and proper. Fortunately Certbot also provides a very convenient way to renew.

1. Test a renewal. This step does not actually renew anything; it only calls Certbot in test mode:

./certbot-auto renew --dry-run

If you see the following, the test succeeded:

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.xxxx.com/fullchain.pem (success)

2. Use crontab for scheduled renewal

Edit the crontab:

crontab -e

At midnight on the 1st of every second month the certificate is renewed automatically, and 5 minutes later nginx reloads its configuration. Replace the path to certbot-auto with your own.

00 00 1 2,4,6,8,10,12 * /usr/local/certbot-auto renew --quiet --no-self-upgrade
05 00 1 2,4,6,8,10,12 * lnmp restart
