Requesting a Wildcard Certificate with Certbot on CentOS 7

2019-05-07  勤奋的猫猫啊
  1. certbot depends on the Python 2 requests and urllib3 libraries, and the copies already on the system (the yum packages and any copies installed with pip) clash with the versions certbot's packages pull in, producing import errors. Remove them first. Read the transaction summary yum prints before confirming: any other package that depends on these libraries is removed with them.
# yum remove python-requests
# yum remove python-urllib3
# yum remove python2-requests
# yum remove python2-urllib3
# pip uninstall requests
# pip uninstall urllib3
  2. Refresh the repositories and install certbot together with its nginx plugin. On CentOS 7 these packages come from EPEL, so if yum cannot find them, install epel-release first.
# yum update
# yum install certbot python2-certbot-nginx
  3. Request a wildcard certificate, so that the subdomains can use HTTPS as well. Wildcards are only issued through the ACME v2 endpoint and only via the DNS-01 challenge, hence the --server and --preferred-challenges options. A wildcard covers exactly one label (www.maomao.run but not maomao.run itself), which is why the bare domain is listed separately. Quote the wildcard so the shell does not glob-expand it.
# certbot -d maomao.run -d '*.maomao.run' --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory certonly
  4. After running the command, certbot asks whether the IP address of the machine requesting the certificate may be publicly logged. You must answer yes here; certbot aborts otherwise.
----------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this certificate. 
If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.

Are you OK with your IP being logged?
----------------------------------------------------------------------
(Y)es/(N)o: y
  5. Once you agree, certbot asks you to create a DNS TXT record at your domain provider. Just press Enter here; this record is added together with the second one in the next step.
---------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.maomao.run with the following value:

iLS0NjcdP3RR1KphB6xbbVnKS_NS2uMW-xdDRzz85OM

Before continuing, verify the record is deployed.
---------------------------------------------------------------------
Press Enter to Continue             # just press Enter here
  6. Certbot now asks for a second TXT record under the same name (one challenge per -d entry). Do not press Enter this time: note the values from both prompts and prepare to add them at your DNS provider. Both records must be in place at the same time, because certbot validates the two challenges together after the second prompt.
---------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.maomao.run with the following value:

f3V7aw5GPm5yzNsJFanQQaUFMyVQcqriUe3UjIDUHn0

Before continuing, verify the record is deployed.
---------------------------------------------------------------------
Press Enter to Continue             # do NOT press Enter yet
  7. In your domain's DNS management page, add two TXT records for _acme-challenge, one with each value. (The author used name.com.)

    [screenshots: name.com DNS record editor]
  8. After entering the records at the DNS provider, wait until they are actually served for _acme-challenge.maomao.run, then return to the terminal and press Enter. Certbot validates both challenges and prints the result. Note that a certificate obtained with --manual and no --manual-auth-hook cannot be renewed non-interactively by "certbot renew", whatever the closing message says: Let's Encrypt certificates are valid for 90 days, so before expiry you have to repeat this procedure or add an auth hook that creates the TXT records for you.
Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges

IMPORTANT NOTES:
-   Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/maomao.run/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/maomao.run/privkey.pem
Your cert will expire on 2018-06-14. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
-   If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le
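Pressing Enter before the records are visible is the usual reason a DNS-01 run fails, so it pays to check first. The following is an added example, not part of the original post: a small POSIX shell helper that parses the output of dig and refuses to report success until every expected TXT value is served. The hostname, the two token values (taken from the prompts above; real ones differ on every run), the resolver address and the dig binary (bind-utils on CentOS 7) are assumptions for the sake of the example.

```shell
#!/bin/sh
# Added example, not from the original post: before pressing Enter in certbot,
# confirm that both ACME TXT values are already served for
# _acme-challenge.maomao.run. Name, values and resolver are placeholders.

# txt_values_present VALUE...
# Reads `dig +short TXT <name>` output on stdin (one quoted string per line;
# ACME tokens are short, so the 255-byte split into several strings never
# occurs) and succeeds only if every VALUE given is among the records.
txt_values_present() {
    found=$(sed 's/^"//; s/"$//')          # strip the quotes dig prints around TXT data
    for want in "$@"; do
        printf '%s\n' "$found" | grep -qxF -- "$want" || return 1
    done
    return 0
}

# wait_for_txt NAME RESOLVER VALUE...
# Polls RESOLVER every 10 s and gives up after 5 minutes. Let's Encrypt
# resolves the record itself starting from the zone's authoritative servers,
# so query one of those first; a public resolver is a reasonable second check.
wait_for_txt() {
    name=$1; resolver=$2; shift 2
    command -v dig >/dev/null 2>&1 || {
        echo "dig not found (yum install bind-utils)" >&2
        return 2
    }
    i=0
    while [ "$i" -lt 30 ]; do
        if dig +short TXT "$name" "@$resolver" | txt_values_present "$@"; then
            echo "all TXT values for $name visible at $resolver"
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "timed out waiting for $name at $resolver" >&2
    return 1
}

# Offline self-check on a constructed dig answer holding the two values from
# the prompts above (assumed here; the real ones differ on every run).
sample='"iLS0NjcdP3RR1KphB6xbbVnKS_NS2uMW-xdDRzz85OM"
"f3V7aw5GPm5yzNsJFanQQaUFMyVQcqriUe3UjIDUHn0"'
printf '%s\n' "$sample" \
    | txt_values_present iLS0NjcdP3RR1KphB6xbbVnKS_NS2uMW-xdDRzz85OM \
                         f3V7aw5GPm5yzNsJFanQQaUFMyVQcqriUe3UjIDUHn0 \
    && echo "sample answer: both values present"

# Real use, once the records are saved at the DNS provider (values assumed):
#   wait_for_txt _acme-challenge.maomao.run 8.8.8.8 "$VALUE1" "$VALUE2"
```

Run wait_for_txt against the domain's authoritative name server (dig NS maomao.run shows them) and only then against a public resolver; once it reports success, go back to certbot and press Enter.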
  9. Open the nginx configuration file.
# vim /etc/nginx/nginx.conf
  10. Configure the domain to be served over HTTPS. The certificate and key paths must be the ones certbot printed above. "ssl on;" is obsolete once ssl appears on the listen line, and TLS 1.0 and 1.1 are deprecated, so only TLSv1.2 is enabled; add TLSv1.3 only if your nginx is linked against OpenSSL 1.1.1 or newer, which the stock CentOS 7 OpenSSL (1.0.2) is not.
server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name maomao.run;

        # paths printed by certbot; live/ holds symlinks to the newest issuance
        ssl_certificate /etc/letsencrypt/live/maomao.run/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/maomao.run/privkey.pem;
        # TLS 1.0/1.1 are deprecated; append TLSv1.3 only with OpenSSL 1.1.1+
        ssl_protocols TLSv1.2;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http://127.0.0.1:8001;
        }
}
  11. Redirect port 80 to 443, so that however the user types the address, the site is reached over HTTPS. A return 301 is the recommended form for a whole-site redirect, and $server_name keeps the target fixed instead of echoing whatever Host header the client sent.
server {
        listen 80;
        listen [::]:80;
        server_name maomao.run;
        # permanent redirect of every request to the HTTPS site
        return 301 https://$server_name$request_uri;
}
  12. Subdomains are configured the same way as the main domain, with server_name set to the subdomain and the same certificate and key paths, since the wildcard certificate already covers them.
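Whether a given subdomain is really covered depends on the wildcard matching rule, and it is worth checking the issued certificate rather than assuming. The following is an added example, not part of the original post: a POSIX shell implementation of the one-label wildcard rule that Let's Encrypt applies, plus a wrapper that reads the subjectAltName out of fullchain.pem with openssl. The hostnames www/api/a.b/evilmaomao.run and the availability of openssl are assumptions; the certificate path is the one certbot printed above.

```shell
#!/bin/sh
# Added example, not from the original post: check which hostnames the issued
# certificate really covers. Let's Encrypt follows the RFC 6125 rule that a
# wildcard stands in for exactly one label, so "*.maomao.run" matches
# api.maomao.run but neither maomao.run itself nor a.b.maomao.run; that is why
# the certbot command lists both -d maomao.run and -d '*.maomao.run'.

# name_matches HOST PATTERN -> 0 if PATTERN (an exact name or "*.suffix") covers HOST
name_matches() {
    h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names compare case-insensitively
    p=$2
    case $p in
        '*.'*)
            suffix=${p#\*.}
            case $h in
                *".$suffix") label=${h%".$suffix"} ;;   # HOST = <label>.<suffix>
                *) return 1 ;;
            esac
            [ -n "$label" ] || return 1
            case $label in
                *.*) return 1 ;;          # more than one label: not covered
            esac
            return 0 ;;
        *)
            [ "$h" = "$p" ] ;;
    esac
}

# san_covers HOST "SAN SAN ..." -> 0 if any entry of the space-separated list covers HOST
san_covers() {
    set -f                      # the list contains "*"; keep the shell from globbing it
    for p in $2; do
        if name_matches "$1" "$p"; then set +f; return 0; fi
    done
    set +f
    return 1
}

# cert_sans FILE -> prints the DNS names from the leaf certificate's subjectAltName
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_covers HOST FILE -> 0 if the certificate in FILE covers HOST (needs openssl)
cert_covers() {
    san_covers "$1" "$(cert_sans "$2" | tr '\n' ' ')"
}

# Constructed SAN list: exactly what the certbot command above requests.
sans='maomao.run *.maomao.run'
for name in maomao.run www.maomao.run a.b.maomao.run evilmaomao.run; do
    if san_covers "$name" "$sans"; then
        echo "$name: covered"
    else
        echo "$name: NOT covered"
    fi
done

# Against the real certificate (hostname assumed):
#   cert_covers api.maomao.run /etc/letsencrypt/live/maomao.run/fullchain.pem
```

The loop prints that maomao.run and www.maomao.run are covered while a.b.maomao.run and evilmaomao.run are not; a second-level name such as a.b.maomao.run would need its own -d entry (or its own wildcard '*.b.maomao.run') in the certbot command.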