certbot 免费Https证书

1.安装Certbot

$ sudo apt install certbot python3-certbot-nginx

2.生成证书

$ sudo certbot --nginx -d 你的域名.cn --agree-tos  -n --email wsw@qq.com

SSL证书具体位置：/ect/letsencrypt/live下

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.你的域名.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.你的域名.com/privkey.pem
   Your cert will expire on 2018-09-29. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

HTTPS 证书相关的文件在/etc/letsencrypt/目录中：

find /etc/letsencrypt/ -name "*www.你的域名.com*"
/etc/letsencrypt/renewal/www.你的域名.com.conf
/etc/letsencrypt/archive/www.你的域名.com
/etc/letsencrypt/live/www.你的域名.com

certbot 会自动修改 nginx 配置文件：

cat /etc/nginx/conf.d/你的域名.conf


server
{
    listen 80;
    server_name www.你的域名.com;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.你的域名.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.你的域名.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

通过上面两步，直接将Nginx配置写入了已存在的配置文件
证书三个月会过期，但是可以无限续签，可通过以上命令重新申请，也可重新需续签或者自动续签

3、手动续签

$ sudo certbot renew --force-renew

4、自动续签

crontab -e

0 3 1 * * certbot renew --force-renew

5、重启 nginx:

sudo nginx -s reload