网站使用 HTTPS 协议已是大势所趋，而要在 web 上使用 HTTPS 的话，我们首先需要获得一个 SSL 证书文件。本文介绍如何在 CentOS7 + Nginx 环境下，安装使用 Let’s Encrypt 免费 SSL 证书。

1. 准备工作

(1)首先安装Nginx服务器，并确保正常运行。

yum install nginx -y
systemctl start nginx  //启动Nginx
systemctl enable nginx  //设置Nginx开机自启动

(2)服务器要开放80端口以及443端口

firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --reload

2. 安装certbot工具

我们采用certbot脚本方式申请let’s Encrypt证书，依次执行如下命令安装该工具：

yum install -y epel-release
yum install -y certbot python2-certbot-nginx

3. 申请证书

接下来我们要使用certbot命令初次申请证书：

[root ~]# certbot certonly --nginx -d blog.top -d www.blog.top 

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for blog.top and www.blog.top

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/blog.top/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/blog.top/privkey.pem
   Your certificate will expire on 2025-01-17. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

申请成功后，证书会保存在 /etc/letsencrypt/live/blog.top/ 下面：

[root@ ~]# ls /etc/letsencrypt/live/blog.top/
cert.pem  chain.pem  fullchain.pem  privkey.pem  README

使用如下命令可以查看证书的有效期 :

openssl x509 -noout -dates -in /etc/letsencrypt/live/blog.top/fullchain.pem

4. 证书更新

1) Let’s Encrypt 证书的有效期是 `90 天，需要长期使用的话，需要在失效前进行延长申请。我们可以执行如下命令去更新：

//更新证书
certbot renew --dry-run
 
//如果不需要返回的信息，可以用静默方式
certbot renew --quiet

2) 我们也可以将更新证书的脚本写到定时任务来自动完成，免得我们手动操作。首先执行如下命令开始编辑定时任务：

crontab -e

3）此时会进入 vi 的编辑界面让你编辑工作（每项工作都是一行）。我们在末尾添加如下一行内容，表示每月 1 号 5 时会执行执行一次更新，并重启 nginx 服务器：

00 05 01 * * /usr/bin/certbot renew --quiet && /bin/systemctl restart nginx

5. 配置Nginx

server
{
        listen 80;
        server_name www.blog.top;

        rewrite ^(.*)$ https://$host$request_uri;
}

server
{
        listen 80;
        server_name blog.top;

        return 301 https://www.blog.top$request_uri;
}

server {
        listen 443;

        server_name blog.top;

        ssl on;
        ssl_certificate /etc/letsencrypt/live/blog.top/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/blog.top/privkey.pem;

        return 301 https://www.blog.top$request_uri;
}

server {
        listen 443;

        #server_name www.blog.top;
        set $root /opt/webserver/wwww;
        root $root;

        ssl on;
        ssl_certificate /etc/letsencrypt/live/blog.top/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/blog.top/privkey.pem;

        location ~* /index.php/archives/(\d+)$ {
                return 301 https://$host/index.php/archives/$1.html;
        }
        location ~* /index.php/archives/(\d+)/$ {
                return 301 https://$host/index.php/archives/$1.html;
        }

        # 下面直接照写
        location / {
                try_files $uri $uri/ /$is_args$args;
        }

        location ~ \.php$ {

                root $root;
                fastcgi_pass 127.0.0.1:9000;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;

        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html{
        }


        location  ~ .*\.(jpg|ipa|jpeg|gif|png|ico|css|js|pdf|txt)
        {
                root $root;
                proxy_temp_path $root;
        }
}