1. Download the certbot client
cd /usr/local/bin && \
wget https://dl.eff.org/certbot-auto && \
chmod +x certbot-auto
2. Request a certificate
# You are first asked for an email address, then some dependencies are installed automatically
certbot-auto certonly -d "xxx.xxx.com" --manual --preferred-challenges \
dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Configure the corresponding TXT record name and value yourself in the Alibaba Cloud (Aliyun) DNS console.
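Before pressing Enter at certbot's prompt, it helps to confirm that the TXT record is actually visible on the zone's authoritative nameservers. The script below is an added example, not part of the original post; the function names are hypothetical, and the domain, record value and zone (for example xxx.com) are arguments you supply.

```bash
#!/usr/bin/env bash
# Added example: check that the dns-01 TXT record is really published
# before telling certbot to continue. Not part of the original page.

# TXT record name for a certificate name: "_acme-challenge." + the name,
# with a leading "*." (wildcard) and a trailing "." removed.
acme_txt_name() {
    local domain="${1%.}"
    case "$domain" in
        \*.*) domain="${domain#??}" ;;
    esac
    printf '_acme-challenge.%s\n' "$domain"
}

# Reads `dig +short TXT` output on stdin (one quoted string per line).
# Succeeds only if some record equals the expected value exactly.
txt_has_value() {
    local expected="$1" line found=1
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line#\"}"
        line="${line%\"}"
        if [ "$line" = "$expected" ]; then found=0; fi
    done
    return "$found"
}

# Asks every authoritative nameserver of the zone directly, so a cached
# answer from a recursive resolver cannot hide a missing record.
# Needs dig and network access. Usage: check_challenge DOMAIN VALUE ZONE
check_challenge() {
    local name ns count=0 rc=0
    name="$(acme_txt_name "$1")"
    for ns in $(dig +short NS "$3"); do
        count=$((count + 1))
        if dig +short TXT "$name" "@$ns" | txt_has_value "$2"; then
            echo "ok      $ns"
        else
            echo "MISSING $ns"
            rc=1
        fi
    done
    [ "$count" -gt 0 ] || { echo "no nameservers found for $3" >&2; rc=1; }
    return "$rc"
}
```

After sourcing the file, run check_challenge with the domain passed to -d, the value certbot printed, and the DNS zone; continue in certbot only when every nameserver reports ok.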

Output shown after a successful request
- The certificate is valid for 90 days; once it expires, renew it with the following command
certbot-auto renew
3. nginx configuration
# ln -s /etc/letsencrypt/live /etc/nginx/ssl
# vi /etc/nginx/conf.d/ssl.conf
server {
    server_name xxx.com;
    # the ssl parameter on listen enables TLS; the separate "ssl on;" directive is deprecated
    listen 443 http2 ssl;
    ssl_certificate /etc/nginx/ssl/dev.xxx.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/dev.xxx.com/privkey.pem;
    ssl_trusted_certificate /etc/nginx/ssl/dev.xxx.com/chain.pem;
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only TLS 1.2 and 1.3 are enabled
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://127.0.0.1:6666;
    }
}