Let’s encrypt 免费泛域名证书已经有很多资料。这里只记录我使用的方法。

CentOS 7 安装 certbot:

yum install cerbot

手动请求证书:

certbot certonly –manual -d yourname.com -d *.yourname.com –agree-tos –no-bootstrap –manual-public-ip-logging-ok –preferred-challenges dns –server https://acme-v02.api.letsencrypt.org/directory

certbot certonly –manual -d dagong.in -d *.dagong.in –agree-tos –no-bootstrap –manual-public-ip-logging-ok –preferred-challenges dns –server https://acme-v02.api.letsencrypt.org/directory

在域名控制面板配置好 DNS txt, 需要等几分钟,再继续确认脚本。生成好的证书一般储存在以下地址:

/etc/letsencrypt/live/yourname.com

将证书写入 Nginx 配置,如下 ssl_certificate 两行。网上还有提高安全性的做法,但一般这两行就足够。

1
2
3
4
5
6
7
8
9
10
server {
    listen 80;
    listen 443 default_server;
    server_name yourname.com;
    root /var/www/yourname.com;
    index index.html;
        
    ssl_certificate /etc/letsencrypt/live/yourname.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourname.com/privkey.pem;
}

测试和重启 Nginx:

nginx -t
nginx -s reload

访问尝试。