创建帐号

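# ACME account key (acme_tiny reads it via --account-key). Generate it under a
# restrictive umask: a plain `openssl genrsa 4096 > file` inherits the shell's
# default umask and typically leaves the private key world-readable.
(umask 077 && openssl genrsa -out account.key 4096)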

创建 CSR 文件

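# Domain private key — same umask hardening as the account key, since this file
# later becomes ssl_certificate_key in nginx.
(umask 077 && openssl genrsa -out domain.key 4096)

# CSR with an empty subject; the hostnames travel in a subjectAltName extension.
# The [SAN] section is appended to the system openssl.cnf via process
# substitution (bash-only syntax). Every name listed here must be reachable on
# port 80 of this host so the HTTP-01 challenge below can be answered for it.
san_names="DNS:cdeyun.com,DNS:www.cdeyun.com,DNS:git.cdeyun.com"
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN \
  -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=%s\n' "$san_names")) \
  -out domain.csr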

先要配置 Nginx

# Directory for ACME HTTP-01 challenge files: acme_tiny writes the tokens here
# (--acme-dir) and the port-80 server block below serves it under
# /.well-known/acme-challenge/.
mkdir -p -- /srv/ssl/challenges/
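# Port-80 server: serves the ACME HTTP-01 challenge files used during signing
# and redirects everything else to HTTPS.
server{
    listen 80;
    server_name cdeyun.com www.cdeyun.com git.cdeyun.com;
    location / {
        # $server_name is the configured name (the first one listed), not the
        # client-supplied Host header, so the redirect target cannot be steered
        # by the request. Consequence: www/git requests land on cdeyun.com —
        # NOTE(review): confirm that is intended for git.cdeyun.com.
        # The `rewrite ... https://$server_name$request permanent;` that used
        # to follow was unreachable after `return` (and $request is the whole
        # request line, not the URI), so it is dropped.
        return 301 https://$server_name$request_uri;
    }
    # ^~ gives this prefix priority over regex locations, so a validation
    # request is never swallowed by the redirect above.
    location ^~ /.well-known/acme-challenge/ {
        alias /srv/ssl/challenges/;
        try_files $uri =404;
    }
}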

# The following block may fail to load at this point because chained.pem and
# domain.key do not exist yet under /srv/ssl/. The issuance steps below create
# them relative to the current directory, so they must end up at the paths
# referenced here.
server{
    # chained.pem = leaf certificate followed by the intermediate (built below);
    # the key is the one the CSR was generated from.
    ssl_certificate     /srv/ssl/chained.pem;
    ssl_certificate_key /srv/ssl/domain.key;
    listen 443 ssl;
    # NOTE(review): the CSR and the port-80 block also cover git.cdeyun.com,
    # which is absent here — confirm it is served by another block.
    server_name cdeyun.com www.cdeyun.com;
    set $root_dir /srv/cdeyun.com/;
    access_log  /srv/logs/cdeyun.com.access.log  main;
    # Shared settings live in common.conf (not shown on this page).
    include common.conf;
}

获取网站证书

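# One-time issuance. Save as a script (or run in a subshell) so that a failed
# step aborts instead of chaining an empty file into the certificate bundle.
#
# acme_tiny is fetched from the master branch and then executed with access to
# the account key: pin a tagged release/commit and verify the download against a
# checksum obtained out of band before running it.
wget -O acme_tiny.py https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py || exit 1

# acme_tiny drops the HTTP-01 tokens into --acme-dir (served by the port-80
# block above) and prints the signed leaf certificate on stdout.
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /srv/ssl/challenges/ > ./signed.crt || exit 1
openssl x509 -noout -in ./signed.crt || exit 1   # must parse as a PEM certificate

# CA certificates. Abort on a failed download so a truncated file never ends
# up in a chain. The intermediate is hard-coded here and must be the CA that
# actually signed signed.crt — checked by `openssl verify` below.
wget -O intermediate.pem https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem || exit 1
wget -O root.pem https://letsencrypt.org/certs/isrgrootx1.pem || exit 1

cat signed.crt intermediate.pem > chained.pem       # what nginx serves (ssl_certificate)
cat intermediate.pem root.pem > full_chained.pem    # intermediate + root bundle (its use is not shown here)
openssl verify -CAfile full_chained.pem signed.crt || exit 1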

配置自动更新

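#!/bin/bash
# Monthly certificate renewal. Crontab entry as given:
# 0 0 1 * * /srv/ssl/renew_cert.sh >>/tmp/ssl.log 2>&1
# NOTE(review): /tmp is world-writable; a log under /srv/logs/ (used by the
# nginx access_log above) or /var/log is the safer location.
#
# Every step must succeed before nginx is reloaded; otherwise a failed issuance
# or download would replace signed.crt / intermediate.pem with an empty file
# and the already-deployed chain would break on the next reload.
set -euo pipefail

cd /srv/ssl/ || exit 1

# New leaf certificate (acme_tiny prints it to stdout). Written to a temporary
# name and only moved into place once it parses as a certificate.
python acme_tiny.py --account-key account.key --csr domain.csr --acme-dir /srv/ssl/challenges/ > signed.crt.new
openssl x509 -noout -in signed.crt.new
mv -f signed.crt.new signed.crt

# Intermediate CA: same download-then-validate-then-replace pattern.
wget -O intermediate.pem.new https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
openssl x509 -noout -in intermediate.pem.new
mv -f intermediate.pem.new intermediate.pem

# Leaf + intermediate is what nginx serves (ssl_certificate).
cat signed.crt intermediate.pem > chained.pem

service nginx reload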

参考:https://imququ.com/post/letsencrypt-certificate.html