Let's Encrypt certificate request
Requesting a Let's Encrypt certificate
sudo apt install certbot
sudo certbot certonly --webroot -w WEBROOT_DIR -d YOUR_DOMAIN
Generating ssl_dhparam
sudo openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem 2048
Example NGINX configuration
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # 301 redirect: send HTTP traffic to HTTPS
    return 301 https://$host$request_uri;
}
server {
    # Fill in the certificate and key files generated above here
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot; copy the options-ssl-nginx.conf file into this directory
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
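Configuring automatic renewal
Set up a cron scheduled task; the official recommendation is to run certbot renew twice a day. The scheduled task below runs at 00:00 and 12:00 every day.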
crontab -e
0 0,12 * * * /usr/bin/certbot renew --quiet
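An added example (not part of the original page): because the cron job above runs with --quiet, a renewal that keeps failing goes unnoticed until the certificate expires, so this check reports a certificate that is closer to expiry than expected. The function name cert_status, the 20-day default threshold and the YOUR_DOMAIN path are assumptions.

```shell
#!/bin/sh
# Added example: report whether a certificate is being renewed on schedule.
# cert_status and the 20-day default threshold are assumptions, not certbot features.

# Usage: cert_status CERT_PEM [WARN_DAYS]
# Prints one word and returns: ok=0, renew-overdue=1, expired=2, missing/unreadable=3
cert_status() {
    cert=$1
    warn_days=${2:-20}

    if [ ! -r "$cert" ]; then
        echo missing
        return 3
    fi
    # Parse first, so a corrupt file is not mistaken for an expired certificate.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable
        return 3
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
        return 2
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo renew-overdue
        return 1
    fi
    echo ok
    return 0
}

# Run directly, e.g.: sh cert_status.sh /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem 20
if [ "$#" -gt 0 ]; then
    cert_status "$@"
fi
```

Run it from root's crontab next to the renewal job; a non-zero exit status can drive whatever alerting is already in place.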