I. Requirements
1. git
2. OpenSSL, version greater than 1.0.2
3. nginx, latest stable version 1.12.2
4. certbot
II. Preparing the environment
First upgrade OpenSSL to a version > 1.0.2 and nginx to version 1.12.2 or newer.
2.1 Install certbot
cd /
mkdir soft
cd soft
mkdir staticHtml   # this directory is used later
git clone https://github.com/certbot/certbot
2.2 Configure the certbot challenge directory in nginx
Switch to nginx's conf.d directory, open the configuration file of the domain that needs HTTPS, and add the following to its server block:
location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /soft/staticHtml;
}
Restart nginx so that the new mapping takes effect:
service nginx restart
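Before asking Let's Encrypt for a certificate, it is worth checking that nginx really serves files from the acme-challenge location, because a wrong root path is the usual reason the webroot request fails. The script below is an added example, not part of the original post: it writes a probe token under the webroot the same way certbot does, fetches it over plain HTTP on port 80 (the port the ACME validator uses), and compares the two. WEBROOT defaults to /soft/staticHtml from the location block above; DOMAIN is a placeholder you replace with the domain being validated.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the
# /.well-known/acme-challenge/ location is served from the webroot before
# running certbot. WEBROOT must equal the "root" of the location block;
# DOMAIN is a placeholder that must resolve to this nginx instance.
WEBROOT="${WEBROOT:-/soft/staticHtml}"
DOMAIN="${DOMAIN:-your.domain.com}"

# Print the on-disk path where a challenge token named $2 lives under webroot $1.
challenge_path() {
    printf '%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Create a probe token file under the webroot, mirroring what certbot writes.
place_token() {
    webroot=$1; token=$2; content=$3
    path=$(challenge_path "$webroot" "$token")
    mkdir -p "$(dirname "$path")" || return 1
    printf '%s' "$content" > "$path"
}

# Fetch the token over HTTP and compare it with what was written.
# Returns 0 only when nginx serves the exact content back.
probe_challenge() {
    domain=$1; token=$2; expected=$3
    got=$(curl -fsS "http://$domain/.well-known/acme-challenge/$token") || return 1
    [ "$got" = "$expected" ]
}

# Remove the probe so it does not linger in the webroot.
remove_token() {
    rm -f "$(challenge_path "$1" "$2")"
}

main() {
    token="probe-$$"
    content="ok-$$"
    place_token "$WEBROOT" "$token" "$content" || return 1
    if probe_challenge "$DOMAIN" "$token" "$content"; then
        echo "challenge path is served correctly; webroot mode will work"
        rc=0
    else
        echo "challenge path NOT served; check the location block and its root path" >&2
        rc=1
    fi
    remove_token "$WEBROOT" "$token"
    return $rc
}

# Run the probe only when invoked as "sh acme_probe.sh run".
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `DOMAIN=your.domain.com sh acme_probe.sh run` from the server; a non-zero exit means the location block or its root path needs fixing before certbot is invoked.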
III. Requesting a certificate (free)
Run one of the following. The first uses webroot mode: certbot writes the challenge file under the directory given with -w, so that directory must be the same one the acme-challenge location above uses as its root (/soft/staticHtml). The second uses standalone mode: certbot starts its own temporary web server on port 80, so nginx must not be listening on that port while it runs.
./certbot-auto certonly --webroot -w /soft/staticHtml/ -d buyer-api-ht-test.chinakeguan.cn --email wuhoujian@126.com
./certbot-auto certonly --standalone --email wuhoujian@126.com -d api-test.keguanzhongxin.com
After a short while, a successful run prints the following:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/a.domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/a.domain.com/privkey.pem
Your cert will expire on 2018-07-02. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Note: if the request fails, try stopping the nginx service and retrying. Also, the Let's Encrypt certificate we use is free but valid for only 90 days, so it must be renewed before it expires by running:
certbot-auto renew
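Because the certificate only lasts 90 days, renewal should not depend on someone remembering to run the command. The script below is an added example, not part of the original post: it checks how close the certificate is to expiry with `openssl x509 -checkend`, and when it is inside the renewal window it runs `certbot-auto renew` with a deploy hook that reloads nginx only if a certificate was actually replaced. It assumes certbot-auto lives in /soft/certbot as cloned above and that the live directory is named after the domain; both paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): renew the Let's Encrypt
# certificate when it is close to expiry and reload nginx afterwards.
# Assumptions: certbot-auto path and live directory are placeholders.
CERTBOT="${CERTBOT:-/soft/certbot/certbot-auto}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/your.domain.com}"
RENEW_BEFORE_DAYS="${RENEW_BEFORE_DAYS:-30}"

# Return 0 if the certificate in $1 expires within $2 days (or cannot be read),
# 1 otherwise. "openssl x509 -checkend N" exits 0 only while the certificate
# stays valid for at least N more seconds.
needs_renewal() {
    pem=$1; days=$2
    [ -r "$pem" ] || return 0
    seconds=$((days * 86400))
    if openssl x509 -noout -checkend "$seconds" -in "$pem" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print the notAfter date of the certificate in $1, for logging.
cert_expiry() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Renew non-interactively. The deploy hook runs only when a certificate was
# actually renewed, so nginx is reloaded exactly when new files are in place.
renew_and_reload() {
    "$CERTBOT" renew --non-interactive --deploy-hook "service nginx reload"
}

main() {
    pem="$LIVE_DIR/fullchain.pem"
    if needs_renewal "$pem" "$RENEW_BEFORE_DAYS"; then
        echo "certificate expires $(cert_expiry "$pem" 2>/dev/null || echo unknown); renewing"
        renew_and_reload
    else
        echo "certificate valid until $(cert_expiry "$pem"); nothing to do"
    fi
}

# Run only when invoked as "sh renew.sh run".
if [ "${1:-}" = "run" ]; then main; fi
```

Schedule it from cron, for example once a day, with `sh /soft/renew.sh run`. `certbot-auto renew` already skips certificates that are not yet due, so the `needs_renewal` check is mainly useful as a standalone expiry monitor: run it alone from a health check and alert when it returns 0, so an expired certificate is noticed before clients start failing.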
IV. Configuring nginx SSL
Make a copy of the existing HTTP nginx configuration file, then modify it and add the following settings:
server {
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/your.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/your.domain.com/chain.pem;
}
Restart the nginx server.
Open https://your.domain.com in a browser to check that HTTPS and HTTP/2 are working.
The complete nginx configuration is as follows:
server {
    listen 443 ssl http2;
    server_name your.domain.com;
    ssl_certificate /etc/letsencrypt/live/your.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/your.domain.com/chain.pem;
    #charset koi8-r;
    access_log /ht/logs/buyer-access.log main;
    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_buffers 32 4k;
        proxy_connect_timeout 3;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
        proxy_pass http://your.backend.address;   # address of the backend service
    }
    #error_page 404 /404.html;
    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /soft/staticHtml;
    }
}
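A browser check confirms the page loads, but it does not tell you whether the full chain (chain.pem) is being sent or whether HTTP/2 was actually negotiated. The script below is an added example, not part of the original post: it performs a TLS handshake with `openssl s_client` using SNI and an ALPN offer of h2, then reduces the output to the verify result, the negotiated ALPN protocol and the certificate subject. DOMAIN is a placeholder for the server_name above; the parser `summarize_handshake` can also be run on saved s_client output.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the HTTPS server
# block is live, that the certificate chain verifies, and that HTTP/2 (h2)
# was negotiated via ALPN. DOMAIN is a placeholder for the server_name.
DOMAIN="${DOMAIN:-your.domain.com}"

# Handshake with SNI and an ALPN offer; stdin is closed so s_client returns
# right after the handshake instead of waiting for input.
tls_handshake() {
    openssl s_client -connect "$1:443" -servername "$1" -alpn h2,http/1.1 </dev/null 2>/dev/null
}

# Reduce s_client output (read from stdin) to three key=value lines:
#   verify=<return code>  alpn=<protocol>  subject=<certificate subject>
summarize_handshake() {
    awk '
        /^ALPN protocol:/        { sub(/^ALPN protocol: */, ""); alpn=$0 }
        /^No ALPN negotiated/    { alpn="none" }
        /^ *Verify return code:/ { sub(/^ *Verify return code: */, ""); verify=$0 }
        /^subject=/              { sub(/^subject=/, ""); subject=$0 }
        END { printf "verify=%s\nalpn=%s\nsubject=%s\n", verify, alpn, subject }'
}

# Return 0 only when the chain verified (code 0) and h2 was negotiated.
handshake_ok() {
    summary=$1
    echo "$summary" | grep -q '^verify=0 (ok)$' || return 1
    echo "$summary" | grep -q '^alpn=h2$'        || return 1
    return 0
}

main() {
    summary=$(tls_handshake "$DOMAIN" | summarize_handshake)
    echo "$summary"
    if handshake_ok "$summary"; then
        echo "OK: chain verifies and HTTP/2 is enabled for $DOMAIN"
    else
        echo "FAIL: check the ssl_certificate paths, chain.pem and 'http2' on the listen line" >&2
        return 1
    fi
}

# Run only when invoked as "sh tls_check.sh run".
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `DOMAIN=your.domain.com sh tls_check.sh run`. A verify code other than 0 with a Let's Encrypt certificate usually means fullchain.pem was replaced by cert.pem in the configuration; an ALPN result of none or http/1.1 means the `http2` flag is missing from the listen line or the client did not offer h2.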