Address for checking whether the certificate has taken effect: https://www.myssl.cn/tools/check-server-cert.html
Reference document: http://note.youdao.com/noteshare?id=90ad276a4abd028034830fe5e031614d
Requesting a free Let's Encrypt HTTPS certificate with acme.sh
1. Install acme.sh
curl https://get.acme.sh | sh
source ~/.bashrc
2. Configure nginx
server {
    listen 80;
    server_name www.xmmost.com; # domain name
    location /.well-known/acme-challenge {
        # a directory of your choosing; Let's Encrypt fetches the challenge file from here to verify control of the server
        root /var/www/letsencrypt;
    }
}
3. Request the certificate
-d is followed by the domain name, --webroot by the directory created above (it must exist and be writable by the user running acme.sh)
acme.sh --issue -d www.xmmost.com --webroot /var/www/letsencrypt
Output on success:
root@VM-0-7-ubuntu:~# acme.sh --issue -d www.xmmost.com --webroot /var/www/letsencrypt
[Mon Aug 20 22:15:01 CST 2018] Single domain='www.xmmost.com'
[Mon Aug 20 22:15:01 CST 2018] Getting domain auth token for each domain
[Mon Aug 20 22:15:01 CST 2018] Getting webroot for domain='www.xmmost.com'
[Mon Aug 20 22:15:01 CST 2018] Getting new-authz for domain='www.xmmost.com'
[Mon Aug 20 22:15:07 CST 2018] The new-authz request is ok.
[Mon Aug 20 22:15:07 CST 2018] Verifying:www.xmmost.com
[Mon Aug 20 22:15:17 CST 2018] Success
[Mon Aug 20 22:15:17 CST 2018] Verify finished, start to sign.
[Mon Aug 20 22:15:22 CST 2018] Cert success.
-----BEGIN CERTIFICATE-----
MIIGBzCCBO+gAwIBAgISA0nhXrbNjgmYeOiTGxqgQAEhMA0GCSqGSIb3DQEBCwUA
...
aw3J6g8vnhGR7aM=
-----END CERTIFICATE-----
[Mon Aug 20 22:15:22 CST 2018] Your cert is in /root/.acme.sh/www.xmmost.com/www.xmmost.com.cer
[Mon Aug 20 22:15:22 CST 2018] Your cert key is in /root/.acme.sh/www.xmmost.com/www.xmmost.com.key
[Mon Aug 20 22:15:26 CST 2018] The intermediate CA cert is in /root/.acme.sh/www.xmmost.com/ca.cer
[Mon Aug 20 22:15:26 CST 2018] And the full chain certs is there: /root/.acme.sh/www.xmmost.com/fullchain.cer
4. Install the certificate
The command above writes the certificate into the /root/.acme.sh/www.xmmost.com directory.
The official documentation advises against referencing the files in the .acme.sh directory directly, so create a directory and install the certificate there:
mkdir -p /usr/local/nginx/ssl
Run the following command to copy the certificate into that location.
Be sure to run it, and with --fullchainpath as shown, so that the intermediate CA certificate (ca.cer above) is included; otherwise Android phones will have problems validating the certificate.
acme.sh --installcert -d www.xmmost.com --keypath /usr/local/nginx/ssl/www.xmmost.com.key --fullchainpath /usr/local/nginx/ssl/www.xmmost.com.cer
5. Configure nginx again
server {
    listen 443 ssl;
    server_name www.xmmost.com;
    include proxy.conf;
    # "ssl on;" is not needed: "listen 443 ssl" already enables TLS (the directive is deprecated since nginx 1.15)
    ssl_certificate ssl/www.xmmost.com.cer; # full-chain certificate, path relative to the nginx prefix (/usr/local/nginx)
    ssl_certificate_key ssl/www.xmmost.com.key; # private key
    location / {
        proxy_pass http://127.0.0.1:10060;
    }
}
server {
    listen 80;
    server_name www.xmmost.com;
    # keep the challenge path reachable over plain HTTP so renewals keep working
    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
    }
    # a server-level "return" runs before location matching and would redirect the
    # challenge requests as well, so the redirect is scoped to its own location
    location / {
        return 301 https://$server_name$request_uri;
    }
}
Finally, the changes only take effect after a forced restart.
Check that the nginx configuration is valid:
nginx -t
Reload nginx; use this when only the conf was changed:
nginx -s reload
Force-restart nginx; this must be run after changing the certificate:
service nginx force-reload