1. Check whether Certbot is already installed
which certbot
2. Install Certbot
2.1 Enable the EPEL repository (if it is not already enabled):
sudo yum install epel-release
2.2 Install Certbot and the Nginx plugin:
sudo yum install certbot python3-certbot-nginx
2.3 Verify that the installation succeeded:
certbot --version
2.4 Use the Certbot automation script (if not using a package manager; note that the command below actually installs acme.sh, a separate ACME client, not Certbot itself, so the certbot commands in the following sections do not apply to it):
sudo curl https://get.acme.sh | sh
3. Use the Certbot Nginx plugin
sudo certbot --nginx
4.1 Issue a certificate with certbot (port 80 must be free when running the command below, because the standalone authenticator binds it to answer the http-01 challenge):
sudo certbot certonly --standalone -d colourful.run
Certificate paths
Certificate file: /etc/letsencrypt/live/colourful.run/fullchain.pem
Private key file: /etc/letsencrypt/live/colourful.run/privkey.pem
[root@VM-16-2-centos dream]# sudo certbot certonly --standalone -d colourful.run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for colourful.run
Performing the following challenges:
http-01 challenge for colourful.run
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: myfuturecloud@163.com).
Starting new HTTPS connection (1): supporters.eff.org
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/colourful.run/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/colourful.run/privkey.pem
   Your certificate will expire on 2025-03-10. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
[root@VM-16-2-centos dream]#
4.2 Edit the Nginx configuration to set up the SSL certificate manually, usually in /etc/nginx/nginx.conf, by adding the following:
server {
    listen 443 ssl;
    server_name colourful.run;
    ssl_certificate /etc/letsencrypt/live/colourful.run/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/colourful.run/privkey.pem;
}
4.3 Reload the Nginx configuration:
sudo systemctl reload nginx
or
sudo systemctl start nginx
4.4 Verify that HTTPS works:
You can open https://colourful.run in a browser to check that SSL is configured correctly.
4.5 Automatic certificate renewal:
Certbot sets up the renewal job for you, usually through cron or a systemd timer, so certificates are renewed automatically before they expire. The command below rehearses a renewal against the Let's Encrypt staging environment without issuing a real certificate. With the standalone authenticator used in 4.1, port 80 must also be free at renewal time, so either stop and start nginx around the renewal with --pre-hook and --post-hook, or renew with the nginx plugin from section 3 instead:
sudo certbot renew --dry-run
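As an added example (not part of the original notes), the two checks that sections 4.4 and 4.5 ask for can be scripted offline with the openssl CLI: does the certificate on disk cover the host name nginx serves, and is it close enough to expiry that the renewal job should already have run? The function names and the self-signed demo certificate are constructed for this example; in real use, point the functions at /etc/letsencrypt/live/<domain>/fullchain.pem from cron or a monitoring job.

```shell
#!/bin/sh
# Added example: certificate sanity checks with only the openssl CLI.
# Function names (make_demo_cert, cert_expires_within, cert_covers_host)
# are constructed for this example, not Certbot or nginx tooling.

# Constructed demo certificate so the checks can run without a real
# Let's Encrypt certificate: make_demo_cert <out.pem> <days-valid> <common-name>
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=$3" \
      -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

# Returns 0 (true) when the certificate is already expired or will expire
# within <days>. Certbot renews at 30 days left, so a true result for 30
# means the renewal job has not been running.
# cert_expires_within <cert.pem> <days>
cert_expires_within() {
  if openssl x509 -noout -in "$1" -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
    return 1   # still valid beyond the window
  fi
  return 0
}

# Returns 0 when <hostname> is covered by the certificate's SAN or CN, the
# same check a browser performs. A certificate issued only for colourful.run
# does not cover www.colourful.run, which matters for the server_name used
# in the nginx config.
# cert_covers_host <cert.pem> <hostname>
cert_covers_host() {
  openssl x509 -noout -in "$1" -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Stand-alone run: exercise both checks on a 10-day demo certificate.
demo() {
  dir=$(mktemp -d)
  make_demo_cert "$dir/short.pem" 10 colourful.run
  if cert_expires_within "$dir/short.pem" 30; then
    echo "short.pem: expires within 30 days, renewal is overdue"
  fi
  if ! cert_covers_host "$dir/short.pem" www.colourful.run; then
    echo "short.pem: does not cover www.colourful.run, reissue with -d www.colourful.run"
  fi
  rm -rf "$dir"
}
demo
```

`openssl x509 -checkend` does the date arithmetic itself, so the script does not depend on the platform's `date` flags, and `-checkhost` applies the same matching rules (SAN first, CN as fallback) that clients use, which is why it is preferable to grepping the subject line.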
Important certificate operations
To view the details of the issued certificates, run:
sudo certbot certificates
To revoke a certificate, use:
sudo certbot revoke --cert-path /etc/letsencrypt/live/colourful.run/fullchain.pem
-------Configuring an HTTPS certificate in nginx
--Before configuring, make sure nginx was built with SSL support
----When building nginx from source on Linux, --with-http_ssl_module must be enabled:
./configure --prefix=/dream/rte/nginx --with-http_ssl_module
Example nginx.conf on Linux:
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile      on;
    keepalive_timeout 65;

    upstream mtis-server {
        server localhost:9999;
    }

    # Redirect HTTP to HTTPS
    server {
        listen 80;
        server_name www.colourful.run;
        rewrite ^(.*)$ https://$host$1;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }

    # HTTPS configuration
    server {
        listen 443 ssl;
        server_name www.colourful.run;
        # The certificate must cover every name in server_name: the certonly
        # command above requested only colourful.run, so add -d www.colourful.run
        # when issuing if the site is served under www.
        ssl_certificate     /etc/letsencrypt/live/colourful.run/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/colourful.run/privkey.pem;
        ssl_session_cache   shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        # TLSv1.1 is deprecated (RFC 8996); keep it only if legacy clients require it
        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;

        location / {
            root  html;
            index index.html index.htm;
        }

        location ^~ /yunmeng/ {
            proxy_pass http://mtis-server;
            proxy_set_header Host            $http_host;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 5s;
            proxy_read_timeout    60s;
        }

        # Error page configuration placed inside the HTTPS server block
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
Example nginx.conf on Windows:
#user nobody;
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    #gzip on;

    # WebSocket support
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    upstream xxx-server {
        server localhost:15686;
    }

    server {
        listen 80;
        server_name www.wmkjyf.com;
        rewrite ^(.*)$ https://$host$1;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }

    # HTTPS server
    server {
        listen 443 ssl;
        # Domain name the certificate is bound to
        server_name www.wmkjyf.com;
        # Absolute path to the certificate file
        ssl_certificate C:/xxxxxx/ssl/fullchain.crt;
        # Absolute path to the certificate's private key file
        ssl_certificate_key C:/xxxxxx/ssl/private.pem;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        # Custom TLS protocol versions and cipher suites (sample settings; decide for yourself whether you need them).
        # Higher TLS versions make HTTPS more secure, but are less compatible with older browsers than lower versions.
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
        # Prefer the server's cipher suites; enabled by default
        ssl_prefer_server_ciphers on;

        location ^~ /wm-iot/ {
            proxy_pass http://xxx-server;
            proxy_set_header Host $http_host;
            #proxy_read_timeout 3600s;  # closed after 60s without data by default; extend it here
            proxy_set_header Upgrade    $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }

        location ^~ /wm-mtis/ {
            proxy_pass http://xxx-server;
            proxy_set_header Host $http_host;
        }

        location ~* .*\.(gif|ico|png|jpg|eot|svg|ttf|woff|txt|pdf)$ {
            root C:/xxxxxx/projects/static;
            expires 30d;
        }

        location ~* .*\.(js|css)$ {
            root C:/xxxxxx/projects/static;
            expires 1h;
        }

        location / {
            root  C:/xxxxxx/projects/static/page;
            index index.html index.htm;
        }

        location /page/ {
            rewrite "^/page/(.*)$" $scheme://$http_host/$1 permanent;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
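Both nginx.conf examples above enable TLSv1.1 alongside TLSv1.2 and TLSv1.3, and the Windows comment leaves the version choice to the reader. As an added example (not from the original notes, and not nginx or Certbot tooling), the following shell helper audits the ssl_protocols directive of a server block and emits a hardened copy limited to TLSv1.2 and TLSv1.3. The sample server block is constructed from the settings used above, and the function names are invented for this example.

```shell
#!/bin/sh
# Added example: detect and fix deprecated TLS versions in an nginx server block.
# Function names (has_deprecated_tls, harden_tls) are constructed for this example.

# Constructed sample: the TLS-related lines of the HTTPS server block above.
SAMPLE_CONF='server {
    listen 443 ssl;
    server_name www.colourful.run;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
}'

# Returns 0 (true) if any ssl_protocols directive in the config text enables
# TLSv1 or TLSv1.1, both deprecated by RFC 8996. The trailing class keeps
# "TLSv1.2" and "TLSv1.3" from matching the "TLSv1" prefix.
# has_deprecated_tls <config-text>
has_deprecated_tls() {
  printf '%s\n' "$1" \
    | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' \
    | grep -Eq '(^|[[:space:]])TLSv1(\.1)?([[:space:]]|;)'
}

# Prints the config text with every ssl_protocols directive replaced by one
# that allows only TLSv1.2 and TLSv1.3; indentation is preserved.
# harden_tls <config-text>
harden_tls() {
  printf '%s\n' "$1" \
    | sed -E 's/^([[:space:]]*ssl_protocols)[^;]*;/\1 TLSv1.2 TLSv1.3;/'
}

# Stand-alone run: report the finding and show the corrected directive.
if has_deprecated_tls "$SAMPLE_CONF"; then
  echo "deprecated TLS version enabled; hardened ssl_protocols line:"
  harden_tls "$SAMPLE_CONF" | grep ssl_protocols
fi
```

To audit a live configuration, pass the file contents (for example `has_deprecated_tls "$(cat /etc/nginx/nginx.conf)"`), and after replacing the directive run `nginx -t` before reloading so a syntax slip cannot take the site down.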