letsencrypt免费https泛域名（*.yourdomain.com）证书申请

安装环境CentOS
*.example.com形式的域名即为泛域名，不通的子域名共用一个证书，省去多次申请的烦恼

1. 工具安装
安装最新的certbot
sudo yum install -y certbot
已安装cerbot，需升级至高版本
sudo yum update -y certbot

2. 证书申请
将*.yourdomain.com 替换成你的泛域名
运行命令：

[root@host src]# sudo  ./certbot-auto certonly  -d *.domain --email main@domain --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): xxx@163.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for archerwong.cn

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: (Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.archerwong.cn with the following value:

apQPzp-NYZ0md_D_2_fKr465Il3dDbdR_BlOSOJTYAo

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

出现以下内容后，请在阿里云云解析中添加一条TXT解析记录

Please deploy a DNS TXT record under the name
_acme-challenge.yourdomain.com with the following value: 

xxxxx  

Before continuing, verify the record is deployed.

配置nginx

server {

    listen 443 ssl;

    server_name www.domain.com domain.com;

    ssl on;

    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;

    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

    ssl_session_timeout 5m;

    ssl_protocols SSLv3 TLSv1;

    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;

    ssl_prefer_server_ciphers on;

    location / {

        proxy_pass http://127.0.0.1:8090;

        proxy_set_header Host $host;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    }

}