Installing certbot on CentOS 7 to obtain and auto-renew free HTTPS certificates

I had been using certbot-auto to obtain HTTPS certificates, but tonight, while setting up a new server, it printed "Your system is not supported by certbot-auto anymore."
Looking into it, the certbot-auto team no longer has the capacity to maintain it for every operating system, so many systems, CentOS 7 included, are no longer supported. Here is the snap-based procedure that replaces it.

1. Install snapd

Run the following commands in order:

sudo yum install -y epel-release
sudo yum install -y yum-plugin-copr
sudo yum -y copr enable ngompa/snapcore-el7

sudo yum install -y snapd
sudo systemctl enable --now snapd.socket
sudo ln -s /var/lib/snapd/snap /snap

When that finishes, log out and log back in so that the snap binaries are on your PATH. Then switch SELinux to permissive mode. Note that setenforce 0 only lasts until the next reboot and relaxes enforcement for the whole host, not just for snapd, so treat it as a deliberate trade-off rather than a default:

sudo setenforce 0

Then install and refresh the core snap:

snap install core
snap refresh core

2. Install certbot

Run the following commands in order. The first two remove any distro-packaged certbot and the old certbot-auto installation so that neither can shadow the snap:

yum -y remove certbot
rm -rf /opt/eff.org/certbot

snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot

3. Obtain the certificate

certbot proves that you control the domain with the HTTP-01 challenge, which means the CA must be able to reach port 80 on this server. So first add a location to nginx and restart it:

location ~ ^/.well-known/acme-challenge/(.*)$ {
    default_type text/html;
    return 200 $1;
}

Run the following (substitute your own email address and domains):

mkdir -p /mydata/webroot/
certbot certonly --email xxx@xxx.com -d xxx.com -d www.xxx.com -w /mydata/webroot/

certbot then asks which authenticator to use (-w on its own only sets the webroot path; adding --webroot selects the plugin and skips this prompt):

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The options and their numbers may differ on your machine; choose "Place files in webroot directory (webroot)".

At this point it fails with:

Detail: The key authorization file from the server did not match
this challenge
"6awrCzvoy.LSUW93J599887-163523"
!= "6awrCzvoy"

What happened: the CA's validation server sent a request to our port 80, http://xxx.com/.well-known/acme-challenge/<token>, and expected the key authorization <token>.<thumbprint> in the response, i.e. the string "6awrCzvoy.LSUW93J599887-163523" above. Our nginx location only echoed the token back. The part after the dot is the thumbprint of the ACME account key that certbot generated on this host (RFC 8555, section 8.1), so it is the same for every challenge issued to that account but different on every server. The webroot plugin's own mechanism is to write a file named <token> containing exactly this string under the -w directory, which nginx would then serve as-is; the workaround used here instead hard-codes the thumbprint into the nginx response. That works for as long as the same ACME account is used, but it means the -w directory is never actually consulted. Copy the suffix from your own error message (LSUW93J599887-163523 in this case; yours will differ) and change the nginx configuration to:

location ~ ^/.well-known/acme-challenge/(.*)$ {
    default_type text/html;
    return 200 $1.LSUW93J599887-163523;
}
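As an added example (written for this edit, not part of the original post), the following shell snippet takes the documented route instead of hard-coding the thumbprint: it writes an nginx location that serves /.well-known/acme-challenge/ directly from the -w directory, and then checks, before certbot is run at all, that the public URL returns exactly what was written into the webroot. It assumes the same /mydata/webroot path and the xxx.com placeholders used above; the config file path is an assumption, and the FETCH_CMD variable exists only so the check can be exercised against a local path.

```shell
#!/bin/sh
# Added example, not from the original post. Paths, domain and the config
# file location are placeholders; FETCH_CMD defaults to curl.
set -eu

# Write an nginx location that serves the challenge files certbot's webroot
# plugin drops under "$webroot/.well-known/acme-challenge/". Unlike a
# hard-coded "return", this answers with exactly what certbot wrote:
# "<token>.<account-key-thumbprint>", whatever the account key is.
write_acme_location() {
    webroot=$1; out=$2
    cat > "$out" <<EOF
# Include inside the port-80 server block. Put the https redirect in a
# location rather than a server-level rewrite: server-level rewrites run
# before location matching and would redirect the challenge as well.
location ^~ /.well-known/acme-challenge/ {
    root $webroot;
    default_type text/plain;
}
location / {
    return 301 https://\$host\$request_uri;
}
EOF
}

# Preflight: drop a throwaway token into the webroot, fetch it through the
# public URL the way the CA will, and compare. Returns 0 only when the
# response body is byte-for-byte what was written.
acme_preflight() {
    webroot=$1; base=$2
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    token="preflight-$$-$(date +%s)"
    printf '%s' "$token" > "$dir/$token"
    got=$(${FETCH_CMD:-curl -sf} "$base/.well-known/acme-challenge/$token" || true)
    rm -f "$dir/$token"
    if [ "$got" = "$token" ]; then
        echo "ok: $base serves the webroot challenge directory"
        return 0
    fi
    echo "FAIL: expected '$token', got '$got'" >&2
    return 1
}

# Usage on the server (as root, after adjusting the paths):
#   write_acme_location /mydata/webroot /etc/nginx/conf.d/acme-challenge.conf
#   nginx -t && nginx -s reload
#   acme_preflight /mydata/webroot http://xxx.com \
#     && certbot certonly --webroot -w /mydata/webroot -d xxx.com -d www.xxx.com
```

Run the preflight against each hostname you pass with -d, since the CA validates every name separately; a hostname whose DNS still points at an old server fails here instead of failing mid-issuance.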

Restart nginx and run certbot again:

certbot certonly --email xxx@xxx.com -d xxx.com -d www.xxx.com -w /mydata/webroot/

Choose 3 (webroot) again.

After a moment the certificate is issued and certbot prints:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/xxx.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/xxx.com/privkey.pem
Your certificate will expire on 2021-07-07. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"

Note the certificate location from the message, /etc/letsencrypt/live/xxx.com/. The files there are symlinks to the current versions under /etc/letsencrypt/archive/, so point nginx at the live/ paths and they keep working across renewals. privkey.pem is the private key: keep it readable by root only and never copy it into a directory the web server serves.

4. Configure the certificate in nginx

Configure nginx as follows and restart it; the site is then reachable over HTTPS:

# Force plain-HTTP requests over to HTTPS.
server {
    listen 80;
    # Use your real hostnames here (the original config had "localhost").
    server_name xxx.com www.xxx.com;
    rewrite ^(.*)$ https://$host$1 permanent;
}

server {
    # Enable HTTP/2 for better performance.
    listen 443 ssl http2;
    server_name xxx.com www.xxx.com;
    # The certificate files certbot created in step 3.
    ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;
    # ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # On older nginx builds the default ssl_protocols still allows TLSv1 and
    # TLSv1.1; restrict it to TLSv1.2 and TLSv1.3 unless you must serve legacy clients.

    # Compression over TLS: responses that mix attacker-controlled input with
    # secrets (session or CSRF tokens) are exposed to BREACH-style attacks, so
    # limit gzip to static content if your application returns such pages.
    gzip on;
    gzip_comp_level 3;
    gzip_types text/plain application/json application/x-javascript application/css application/xml application/xml+rss text/javascript application/x-httpd-php image/jpg image/jpeg image/gif image/x-ms-bmp;

    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    default_type 'text/html';
    charset utf-8;

    location / {
        proxy_pass http://127.0.0.1:8081;
        index index.html index.htm;
    }

    # Keep this location: certbot renew repeats the HTTP-01 challenge. The suffix
    # is this host's ACME account-key thumbprint from step 3. Because of the
    # server-level rewrite above, the CA's port-80 request is redirected to
    # HTTPS, and Let's Encrypt follows that redirect.
    location ~ ^/.well-known/acme-challenge/(.*)$ {
        default_type text/html;
        return 200 $1.LSUW93J599887-163523;
    }
}

5. Automatic renewal

When the certificate was issued, certbot told us "Your certificate will expire on 2021-07-07.": Let's Encrypt certificates are short-lived (90 days), so we set up a scheduled job to renew them. certbot renew only renews a certificate once it is within 30 days of expiry, so the job has to run more often than that: a monthly run can land just before the renewal window opens and then not run again until the certificate is almost expired. Run it daily. (The certbot snap also installs a systemd timer that runs certbot renew on its own; systemctl list-timers shows it. The cron job below is still useful because it reloads nginx.)
Make sure crond is running:

systemctl enable crond
systemctl start crond

Edit the crontab with:

crontab -e

Add this line:

0 2 * * * /usr/bin/certbot renew ; /usr/local/nginx/sbin/nginx -s reload

The system now checks for renewal every day at 02:00 and reloads nginx afterwards. Reloading unconditionally is harmless but crude; scripts placed in /etc/letsencrypt/renewal-hooks/deploy/, or a --deploy-hook argument, run only after a certificate was actually renewed, which is the cleaner place for the reload.
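Here is an added renewal helper (written for this edit, not part of the original post) that mirrors certbot's 30-day rule so you can see how close each certificate is to renewal, and wraps certbot renew with a --deploy-hook so that nginx is reloaded only when something was actually renewed. It assumes the snap certbot symlinked at /usr/bin/certbot and nginx at /usr/local/nginx/sbin/nginx as in the crontab line above, GNU date, and openssl on the host; the script path /usr/local/bin/renew-certs.sh in the crontab comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU date, openssl,
# certbot at /usr/bin/certbot and nginx at /usr/local/nginx/sbin/nginx.
set -eu

NGINX=${NGINX:-/usr/local/nginx/sbin/nginx}
LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}

# Whole days between a certificate notAfter string, as openssl prints it
# (e.g. "Jul  7 00:00:00 2021 GMT"), and "now" in epoch seconds. The second
# argument defaults to the current time; passing a fixed value makes the
# arithmetic reproducible.
days_until() {
    not_after=$1; now=${2:-$(date +%s)}
    end=$(date -u -d "$not_after" +%s)
    echo $(( (end - now) / 86400 ))
}

# Days left on a PEM certificate file.
cert_days_left() {
    not_after=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
    days_until "$not_after" "${2:-$(date +%s)}"
}

# certbot renew acts only on certificates within 30 days of expiry; this
# mirrors that decision so a monitoring check can flag a job that stopped
# running long before the certificate actually expires.
needs_renewal() {
    [ "$(days_until "$1" "${2:-$(date +%s)}")" -lt 30 ]
}

# Run daily from cron. --deploy-hook runs only for certificates that were
# renewed in this invocation, so nginx is not reloaded on every run.
renew_and_reload() {
    /usr/bin/certbot renew --quiet --deploy-hook "$NGINX -s reload"
}

# Report every certificate certbot manages, by live/ directory name.
report_all() {
    for pem in "$LIVE_DIR"/*/fullchain.pem; do
        [ -f "$pem" ] || continue
        printf '%s: %s days left\n' \
            "$(basename "$(dirname "$pem")")" "$(cert_days_left "$pem")"
    done
}

# Suggested crontab entry, daily at 02:00, replacing a monthly one:
#   0 2 * * * /usr/local/bin/renew-certs.sh renew
case "${1:-}" in
    renew)  renew_and_reload ;;
    report) report_all ;;
esac
```

Checking days_until against the expiry date from the certbot output above with a fixed "now" of 1 June 2021 gives 36 days, which is outside the renewal window; the same date checked on 1 July 2021 gives 6 days, and needs_renewal then succeeds.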


This article is licensed under CC BY-SA 4.0; when republishing, please credit the original link: https://blog.wowtools.org/2021/04/08/2021-04-08-certbot-ssl/
