2023-11-02

Requesting a wildcard certificate with Certbot on CentOS 7 (Cloudflare DNS)


1. Install Certbot
> yum install certbot
2. Install the certbot-dns-cloudflare plugin
> yum install -y certbot-dns-cloudflare
3. Create the Cloudflare API key file

To obtain an API key, see https://developers.cloudflare.com/fundamentals/api/get-started/keys/

> vi /root/.secrets/certbot/cloudflare.ini
# Write the following: the Cloudflare account e-mail and API key
dns_cloudflare_email = youremail@xxx.com
dns_cloudflare_api_key = 017cesd4aasdf85cbsdd2912faa83sd9ccf
4. Request the certificate

Request one certificate covering the wildcard subdomains and the apex domain. The plugin creates the Cloudflare TXT record automatically and waits 60 seconds for it to propagate. Some prompts ask Yes (Y) / No (N); answer Y.

> certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d *.kuai.blog -d kuai.blog --dns-cloudflare-propagation-seconds 60
5. Renew the certificate automatically

Run the renewal at 01:30 on the 1st of every month. The command after --renew-hook is executed after a successful renewal; here it reloads Nginx so the new certificate is picked up.

> crontab -e
# Write the following (minute hour day-of-month month day-of-week)
30 1 1 * * certbot renew --renew-hook "/usr/sbin/nginx -s reload"
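As an added example (not part of the original post), a small bash helper that creates the credentials file from step 3 with owner-only permissions, checks those permissions before use, and assembles the certbot command from step 4. The e-mail, API key and temporary path are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added helper (not from the original post). E-mail, key and the demo path
# are constructed placeholders; kuai.blog is the domain used in the post.
set -eu

# Write the credentials file so only its owner can read it. certbot warns when
# this file is world-readable; the Global API key it holds grants full control
# over the Cloudflare account, so the permissions matter.
write_cf_credentials() {
    local ini="$1" email="$2" api_key="$3"
    mkdir -p "$(dirname "$ini")"
    chmod 700 "$(dirname "$ini")"
    ( umask 077
      printf 'dns_cloudflare_email = %s\ndns_cloudflare_api_key = %s\n' \
          "$email" "$api_key" > "$ini" )
    chmod 600 "$ini"
}

# Return 0 when the file has no group/other permission bits (600 or 400).
credentials_are_private() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Print the certbot command for a wildcard plus apex certificate of DOMAIN,
# matching step 4 above (propagation wait defaults to 60 seconds).
build_certbot_cmd() {
    local domain="$1" ini="$2" wait="${3:-60}"
    printf 'certbot certonly --dns-cloudflare --dns-cloudflare-credentials %s -d *.%s -d %s --dns-cloudflare-propagation-seconds %s\n' \
        "$ini" "$domain" "$domain" "$wait"
}

# Demonstration with constructed values in a temporary directory.
demo() {
    local tmp ini
    tmp=$(mktemp -d)
    ini="$tmp/certbot/cloudflare.ini"
    write_cf_credentials "$ini" "youremail@example.com" "PLACEHOLDER_API_KEY"
    if credentials_are_private "$ini"; then
        echo "credentials file permissions OK ($ini)"
    else
        echo "credentials file is readable by others; run: chmod 600 $ini" >&2
        return 1
    fi
    build_certbot_cmd "kuai.blog" "$ini" 60
    rm -rf "$tmp"
}

demo
```

The plugin also accepts a scoped API token (`dns_cloudflare_api_token = ...`) in place of the Global API key, which limits what a leaked credentials file can be used for.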
6. Nginx SSL certificate and gzip configuration
> vi /etc/nginx/nginx.conf
server {
        listen       443 ssl http2;
        listen       [::]:443 ssl http2;
        server_name  kuai.blog;
        ssl_certificate "/etc/letsencrypt/live/kuai.blog/fullchain.pem";
        ssl_certificate_key "/etc/letsencrypt/live/kuai.blog/privkey.pem";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        gzip on;
        gzip_buffers 32 4K;
        gzip_comp_level 6;
        gzip_min_length 100;
        gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
        gzip_disable "MSIE [1-6]\."; # Condition under which gzip is disabled (regex supported); here IE6 and below, since old IE versions do not support gzip
        gzip_vary on;
        client_max_body_size 100m;
        root   /home/kuai.blog;
        index  index.html index.htm index.php;

}