2024-01-01

Requesting a wildcard certificate with Certbot on CentOS 7 (DNSPod)


1. Install Certbot
> yum install certbot
2. Install pip

CentOS 7 normally ships with Python 2.7, so only pip needs to be installed.

> curl "https://bootstrap.pypa.io/pip/2.7/get-pip.py" -o "get-pip.py"
> python2.7 get-pip.py
3. Install the certbot-dns-dnspod plugin
> pip install certbot-dns-dnspod
4. Set up the DNSPod API key file

To obtain an API key, see https://console.dnspod.cn/account/token/token

> vi /root/.secrets/certbot/dnspod.ini
# write the following
dns_dnspod_email = "xxxx@foxmail.com"
# tokenid,token
dns_dnspod_api_token = "00000,6ef9f0c62d1f8677328b2a6e05ea6cdf"
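The credentials file holds an API token that can change any record in the DNS zone, so it should be readable only by the user running certbot. The shell functions below are an added example, not code from the post or from the certbot-dns-dnspod plugin: one writes the file with owner-only permissions, the other checks an existing file for loose permissions and malformed entries. The key names and the "tokenid,token" layout follow the post; the 32-hex-digit token length is an assumption taken from the post's sample value.

```shell
#!/bin/bash
# Added example (not part of the original post): create the DNSPod
# credentials file for certbot with owner-only permissions, then check it.
# Key names and the "tokenid,token" layout follow the post; the 32-hex-digit
# token length is an assumption based on the post's sample value.

# write_dnspod_credentials FILE EMAIL TOKEN_ID TOKEN
# Writes FILE (mode 0600) in the format the certbot-dns-dnspod plugin reads.
write_dnspod_credentials() {
    local file="$1" email="$2" token_id="$3" token="$4"
    mkdir -p "$(dirname "$file")"
    # umask 077 in a subshell: the file is never readable by others, even briefly
    ( umask 077 && printf 'dns_dnspod_email = "%s"\ndns_dnspod_api_token = "%s,%s"\n' \
        "$email" "$token_id" "$token" > "$file" )
    chmod 600 "$file"
}

# check_dnspod_credentials FILE
# Returns 0 when FILE is owner-only and its two entries are well formed;
# otherwise prints each problem and returns 1.
check_dnspod_credentials() {
    local file="$1" rc=0 mode token
    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 1
    fi
    mode=$(stat -c '%a' "$file")
    # Group/other bits would let any local user read the API token;
    # certbot's DNS plugins warn about this as well.
    case "$mode" in
        600|400) ;;
        *) echo "unsafe permissions $mode on $file (expected 600)"; rc=1 ;;
    esac
    if ! grep -Eq '^dns_dnspod_email *= *"[^"@ ]+@[^" ]+"' "$file"; then
        echo "dns_dnspod_email missing or malformed"; rc=1
    fi
    token=$(sed -n 's/^dns_dnspod_api_token *= *"\([^"]*\)".*/\1/p' "$file")
    if ! printf '%s' "$token" | grep -Eq '^[0-9]+,[0-9a-f]{32}$'; then
        echo "dns_dnspod_api_token missing or not in tokenid,token form"; rc=1
    fi
    return "$rc"
}

# Usage with the path and sample values from the post:
#   write_dnspod_credentials /root/.secrets/certbot/dnspod.ini \
#       xxxx@foxmail.com 00000 6ef9f0c62d1f8677328b2a6e05ea6cdf
#   check_dnspod_credentials /root/.secrets/certbot/dnspod.ini
```

Running the check from the same cron job as the renewal (before `certbot renew`) catches a file whose mode was widened by a later edit or restore.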
5. Request the certificate

Request one certificate covering both the apex domain and the wildcard for its subdomains. The plugin creates the DNS TXT record automatically and waits 60 seconds for it to take effect. Some prompts ask Yes (Y) / No (N); enter Y.

> certbot certonly -a dns-dnspod --dns-dnspod-credentials /root/.secrets/certbot/dnspod.ini -d kuai.blog -d *.kuai.blog
6. Automatic certificate renewal

Schedule the renewal for the 1st of every month at 01:30. The command after --renew-hook runs once a renewal completes; here it reloads Nginx.

> crontab -e
# add the following line (fields: minute hour day-of-month month day-of-week)
30 1 1 * * certbot renew --renew-hook "/usr/sbin/nginx -s reload"
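`certbot renew` only replaces a certificate within 30 days of its expiry, so a job that runs once a month has little margin if a single attempt fails (for example because the DNSPod API is unreachable that night). The shell functions below are an added example, not code from the post or from certbot: they read the expiry date from the certificate certbot wrote and return a non-zero status when fewer than a chosen number of days remain, so a second cron line or a monitoring agent can raise an alert. They assume GNU date (as shipped in CentOS 7 coreutils) and the openssl command-line tool.

```shell
#!/bin/bash
# Added example (not part of the original post): report the days left on a
# certificate so a monitor can notice a renewal that did not happen.
# certbot renew only replaces a certificate within 30 days of expiry, so a
# job that runs once a month has little margin if one attempt fails.
# Assumes GNU date (CentOS 7 coreutils) and the openssl command-line tool.

# days_until "notAfter=Mar 31 12:00:00 2025 GMT"
# Converts the line printed by `openssl x509 -enddate` into whole days from
# now; negative once the certificate has expired.
days_until() {
    local end="${1#notAfter=}" end_s now_s
    end_s=$(date -u -d "$end" +%s) || return 2
    now_s=$(date -u +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# cert_days_left PEM [WARN_DAYS]
# Prints the days left on the first certificate in PEM and the names it
# covers; returns 1 when fewer than WARN_DAYS (default 14) remain, so it can
# drive an alert from cron.
cert_days_left() {
    local pem="$1" warn="${2:-14}" enddate days
    enddate=$(openssl x509 -in "$pem" -noout -enddate) || return 2
    days=$(days_until "$enddate") || return 2
    echo "$pem: $days days left"
    # Subject Alternative Names: confirm both kuai.blog and *.kuai.blog are listed
    openssl x509 -in "$pem" -noout -text | grep -A1 'Subject Alternative Name' || true
    [ "$days" -ge "$warn" ]
}

# Usage with the path certbot writes for the post's domain:
#   cert_days_left /etc/letsencrypt/live/kuai.blog/fullchain.pem 14
```

A 14-day threshold leaves time to fix a broken renewal before the certificate expires; the function checks the first certificate in `fullchain.pem`, which is the leaf certificate certbot issued.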
7. Nginx SSL certificate and gzip configuration
> vi /etc/nginx/nginx.conf
server {
        listen       443 ssl http2;
        listen       [::]:443 ssl http2;
        server_name  kuai.blog;
        ssl_certificate "/etc/letsencrypt/live/kuai.blog/fullchain.pem";
        ssl_certificate_key "/etc/letsencrypt/live/kuai.blog/privkey.pem";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        gzip on;
        gzip_buffers 32 4K;
        gzip_comp_level 6;
        gzip_min_length 100;
        gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
        gzip_disable "MSIE [1-6]\."; # condition for disabling gzip (regex allowed); this disables it for IE6 and older, which do not support it
        gzip_vary on;
        client_max_body_size 100m;
        root   /home/kuai.blog;
        index  index.html index.htm index.php;
}
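The server block above sets no `ssl_protocols`, so the protocol list is left to the nginx default. Releases before 1.23.4, including the ones packaged for CentOS 7, default to `TLSv1 TLSv1.1 TLSv1.2`, so TLS 1.0 and 1.1 stay enabled unless the directive is set explicitly; there is also no HSTS header. The shell audit below is an added example, not from the post, that reads a server block and flags settings of this kind. The two sample blocks it writes are constructed: one mirrors the post's configuration, the other adds the directives the audit expects (TLS 1.3 additionally needs nginx built against OpenSSL 1.1.1 or newer, which CentOS 7's stock OpenSSL is not).

```shell
#!/bin/bash
# Added example (not part of the original post): audit an nginx server block
# for TLS settings that are being left to defaults. Older nginx releases
# (before 1.23.4, including CentOS 7 packages) default ssl_protocols to
# "TLSv1 TLSv1.1 TLSv1.2". The sample blocks below are constructed.

# audit_tls_config FILE
# Prints one line per finding; returns the number of findings (0 = clean).
audit_tls_config() {
    local cfg="$1" findings=0 body
    # drop comments first so a commented-out directive is not counted as set
    body=$(sed 's/#.*$//' "$cfg")

    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*ssl_protocols[[:space:]]'; then
        echo "no ssl_protocols: nginx default may allow TLS 1.0/1.1"
        findings=$((findings + 1))
    elif printf '%s\n' "$body" | grep -Eq '^[[:space:]]*ssl_protocols[^;]*TLSv1(\.1)?[[:space:];]'; then
        echo "ssl_protocols explicitly enables TLS 1.0 or 1.1"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*ssl_ciphers[[:space:]]'; then
        echo "no ssl_ciphers: cipher list left to nginx default"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$body" | grep -Eq 'add_header[[:space:]]+Strict-Transport-Security'; then
        echo "no HSTS header: returning browsers still start with plain HTTP"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# write_sample_configs DIR
# Writes two constructed server blocks: post.conf mirrors the post's block,
# hardened.conf adds the directives the audit looks for.
write_sample_configs() {
    local dir="$1"
    cat > "$dir/post.conf" <<'EOF'
server {
    listen 443 ssl http2;
    server_name kuai.blog;
    ssl_certificate "/etc/letsencrypt/live/kuai.blog/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/kuai.blog/privkey.pem";
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # ssl_protocols TLSv1.2;  commented out on purpose: must not count as set
}
EOF
    cat > "$dir/hardened.conf" <<'EOF'
server {
    listen 443 ssl http2;
    server_name kuai.blog;
    ssl_certificate "/etc/letsencrypt/live/kuai.blog/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/kuai.blog/privkey.pem";
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
}

# Usage against the live configuration:
#   audit_tls_config /etc/nginx/nginx.conf; echo "findings: $?"
```

Run against a copy of the post's block the audit reports two findings (missing `ssl_protocols` and missing HSTS); against the hardened block it reports none. Because it returns the finding count, it can gate a deployment or a `nginx -s reload` step in the same way `nginx -t` gates syntax errors.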