1. 检查 Certbot 是否已安装
which certbot
2. 安装 Certbot

2.1启用 EPEL 仓库（如果尚未启用）：

sudo yum install epel-release

2.2 安装 Certbot 和 Nginx 插件：

sudo yum install certbot python3-certbot-nginx

2.3验证安装是否成功：

certbot --version

2.4.使用 Certbot 自动化脚本 (如果不使用包管理器)

sudo curl https://get.acme.sh | sh

3. 使用 Certbot Nginx 插件
sudo certbot --nginx

4.1使用 certbot 生成证书(执行下面密令时80端口不能被占用)：
sudo certbot certonly --standalone -d colourful.run

证书路径
证书文件：/etc/letsencrypt/live/colourful.run/fullchain.pem
私钥文件：/etc/letsencrypt/live/colourful.run/privkey.pem

[root@VM-16-2-centos dream]# sudo certbot certonly --standalone -d colourful.run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for colourful.run
Performing the following challenges:
http-01 challenge for colourful.run
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: myfuturecloud@163.com).
Starting new HTTPS connection (1): supporters.eff.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/colourful.run/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/colourful.run/privkey.pem
   Your certificate will expire on 2025-03-10. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@VM-16-2-centos dream]# 

4.2修改Nginx配置，手动配置 SSL 证书，通常在 /etc/nginx/nginx.conf配置文件中，添加以下内容：
server {
    listen 443 ssl;
    server_name colourful.run;

    ssl_certificate /etc/letsencrypt/live/colourful.run/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/colourful.run/privkey.pem;
}

4.3重新加载 Nginx 配置：
sudo systemctl reload nginx

或
sudo systemctl start nginx

4.4验证 HTTPS 是否生效：
你可以通过浏览器访问 https://colourful.run 来检查 SSL 是否正确配置

4.5自动续期证书：
Certbot 会自动为你设置续期任务，通常 Certbot 会通过 Cron 或系统的定时任务（systemd）来自动更新证书

sudo certbot renew --dry-run

证书相关重要操作
如果你想查看证书的详细信息，可以运行：
sudo certbot certificates

如果你需要撤销证书，可以使用：
sudo certbot revoke --cert-path /etc/letsencrypt/live/colourful.run/fullchain.pem

-------nginx配置https证书

--配置前要确保nginx安装了ssl

----linux版本安装nginx时;:-with-http_ssl_module要启动

./configure --prefix=/dream/rte/nginx --with-http_ssl_module

linux下nginx.conf文档示例：

worker_processes  1;events {worker_connections  1024;
}http {include       mime.types;default_type  application/octet-stream;sendfile        on;keepalive_timeout  65;upstream mtis-server {server localhost:9999;}# HTTP 到 HTTPS 的重定向server {listen       80;server_name  www.colourful.com;rewrite ^(.*)$ https://$host\$1;error_page   500 502 503 504  /50x.html;location = /50x.html {root   html;}}# HTTPS 配置server {ssl_certificate /etc/letsencrypt/live/colourful.run/fullchain.pem;ssl_certificate_key /etc/letsencrypt/live/colourful.run/privkey.pem;listen 443 ssl;server_name www.colourful.run;ssl_session_cache shared:SSL:1m;ssl_session_timeout 5m;ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;ssl_prefer_server_ciphers on;location / {root html;index index.html index.htm;}location ^~ /yunmeng/ {proxy_pass http://mtis-server;proxy_set_header Host $http_host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;proxy_connect_timeout 5s;proxy_read_timeout 60s;}# 错误页面配置放到 HTTPS 的 server 块内error_page 500 502 503 504 /50x.html;location = /50x.html {root html;}}
}

Windows下nginx.conf文件示例：

#user  nobody;
worker_processes  1;events {worker_connections  1024;
}http {include       mime.types;default_type  application/octet-stream;log_format  main  '$remote_addr - $remote_user [$time_local] "$request" ''$status $body_bytes_sent "$http_referer" ''"$http_user_agent" "$http_x_forwarded_for"';sendfile        on;#tcp_nopush     on;#keepalive_timeout  0;keepalive_timeout  65;#gzip  on;#WebSocket支持配置map $http_upgrade $connection_upgrade {default upgrade;'' close;}upstream xxx-server{server localhost:15686;}server {listen       80;server_name  www.wmkjyf.com;rewrite ^(.*)$ https://$host$1;error_page   500 502 503 504  /50x.html;location = /50x.html {root   html;}}# HTTPS serverserver {listen 443 ssl;#填写证书绑定的域名server_name www.wmkjyf.com;#填写证书文件绝对路径ssl_certificate C:/xxxxxx/ssl/fullchain.crt;#填写证书私钥文件绝对路径ssl_certificate_key C:/xxxxxx/ssl/private.pem;ssl_session_cache shared:SSL:1m;ssl_session_timeout 5m;#自定义设置使用的TLS协议的类型以及加密套件（以下为配置示例，请您自行评估是否需要配置）#TLS协议版本越高，HTTPS通信的安全性越高，但是相较于低版本TLS协议，高版本TLS协议对浏览器的兼容性较差。ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;#表示优先使用服务端加密套件。默认开启ssl_prefer_server_ciphers on;location ^~ /wm-iot/ {proxy_pass http://xxx-server;proxy_set_header Host $http_host;#proxy_read_timeout 3600s;   #默认60s没有传输数据就会关闭，延长时间proxy_set_header Upgrade $http_upgrade;proxy_set_header Connection $connection_upgrade;}location ^~ /wm-mtis/ {proxy_pass http://xxx-server;proxy_set_header Host $http_host;}location ~* .*\.(gif|ico|png|jpg|eot|svg|ttf|woff|txt|pdf) {root  C:/xxxxxx/projects/static;expires 30d;}location ~* .*\.(js|css)$ {root  C:/xxxxxx/projects/static;expires 1h;}location / {root  C:/xxxxxx/projects/static/page;index index.html index.htm;}location /page/ {rewrite "^/page/(.*)$" $scheme://$http_host/$1 permanent;}error_page   500 502 503 504  /50x.html;location = /50x.html {root   html;}}}