网站的https访问，需要域名证书。可以在letsencrypt上申请免费的域名证书。首先，需要向letsencrypt证明对域名的控制权。证明的方式很多，这里采用的是，让certbot在网站上添加一个类似 的节点，letsencrypt会去访问这个节点，以此证明对域名的控制权。先配置一个简单的nginx，用于申请证书， 验证域名的控制权。得到证书后，就可以配置用于https访问的nginx了。证书3个月过期，更新证书的时候，关掉https访问的nginx，开启证书申请的nginx。更新完成之后，再关掉证书申请的nginx，重新开启https访问的nginx。

1. 需要docker镜像

docker pull nginxdocker pull certbot/certbot

2. 申请证书的nginx配置letsencrypt-nginx.conf

server {    listen       80;    server_name  ooxxooxx.com;    location ~ /.well-known/acme-challenge {        allow all;        root   /usr/share/nginx/html;    }    root /usr/share/nginx/html;    index index.html;}

3. 文件index.html

    
            
Oh, hai there!
    
        This is the temporary site that will only be used for the very first time SSL certificates are issued by Let's Encrypt's        certbot.    

4. 启动申请证书的nginx

docker run --network host --rm --name nginx-letsencrypt \-v /root/docker/nginx/volumes/letsencrypt-nginx.conf:/etc/nginx/conf.d/default.conf \-v /root/docker/nginx/volumes/letsencrypt/html:/usr/share/nginx/html \-d nginx

5. 申请证书。因为有次数限制，先测试一下命令，成功后在运行正式命令。有--staging参数是测试命令。没有--staging参数就是正式命令。

docker run -it --rm \-v /root/docker/nginx/volumes/letsencrypt/etc/letsencrypt:/etc/letsencrypt \-v /root/docker/nginx/volumes/letsencrypt/var/lib/letsencrypt:/var/lib/letsencrypt \-v /root/docker/nginx/volumes/letsencrypt/var/log/letsencrypt:/var/log/letsencrypt \-v /root/docker/nginx/volumes/letsencrypt/html:/data/letsencrypt \certbot/certbot \certonly --webroot \--register-unsafely-without-email --agree-tos \--webroot-path=/data/letsencrypt \--staging \-d ooxxooxx.com

看命令的结果，是否有证书生成。

6. https的nginx配置https-nginx.conf

server {    listen       443;    server_name  ooxxooxx.com;    ssl on;    ssl_certificate /etc/letsencrypt/live/ooxxooxx.com/fullchain.pem;    ssl_certificate_key /etc/letsencrypt/live/ooxxooxx.com/privkey.pem;     location / {        root   /usr/share/nginx/html;        index  index.html index.htm;    }    error_page   500 502 503 504  /50x.html;    location = /50x.html {        root   /usr/share/nginx/html;    }}

7. 启动https的nginx

docker run --network host --rm --name nginx-https \-v /root/docker/nginx/volumes/https-nginx.conf:/etc/nginx/conf.d/default.conf \-v /root/docker/nginx/volumes/letsencrypt/etc/letsencrypt:/etc/letsencrypt \-d nginx

8. 更新证书

docker run --rm -it --name certbot \-v /root/docker/nginx/volumes/letsencrypt/etc/letsencrypt:/etc/letsencrypt \-v /root/docker/nginx/volumes/letsencrypt/var/lib/letsencrypt:/var/lib/letsencrypt \-v /root/docker/nginx/volumes/letsencrypt/var/log/letsencrypt:/var/log/letsencrypt \-v /root/docker/nginx/volumes/letsencrypt/html:/data/letsencrypt \certbot/certbot renew --webroot -w /data/letsencrypt

9. 参考