Creating a free HTTPS certificate with Let's Encrypt

 

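This walkthrough uses Let's Encrypt to create a free HTTPS certificate. The certificate for the phpernote.com domain is generated manually on a local machine running Ubuntu, with no automatic configuration and no automatic renewal.

Note: Let's Encrypt certificates are valid for 90 days.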

1. Update the package index and install Certbot (skip if already installed)

sudo apt update
sudo apt install certbot python3-certbot-nginx  # for Nginx

2. Request the certificate manually (without automatic configuration)

certbot certonly --manual --preferred-challenges=dns -d phpernote.com -d www.phpernote.com

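The -d option specifies a domain name and can be given more than once. Here it is given twice, for phpernote.com and www.phpernote.com.

Note: standalone mode temporarily starts a web server to complete validation, so before requesting a certificate in that mode, stop whatever local application is using port 80 (most likely nginx). If you do not, you will get an error similar to the following: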

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for phpernote.com
http-01 challenge for www.phpernote.com
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6. 

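During the request Certbot asks you a few questions, for example:

Enter an email address: used to receive expiry notices.
Whether you agree to the terms of service.
Whether to redirect HTTP to HTTPS automatically (automatic redirection is recommended).

3. Manually add the DNS record in the domain control panel

3.1 Request the certificate using DNS-01

certbot certonly --manual --preferred-challenges dns -d phpernote.com -d www.phpernote.com

This produces output similar to the following: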

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for phpernote.com
dns-01 challenge for www.phpernote.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.phpernote.com with the following value:

7mnyoK7vRt6fu7T6yzPSf1hIkfnX7WBNhdgzeNeC2C4

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

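3.2 Manually add the DNS record in the domain control panel

Following the prompt above, add a TXT record like this:

_acme-challenge.phpernote.com    TXT    7mnyoK7vRt6fu7T6yzPSf1hIkfnX7WBNhdgzeNeC2C4

Once the record is added, wait about 10 minutes, then press Enter to continue. Certbot then prints the following: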

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/phpernote.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/phpernote.com/privkey.pem
   Your cert will expire on 2025-01-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

At this point the certificate files have been generated successfully. The certificate file is at:

/etc/letsencrypt/live/phpernote.com/fullchain.pem

The private key file is at:

/etc/letsencrypt/live/phpernote.com/privkey.pem
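
Step 3.2 waits a fixed 10 minutes before pressing Enter; the shell functions below, added here as an example and not part of the original post, instead poll each authoritative nameserver of the zone with dig until all of them serve the TXT value certbot printed. The function names, retry count and delay are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Requires dig (Ubuntu: dnsutils).

# txt_has_value EXPECTED
# Reads `dig +short TXT` output on stdin (one quoted string per line) and
# succeeds only if some record equals EXPECTED exactly.
txt_has_value() {
    expected=$1
    while IFS= read -r line || [ -n "$line" ]; do
        value=$(printf '%s' "$line" | tr -d '"')  # dig wraps TXT data in quotes
        if [ "$value" = "$expected" ]; then
            return 0
        fi
    done
    return 1
}

# wait_for_txt NAME EXPECTED ZONE [TRIES] [DELAY_SECONDS]
# Returns 0 once every nameserver of ZONE serves EXPECTED for NAME,
# 1 if that does not happen within TRIES polls, 2 if ZONE has no NS records.
wait_for_txt() {
    name=$1; want=$2; zone=$3; tries=${4:-20}; delay=${5:-30}
    servers=$(dig +short NS "$zone")
    if [ -z "$servers" ]; then
        echo "no NS records found for $zone" >&2
        return 2
    fi
    attempt=1
    while [ "$attempt" -le "$tries" ]; do
        pending=""
        for ns in $servers; do
            if ! dig +short "@$ns" "$name" TXT | txt_has_value "$want"; then
                pending="$pending $ns"
            fi
        done
        if [ -z "$pending" ]; then
            echo "TXT record is visible on every nameserver of $zone"
            return 0
        fi
        echo "attempt $attempt/$tries: not yet on:$pending" >&2
        attempt=$((attempt + 1))
        if [ "$attempt" -le "$tries" ]; then sleep "$delay"; fi
    done
    return 1
}

# Usage, with the name and value certbot printed in step 3.1:
# wait_for_txt _acme-challenge.phpernote.com \
#     7mnyoK7vRt6fu7T6yzPSf1hIkfnX7WBNhdgzeNeC2C4 phpernote.com
```

Certbot asks for one TXT record per challenge, so run the check once for each name and value pair it prints.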

4. Rename the files and upload them to the server

scp /etc/letsencrypt/live/phpernote.com/fullchain.pem root@123.56.71.70:/home/www/cert/phpernote.com.pem
scp /etc/letsencrypt/live/phpernote.com/privkey.pem root@123.56.71.70:/home/www/cert/phpernote.com.key

5. Restart the nginx service

service nginx restart

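Permalink: https://www.cxy163.net/archives/2917 | 绝缘体

This post was published by 绝缘体 on January 16, 2025 in the Uncategorized category. You may quote it on your website or blog provided the original URL and author are retained.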