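Adding HTTPS to a Domain
Generating a free HTTPS certificate with Let's Encrypt
- Download and install certbot (Let's Encrypt)
- Generate the certificate with certbot
- Configure the HTTPS certificate in nginx
Install certbot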
[root@hz1 ~]# wget https://dl.eff.org/certbot-auto
[root@hz1 ~]# chmod a+x certbot-auto
[root@hz1 ~]# ./certbot-auto
Generate the certificate with certbot
Generate a certificate for a single domain
[root@hz1 certbot]# ./certbot-auto certonly --email zhai.junming@timecash.cn --agree-tos --webroot -w /alidata1/www/timecash22/api3 -d xxxx.zjm.cn
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxx.zjm.cn
Using the webroot path /alidata1/www/timecash22/api3 for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/xxx.zjm.cn/fullchain.pem. Your cert will
   expire on 2017-09-06. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
-w: the web root directory of the domain
-d: the domain name
Note: the certificate has been saved under /etc/letsencrypt/live/xxx.zjm.cn
Configure the HTTPS certificate in Nginx
server {
    listen 443 ssl;
    ....
    ssl_certificate /etc/letsencrypt/live/xxx.zjm.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.zjm.cn/privkey.pem;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
}
ssl_certificate and ssl_certificate_key point to fullchain.pem and privkey.pem respectively.
The file for ssl_dhparam is generated with the following commands:
$ sudo mkdir /etc/nginx/ssl
$ sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
Generate one certificate for multiple domains, so that several domains share a single SSL certificate
./certbot-auto certonly --email admin@laobuluo.com --agree-tos --webroot -w /var/www/laozuo -d laozuo.org -d www.laozuo.org -w /var/www/laobuluo -d laobuluo.com -d www.laobuluo.com
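Automatically renew the HTTPS certificate
This free certificate is only valid for 90 days, so it has to be renewed on a schedule. Here certbot is used to renew it automatically at regular intervals.
Run the renewal manually (with --dry-run, certbot only tests the renewal and saves no certificates)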
./certbot-auto renew --dry-run
Use crontab to renew the certificate automatically at regular intervals
30 2 * * 1 ./certbot-auto renew >> /var/log/le-renew.log
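The cron job above only replaces the files on disk; nginx keeps serving the certificate it loaded until it is reloaded. The following Python check is an added example, not part of the original article: it compares the certificate served on port 443 with the leaf in fullchain.pem and warns when renewal appears to be failing. The function names, the command-line usage and the 21-day threshold are assumptions chosen here, and the check assumes it connects to nginx directly.

```python
import hashlib
import socket
import ssl
import sys
import time

# certbot renews once fewer than 30 days remain (its default) and the page's
# cron job runs weekly, so a healthy certificate should not drop below ~23 days.
WARN_DAYS = 21  # assumed alert threshold
END = "-----END CERTIFICATE-----"

def days_left(not_after, now=None):
    """Whole days until a notAfter string like 'Sep  6 08:13:00 2017 GMT'."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def leaf_fingerprint(fullchain_pem):
    """SHA-256 of the first (leaf) certificate in the text of fullchain.pem."""
    leaf = fullchain_pem[: fullchain_pem.index(END) + len(END)].strip()
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(leaf)).hexdigest()

def served_cert(host, port=443, timeout=10):
    """Return (notAfter, SHA-256 fingerprint) of the certificate nginx presents."""
    ctx = ssl.create_default_context()  # verifies chain, hostname and validity
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return tls.getpeercert()["notAfter"], hashlib.sha256(der).hexdigest()

def assess(not_after, served_fp, disk_fp, now=None):
    """Classify renewal health from the served certificate and the one on disk."""
    if served_fp != disk_fp:
        return "STALE: served cert differs from fullchain.pem, reload nginx"
    remaining = days_left(not_after, now)
    if remaining < WARN_DAYS:
        return "RENEWAL OVERDUE: %d days left" % remaining
    return "OK: %d days left" % remaining

if __name__ == "__main__":  # usage: <script> <domain> <path to fullchain.pem>
    host, chain_path = sys.argv[1], sys.argv[2]
    try:
        not_after, fp = served_cert(host)
    except ssl.SSLCertVerificationError as exc:  # expired or untrusted certificate
        sys.exit("INVALID: %s" % exc)
    with open(chain_path) as fh:
        print(assess(not_after, fp, leaf_fingerprint(fh.read())))
```

Reading files under /etc/letsencrypt/live normally requires root, so run the check from the same account as the renewal cron job.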