
Let's Encrypt renewal error: Failed authorization procedure

10 October 2017

I have written two posts about Let's Encrypt before: "Security: deploy Let's Encrypt to enable HTTPS" and "Installing and renewing Let's Encrypt certificates". The Let's Encrypt client has since been renamed certbot. When I renewed the HTTPS certificate today it failed with the error below, which roughly says that the authorization failed. I also tuned the HTTPS configuration to score A+ (click to view this site's rating details).

[root@ImmenseGargantuan-VM certbot]# ./certbot-auto certonly --email kf@kaifashuo.com  --agree-tos --no-eff-email --webroot -w  /home/kaifashuo -d kaifashuo.com -d kaifashuo.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for kaifashuo.com
http-01 challenge for kaifashuo.com
Using the webroot path /home/kaifashuo for all unmatched domains.
Waiting for verification...
Cleaning up challenges


Failed authorization procedure. kaifashuo.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://kaifashuo.com/.well-known/acme-challenge/SRzxeQBHFnYjbPFRC9PsoMaUYSxd2gNaFBI5obt9DSI: Connection refused, kaifashuo.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://kaifashuo.com/.well-known/acme-challenge/xJlFrUFHPaJNlKxXgPlKuF_q9lXhAy-KFvVy-RFp35Y: Connection refused

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: kaifashuo.com
   Type:   connection
   Detail: Fetching
   http://kaifashuo.com/.well-known/acme-challenge/SRzxeQBHFnYjbPFRC9PsoMaUYSxd2gNaFBI5obt9DSI:
   Connection refused

   Domain: kaifashuo.com
   Type:   connection
   Detail: Fetching
   http://kaifashuo.com/.well-known/acme-challenge/xJlFrUFHPaJNlKxXgPlKuF_q9lXhAy-KFvVy-RFp35Y:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
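Both failures above report "Connection refused", which means no process accepted the TCP connection on port 80 at all; a wrong webroot path would instead show an HTTP 404 for the challenge URL. The following check is added here and is not part of the original post: it reproduces the http-01 webroot round trip before certbot is run and maps the outcome to the likely cause. The hostname, the webroot path and the `http_fetch` helper (plus its optional replacement used for testing) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check for certbot's
# http-01 webroot challenge. It drops a throwaway token where certbot would
# ($WEBROOT/.well-known/acme-challenge/), fetches it over plain HTTP through
# the public hostname, and maps the result to the likely cause.

# Default fetcher: prints the body; exit 22 on HTTP >= 400, 7 when the TCP
# connection is refused, 6 when DNS fails, 28 on timeout (curl's own codes).
http_fetch() {
    curl -sS -f --max-time 10 "$1"
}

# acme_preflight DOMAIN WEBROOT [FETCH_CMD]
# Returns 0 when the token round-trips, 1 for a wrong webroot/vhost,
# 2 when nothing listens on port 80, 3 for DNS failure or timeout, 4 otherwise.
acme_preflight() {
    domain=$1; webroot=$2; fetch=${3:-http_fetch}
    dir="$webroot/.well-known/acme-challenge"
    token="preflight-$$-$(date +%s)"
    mkdir -p "$dir" || return 4
    printf '%s\n' "$token" > "$dir/$token"
    rc=0
    body=$("$fetch" "http://$domain/.well-known/acme-challenge/$token") || rc=$?
    rm -f "$dir/$token"    # always clean up, like certbot's "Cleaning up challenges"
    case $rc in
        0)  if [ "$body" = "$token" ]; then return 0; fi
            echo "port 80 answers, but with other content: another vhost or a cache serves $domain" >&2
            return 1 ;;
        22) echo "HTTP error: port 80 answers, but not from $webroot (check root/alias for /.well-known)" >&2
            return 1 ;;
        7)  echo "connection refused: nothing is listening on $domain:80 (web server down or only :443 configured)" >&2
            return 2 ;;
        6|28) echo "DNS failure or timeout: check the A/AAAA record and firewall rules" >&2
            return 3 ;;
        *)  echo "fetch failed with exit code $rc" >&2
            return 4 ;;
    esac
}

# Stand-alone use (constructed values): acme_preflight kaifashuo.com /home/kaifashuo
```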

Since it errored, it has to be fixed: delete all certbot and letsencrypt files and reinstall certbot.

[root@ImmenseGargantuan-VM certbot]# rpm -qa |grep letsencrypt
[root@ImmenseGargantuan-VM certbot]# rpm -qa |grep certbot
[root@ImmenseGargantuan-VM certbot]# ll /etc/letsencrypt/
total 12
drwx------ 3 root root 4096 Oct 10 22:26 accounts
drwxr-xr-x 2 root root 4096 Oct 10 22:26 renewal
drwxr-xr-x 5 root root 4096 Oct 10 22:26 renewal-hooks
[root@ImmenseGargantuan-VM certbot]# find / -name letsencrypt
/opt/eff.org/certbot/venv/bin/letsencrypt
/opt/eff.org/certbot/venv/lib/python2.7/site-packages/letsencrypt
/root/.local/share/letsencrypt
/var/log/letsencrypt
/var/lib/letsencrypt
/etc/letsencrypt
[root@ImmenseGargantuan-VM certbot]# rm -rf /opt/eff.org/certbot/venv/bin/letsencrypt /opt/eff.org/certbot/venv/lib/python2.7/site-packages/letsencrypt /root/.local/share/letsencrypt /var/log/letsencrypt /var/lib/letsencrypt /etc/letsencrypt 
[root@ImmenseGargantuan-VM certbot]# find / -name letsencrypt
[root@ImmenseGargantuan-VM certbot]# find / -name certbot
/opt/eff.org/certbot
/opt/eff.org/certbot/venv/bin/certbot
/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot
/usr/local/src/certbot
/usr/local/src/certbot/certbot
[root@ImmenseGargantuan-VM certbot]# rm -rf /opt/eff.org/certbot /opt/eff.org/certbot/venv/bin/certbot /opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot  /usr/local/certbot/

Re-clone and install certbot

[root@ImmenseGargantuan-VM src]# git clone https://github.com/certbot/certbot.git  (clone the certbot source)
Cloning into 'certbot'...
remote: Counting objects: 49913, done.
remote: Compressing objects: 100% (24/24), done.
remote: Total 49913 (delta 14), reused 16 (delta 7), pack-reused 49882
Receiving objects: 100% (49913/49913), 15.47 MiB | 5.65 MiB/s, done.
Resolving deltas: 100% (35736/35736), done.
[root@ImmenseGargantuan-VM src]# cd certbot/
[root@ImmenseGargantuan-VM certbot]# ./certbot-auto certonly --standalone --email kf@kaifashuo.com  -d kaifashuo.com -d kaifashuo.com
Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: pubmirrors.dal.corespace.com
 * elrepo: repos.lax-noc.com
 * epel: mirror.hmc.edu
 * extras: mirror.keystealth.org
 * updates: mirror.sjc02.svwh.net
Package gcc-4.8.5-16.el7.x86_64 already installed and latest version
Package augeas-libs-1.4.0-2.el7_4.1.x86_64 already installed and latest version
Package 1:openssl-1.0.2k-8.el7.x86_64 already installed and latest version
Package 1:openssl-devel-1.0.2k-8.el7.x86_64 already installed and latest version
Package libffi-devel-3.0.13-18.el7.x86_64 already installed and latest version
Package redhat-rpm-config-9.1.0-76.el7.centos.noarch already installed and latest version
Package ca-certificates-2017.2.14-71.el7.noarch already installed and latest version
Package python-2.7.5-58.el7.x86_64 already installed and latest version
Package python-devel-2.7.5-58.el7.x86_64 already installed and latest version
Package python-virtualenv-1.10.1-4.el7.noarch already installed and latest version
Package python-tools-2.7.5-58.el7.x86_64 already installed and latest version
Package python2-pip-8.1.2-5.el7.noarch already installed and latest version
Nothing to do
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a  (agree to the Terms of Service)

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: n  (whether to receive e-mails and the like)
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for kaifashuo.com
tls-sni-01 challenge for kaifashuo.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:  (if this says Congratulations, the issuance succeeded)
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/kaifashuo.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/kaifashuo.com/privkey.pem
   Your cert will expire on 2018-01-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Nginx configuration

[root@ImmenseGargantuan-VM ~]# cat /etc/nginx/conf.d/kaifashuo.conf
server {
    listen 80 default_server;
    server_name  kaifashuo.com kaifashuo.com;

    # Everything on port 80 is redirected to HTTPS. Let's Encrypt follows
    # redirects for http-01, so a later webroot renewal still works as long as
    # the HTTPS server below serves /home/kaifashuo/.well-known/ as plain files.
    return 301 https://www.kaifashuo.com$request_uri;
}

server {
    # The certificate above was obtained with --standalone (tls-sni-01), which
    # needs port 443 free, so a standalone renewal must stop nginx first
    # (certbot's --pre-hook/--post-hook can do that).
    listen 443 ssl http2 default_server;
    server_name  kaifashuo.com kaifashuo.com;

    ssl_certificate         /etc/letsencrypt/live/kaifashuo.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/kaifashuo.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/kaifashuo.com/chain.pem;   # verifies the stapled OCSP response

    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    keepalive_timeout   70;
    ssl_buffer_size     8k;
    ssl_stapling        on;
    ssl_stapling_verify on;
    ssl_session_tickets on;
    resolver 223.5.5.5 223.6.6.6;   # needed by ssl_stapling to reach the OCSP responder
    # TLSv1 and TLSv1.1 are kept as in the original; both are deprecated and can
    # be dropped unless legacy clients still need them.
    ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
#    ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
    ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
    ssl_prefer_server_ciphers on;
    # HSTS for six months. nginx does not inherit add_header into a location
    # that sets its own add_header (the font location below), so responses
    # from that location carry no HSTS header unless it is repeated there.
    add_header Strict-Transport-Security max-age=15768000;

    # Close the connection without a response for any other HTTP method.
    if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$ ) {
        return 444;
    }

    location / {
        root   /home/kaifashuo;
        index  index.php index.html index.htm;

        # Front-controller rewrite: anything that is not a real file goes to index.php.
        if (!-e $request_filename) {
            rewrite ^(.*)$ /index.php$1 last;
        }
    }

    location ~* \.(eot|otf|ttf|woff|woff2|svg)$ {
        root  /home/kaifashuo;
        add_header Access-Control-Allow-Origin *;
    }

    # The original pattern was ".(ico|...)" with neither the dot escaped nor the
    # end anchored, so it matched any character before the extension anywhere
    # in the URI; fixed to match a real file extension only.
    location ~* \.(ico|gif|bmp|jpg|jpeg|png|swf|js|css|mp3)$ {
        root  /home/kaifashuo;
        expires 30d;
    }

#        location ~ \.php$ {
    location ~ .*\.php(\/.*)*$ {
#           root           /home/kaifashuo;
#            fastcgi_pass   127.0.0.1:9000;
        fastcgi_pass   unix:/dev/shm/php7-fpm.sock;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /home/kaifashuo$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Verify the security rating of the HTTPS configuration with SSL Labs; mine is A+.

[Screenshot: SSL Labs rating, QQ截图20171010232411.jpg]


  • Source: 开发说 (https://www.kaifashuo.com/), offering in-depth reviews of hosting deals and server operations and programming tips.
  • Link: https://www.kaifashuo.com/108.html