How do you install a Let's Encrypt SSL certificate on a CentOS 7 cloud server?

  • Published: 2021-12-03 10:09:44

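This guide explains how to install an SSL certificate on a CentOS 7 cloud server that uses Apache as the web server. Once installation succeeds, traffic between the server and its clients is encrypted. SSL certificates are widely used by e-commerce sites and the online finance industry. Let's Encrypt is a pioneer of free SSL certificates and one of the most commonly used SSL certificates.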

Install Certbot

First, install two dependency packages:

sudo yum install -y epel-release mod_ssl

Install the Certbot client. Certbot is a tool that makes SSL certificates easy to manage.

sudo yum install python-certbot-apache

Install the SSL certificate

Install and configure the SSL certificate. Replace example.com with your actual domain name.

sudo certbot --apache -d example.com

To generate a certificate for several domain names, use the following command. Note that the first domain must be the root domain.

sudo certbot --apache -d example.com -d www.example.com

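During installation, a step-by-step configuration wizard is shown. We can choose whether to force HTTPS or keep HTTP as the default protocol, and the wizard also asks for the certificate administrator's e-mail address and other details. When installation completes, the system displays the following result: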

IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
emails sent to user@example.com.
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.com/fullchain.pem. Your cert
will expire on 2019-04-21. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also have certificates and private keys obtained by Let's
Encrypt so regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by:

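Set up automatic renewal

Let's Encrypt certificates are valid for 90 days, so they must be renewed in time. Certbot helps us renew the certificate. Here we need to confirm that Certbot's renewal function works properly.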

sudo certbot renew

If the certificate was installed recently, Certbot only reports the expiry date and does not renew it.

Processing  /etc/letsencrypt/renewal/example.com.conf
The following certs are not due for renewal yet:
    /etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.

Automatic renewal is set up with a scheduled cron job.

sudo crontab -e

Add the following scheduled job, which runs once every Monday at midnight.

0 0 * * 1 /usr/bin/certbot renew >> /var/log/sslrenew.log
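
A cron job that fails quietly leaves the site serving an expiring certificate, so it helps to check the expiry date independently of the renewal log. The script below is an added example, not part of the original guide: it classifies a certificate's notAfter date against the weekly schedule above. It assumes GNU date (as on CentOS 7) and certbot's default behaviour of renewing once fewer than 30 days remain; the function name cert_status and the status labels are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Assumes GNU date, as on CentOS 7.
RENEW_WINDOW_DAYS=30   # assumption: certbot's default, renew when under 30 days remain
CRON_INTERVAL_DAYS=7   # the weekly cron job configured above

# cert_status "<notAfter line from openssl>" <now as epoch seconds>
# Prints OK, RENEWAL_DUE, RENEWAL_OVERDUE, EXPIRED or UNPARSEABLE.
cert_status() {
    local not_after="${1#notAfter=}" now="$2" expiry remaining
    # An empty string would make `date -d` return today, so reject it explicitly.
    [ -n "$not_after" ] || { echo "UNPARSEABLE"; return 0; }
    expiry=$(date -u -d "$not_after" +%s 2>/dev/null) || { echo "UNPARSEABLE"; return 0; }
    remaining=$(( expiry - now ))
    if [ "$remaining" -le 0 ]; then
        echo "EXPIRED"
    elif [ "$remaining" -lt $(( (RENEW_WINDOW_DAYS - CRON_INTERVAL_DAYS) * 86400 )) ]; then
        # At least one weekly run inside the renewal window did not renew.
        echo "RENEWAL_OVERDUE"
    elif [ "$remaining" -lt $(( RENEW_WINDOW_DAYS * 86400 )) ]; then
        echo "RENEWAL_DUE"
    else
        echo "OK"
    fi
}

# Constructed sample: the expiry date from the certbot output shown earlier.
SAMPLE="notAfter=Apr 21 00:00:00 2019 GMT"
echo "sample, 10 days before expiry: $(cert_status "$SAMPLE" 1554940800)"

# Check the live certificate when it is present and readable.
CERT="${1:-/etc/letsencrypt/live/example.com/fullchain.pem}"
if [ -r "$CERT" ] && command -v openssl >/dev/null 2>&1; then
    end=$(openssl x509 -in "$CERT" -noout -enddate)
    echo "$CERT: $(cert_status "$end" "$(date +%s)") ($end)"
fi
```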

This completes the installation of a free SSL certificate on a CentOS 7 cloud server. Data between Apache and its clients is now encrypted, securing it in transit.
