Configuring Let’s Encrypt SSL Certificate for Nginx on Ubuntu 18.04

Install Let’s Encrypt client (Certbot)

sudo apt-get update && sudo apt-get install software-properties-common
sudo add-apt-repository universe && sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update && sudo apt-get install certbot python-certbot-nginx

Configure the Firewall

sudo ufw allow OpenSSH
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
sudo ufw status

You should see:

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6) 

Get an SSL Certificate

sudo certbot --nginx

Enter your contact email:

Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

Type A to agree, then press Enter:

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel:

Answer No; there is no need to share your email:

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o:

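Certbot scans your configuration files to find your domain names. Select the ones you want, or leave the input blank to select all of them: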

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: yourdomain.com
2: www.yourdomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel)

Choose 2 so that all requests are redirected to HTTPS:

Congratulations! You have successfully enabled https://yourdomain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=yourdomain.com

Now open https://yourdomain.com to check that the SSL certificate is working. You can test your site's SSL security grade on the SSL Labs page that Certbot links to.

Note: On 2020/1/31, SSL Labs began capping the grade at B for every site that allows TLS 1.0 and TLS 1.1, and Certbot's default settings currently still allow TLS 1.0 and TLS 1.1.

This article, Turn Your Website SSL Labs Test Grade to A+, can help you raise your site's SSL score.
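
To see whether your Nginx configuration still enables TLS 1.0 or TLS 1.1, as the note above describes, the following added example (not part of the original post) scans configuration text for ssl_protocols directives that list TLSv1 or TLSv1.1. The function name legacy_tls_lines is hypothetical, and the sample configurations and their paths are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: report ssl_protocols directives that still enable TLS 1.0/1.1.
# Input is Nginx configuration text on stdin, e.g. the dump from `nginx -T`,
# whose "# configuration file <path>:" markers are used to name each file.
# Limitation: a directive split across several lines is not handled.
# Exit status: 0 if a legacy protocol was found, 1 if none.
legacy_tls_lines() {
    awk '
        BEGIN { file = "stdin" }
        /^# configuration file / { file = $4; sub(/:$/, "", file); n = 0; next }
        { n++; sub(/#.*/, "") }            # count the line, then drop comments
        $1 == "ssl_protocols" {
            legacy = ""
            for (i = 2; i <= NF; i++) {
                tok = $i
                sub(/;$/, "", tok)         # last argument carries the ";"
                if (tok == "TLSv1" || tok == "TLSv1.1") legacy = legacy " " tok
            }
            if (legacy != "") { printf "%s:%d:%s\n", file, n, legacy; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample in the shape of `nginx -T` output (paths are made up).
WEAK_CONF='# configuration file /etc/nginx/nginx.conf:
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # legacy protocols still on
}
# configuration file /etc/nginx/conf.d/example.conf:
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}'

# Constructed corrected form: only TLS 1.2 and 1.3 remain.
FIXED_CONF='# configuration file /etc/nginx/nginx.conf:
http {
    ssl_protocols TLSv1.2 TLSv1.3;
}'

printf '%s\n' "$WEAK_CONF"  | legacy_tls_lines || echo "weak sample: nothing flagged"
printf '%s\n' "$FIXED_CONF" | legacy_tls_lines || echo "fixed sample: no legacy TLS"

# On the server: sudo nginx -T 2>/dev/null | legacy_tls_lines
```

Each reported line has the form file:line: followed by the legacy protocols found there; after editing that directive and reloading Nginx, rerun the SSL Labs test.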
