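In practice, the first step is to visit Certbot's official website and pick the right options. I don't need to deploy the certificate locally, so I chose "My HTTP website is running Other on Linux (snap)". After making the selection, follow the official instructions step by step to install certbot. For me the commands were the ones below; they may differ on other systems: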
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.my-domain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.my-domain.com.

with the following value:

4uSjh1kbHQFrozxG1F9bK2UF6UxNm893qYE8n7pE6dQ

Before continuing, verify the TXT record has been deployed. Depending on the DNS provider, this may take some time, from a few seconds to multiple minutes. You can check if it has finished deploying with aid of online tools, such as the Google Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.my-domain.com. Look for one or more bolded line(s) below the line ';ANSWER'. It should show the value(s) you've just added.
```
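As instructed above, you need to manually add a DNS record named _acme-challenge, of type TXT, whose content is the very long random string given in the output above. After adding it, open the Google Admin Toolbox URL, and once the record shows up there, press Enter to move on to the next step. Note that this requires permission to manage DNS for the domain; without it, you cannot add the record.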
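A command-line version of that check, as an added example that is not part of the original post: it polls `dig` until the exact value certbot printed appears under the challenge name. The function names, the 10-second interval and the optional resolver argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): wait until the DNS-01 TXT
# record is visible before pressing Enter in the certbot prompt.

# Map the requested domain to the record name certbot prints.
# "*.my-domain.com" and "my-domain.com." both give _acme-challenge.my-domain.com
challenge_name() {
    domain=${1#\*.}                       # drop a leading wildcard label
    printf '_acme-challenge.%s\n' "${domain%.}"
}

# Return 0 only if one TXT answer equals the expected value exactly.
# $1 = output of `dig +short TXT <name>` (one quoted answer per line)
# $2 = value printed by certbot
txt_has_value() {
    [ -n "$2" ] || return 1
    # dig wraps TXT data in double quotes; strip them, then require a
    # whole-line fixed-string match so a stale or partial value never passes.
    # "--" matters: base64url values may begin with "-".
    printf '%s\n' "$1" | tr -d '" ' | grep -Fxq -- "$2"
}

# Poll until the record is visible. $3 (optional) is a resolver to query,
# for example one of the zone's authoritative name servers; $4 is the
# number of attempts. Both defaults are choices made for this example.
wait_for_txt() {
    name=$(challenge_name "$1"); token=$2; server=${3:-}; tries=${4:-30}
    i=0
    while [ "$i" -lt "$tries" ]; do
        answers=$(dig +short TXT "$name" ${server:+"@$server"} 2>/dev/null)
        if txt_has_value "$answers" "$token"; then
            echo "TXT record visible at $name"
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "TXT record not visible at $name after $tries checks" >&2
    return 1
}

# Usage: sh wait-txt.sh '*.my-domain.com' '<value from certbot>' [resolver]
if [ "$#" -ge 2 ]; then
    wait_for_txt "$@"
fi
```

Querying an authoritative name server for the zone avoids being misled by a recursive resolver that still caches an older answer.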
If everything was done correctly, you will see the following output:
```
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/my-domain.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/my-domain.com/privkey.pem
This certificate expires on 2025-08-20.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
```