Manually Renewing a Let's Encrypt Certificate via DNS TXT

2020-05-30
Summary: This post records how to manually renew a Let's Encrypt certificate using the DNS TXT method.

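Last time I mentioned that, because cloud servers in mainland China are fairly strictly regulated, I applied for the certificate manually using the DNS TXT method. Today Certbot emailed me a reminder that the certificate is about to expire, so I decided to renew it.
However, because the certificate was originally issued manually via DNS, the renewal also has to be done manually via DNS. The key steps are recorded here.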

sudo certbot certonly --renew-by-default -d YOURDOMAIN --manual --preferred-challenges dns

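certonly: only obtain the certificate

--renew-by-default: renew the certificate using the default configuration

-d YOURDOMAIN: the domain whose certificate needs to be renewed

--manual: run interactively

--preferred-challenges dns: validate by means of a DNS TXT record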

This starts the renewal process, where we choose Yes:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for YOURDOMAIN

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

Next, go to your DNS provider and set the TXT record for _acme-challenge.YOURDOMAIN to ZyRP-9kEDjuTW**********hyw-8XZFkC7yE:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.YOURDOMAIN with the following value:

ZyRP-9kEDjuTW**********hyw-8XZFkC7yE

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Once the record is configured, press Enter. Certbot then prints a success message along with details such as the expiry date.
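
Certbot's prompt asks you to verify that the record is deployed before continuing. The following is an added example, not part of the original post or of Certbot: a small check that queries each authoritative nameserver directly with dig and requires an exact match of the TXT value. The function names and the sample domain and value in the comments are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: confirm the dns-01 TXT value is served by every authoritative
# nameserver before pressing Enter at the certbot prompt. Requires dig.

# txt_has_value EXPECTED
# Reads `dig +short TXT` output on stdin (one record per line, value wrapped in
# double quotes) and succeeds only if some record equals EXPECTED exactly.
txt_has_value() {
    local expected="$1" line
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#\"}; line=${line%\"}     # strip the surrounding quotes
        [ "$line" = "$expected" ] && return 0
    done
    return 1
}

# check_challenge ZONE RECORD EXPECTED
# ZONE is the zone apex (where the NS records live); RECORD is the full
# _acme-challenge name. Asking each authoritative server directly avoids being
# misled by a stale answer cached in a recursive resolver.
check_challenge() {
    local zone="$1" record="$2" expected="$3" ns found=0 missing=0
    for ns in $(dig +short NS "$zone"); do
        found=1
        if dig +short TXT "$record" "@$ns" | txt_has_value "$expected"; then
            echo "ok      $ns"
        else
            echo "missing $ns"
            missing=1
        fi
    done
    # Fail if no nameserver was found or if any nameserver lacks the value.
    [ "$found" -eq 1 ] && [ "$missing" -eq 0 ]
}

# Usage (constructed values, substitute your own zone and the value certbot prints):
#   check_challenge example.com _acme-challenge.example.com 'VALUE_FROM_CERTBOT' \
#       && echo "safe to press Enter"
```

If any nameserver reports "missing", wait and run the check again before pressing Enter, since a failed validation means restarting the challenge with a new value.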