"Certbot"-How to apply for a certificate in the intranet@20210225

Problem Description

When applying for a certificate by following Certbot's official guide, you need a web server reachable from the public internet with an HTTP site online. This is so the CA can query that site to verify that you control the domain name.

But sometimes we have neither a public server nor an external site, yet we want to use an HTTPS certificate in an internal test network. How do we apply for a certificate then?

Solution

Use the DNS challenge method. When applying for the certificate, select the DNS challenge; during the process you will be prompted to add a DNS record for the domain.

The first step, start to apply for a certificate

Execute the following command to start the application and follow the prompts:

certbot certonly --manual --preferred-challenges dns -d example.com

When you see a prompt like the following, go to the next step and add the TXT record:

Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:

667drNmQL3vX6bu8YZlgy0wKNBlCny8yrjF1lSaUndc

Once this is deployed,
Press ENTER to continue

The second step, add the DNS record

According to the prompt above, add a TXT record named _acme-challenge.example.com with 667drNmQL3vX6bu8YZlgy0wKNBlCny8yrjF1lSaUndc as its value.

Note that DNS records do not take effect immediately, so wait a while before pressing Enter. You can use the command dig +short -t txt _acme-challenge.example.com to verify that the record is visible in DNS.
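As an added example (not code from the original post), the following shell script automates that check: it polls DNS with the same dig command until the exact TXT value from the prompt appears, so you only press Enter once the record is really visible. It assumes dig is installed; the record name and value are the placeholders from the prompt above, and the optional nameserver argument is my addition for querying the zone's authoritative server directly, since a caching resolver may still hold an old answer.

```shell
#!/bin/sh
# Added example: wait for the _acme-challenge TXT record before continuing.

# txt_record_present DIG_OUTPUT EXPECTED
# Returns 0 if EXPECTED is one of the TXT strings in DIG_OUTPUT (the text that
# `dig +short -t txt NAME` prints, one double-quoted string per line).
# Whole-line, fixed-string matching avoids accepting a stale token that merely
# contains the expected one as a substring.
txt_record_present() {
    printf '%s\n' "$1" | grep -Fqx "\"$2\""
}

# wait_for_txt NAME EXPECTED [TRIES] [DELAY_SECONDS] [NAMESERVER]
# Polls DNS until the record is seen or the attempts are exhausted.
# Pass the zone's authoritative nameserver as NAMESERVER to bypass caches.
wait_for_txt() {
    name="$1"; expected="$2"; tries="${3:-30}"; delay="${4:-10}"; ns="$5"
    i=0
    while [ "$i" -lt "$tries" ]; do
        if [ -n "$ns" ]; then
            answer="$(dig +short -t txt "$name" "@$ns" 2>/dev/null)"
        else
            answer="$(dig +short -t txt "$name" 2>/dev/null)"
        fi
        if txt_record_present "$answer" "$expected"; then
            echo "TXT record for $name is visible; you can press ENTER in certbot"
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    echo "TXT record for $name not visible after $tries attempts" >&2
    return 1
}

# Usage with the values from the certbot prompt (placeholders):
# wait_for_txt _acme-challenge.example.com 667drNmQL3vX6bu8YZlgy0wKNBlCny8yrjF1lSaUndc
```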

The third step, press the Enter key

After confirming that the DNS record is in effect, press Enter; you will see a message that the certificate was issued successfully (similar to the following):

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-03-11. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The fourth step, use the certificate

Unlike the other methods, this one only obtains the certificate; you must modify the web server configuration yourself to use it.

The fifth step, the certificate is automatically renewed

The certificate is valid for 90 days, so you need to run the certbot renew command from a scheduled task to renew it; see the official documentation for details. However, with the manual plugin additional steps are required; refer to the note 「Certbot」- The manual plugin is not working.

Additional information

In Tencent Cloud, if the domain name of the HTTP site has no ICP filing, the HTTP challenge will fail (because the unfiled HTTP site is redirected). In that case, (1) use the DNS challenge to obtain only the certificate, and (2) then run certbot with --nginx or another installer option; for the existing certificate, it will prompt you to install it.

Related articles

「Certbot」- Installation
「Certbot」- ImportError: 'pyOpenSSL' module missing required functionality
「Certbot」- SERVFAIL looking up CAA for
「Certbot」- The manual plugin is not working
「Certbot」- ocsp.int-x3.letsencrypt.org Read timed out


Source: blog.csdn.net/u013670453/article/details/114077571