2025-07-05
Server

Contents

1. Install Certbot
2. Domain Validation
3. Obtain the Domain


1. Install Certbot

```bash
sudo apt install certbot -y
certbot --version
certbot 2.9.0
```

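2. Domain Validation

Wildcard domains are validated with the DNS-01 challenge: you prove control of the domain by adding a specific TXT record (such as _acme-challenge) to its DNS records.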

```bash
certbot certonly --manual --preferred-challenges dns \
  -d "*.zenseek.site" -d "zenseek.site" --email brain_07@163.com --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.zenseek.site and zenseek.site
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:
_acme-challenge.zenseek.site.
with the following value:
Za59txFdRj3s0I3v_fFxCy7jRN1erVai9j3285XXXXX
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
```

From another Linux terminal, check whether the TXT record resolves. If the string returned is the same as the one Certbot gave you, the record is in place.

```bash
dig TXT _acme-challenge.zenseek.site +short
"Za59txFdRj3s0I3v_fFxCy7jRN1erVai9j3285XXXXX"
```

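Now press Enter, and Certbot goes through the validation once more. The prompt specifically stresses that the previous challenge must not be deleted. A record with the same name can hold two TXT values.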

```bash
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:
_acme-challenge.zenseek.site.
with the following value:
71QWlJFQnx-KseIECTqhPCbisU2b2wbq9rWre3XXXXX
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)
Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.zenseek.site.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
```

Run dig again; sometimes you will find that there are two values.

```bash
dig TXT _acme-challenge.zenseek.site +short
"71QWlJFQnx-KseIECTqhPCbisU2b2wbq9rWre3XXXXX"
"Za59txFdRj3s0I3v_fFxCy7jRN1erVai9j3285XXXXX"
```
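The manual dig checks above can be scripted. The following is an added example, not part of the original post: it asks every authoritative nameserver of the zone for every expected TXT value, because a caching resolver can return an answer that one of the authoritative servers does not serve yet. The function names, the `DIG` override and the file name `check_txt.sh` are assumptions made for this illustration.

```bash
#!/bin/sh
# Added example (not from the original post): gate the "Press Enter" step on
# every authoritative nameserver serving every expected TXT value.
# DIG is overridable so the logic can be exercised without network access.
DIG=${DIG:-dig}

# has_all_tokens DIG_SHORT_OUTPUT TOKEN...
# True only if each TOKEN is present as a complete quoted TXT value.
# The body runs in a subshell, so its variables do not leak to the caller.
has_all_tokens() (
  answers=$1; shift
  for token in "$@"; do
    # `dig +short` prints one TXT value per line, wrapped in double quotes;
    # -x -F demands an exact whole-line match, so a truncated value fails.
    printf '%s\n' "$answers" | grep -qxF -- "\"$token\"" || return 1
  done
  return 0
)

# check_challenge NAME TOKEN...
# Assumption: NAME sits directly under the zone apex, as in the post.
check_challenge() (
  name=$1; shift
  zone=${name#_acme-challenge.}
  servers=$($DIG NS "$zone" +short)
  # No NS answer means nothing was checked; report that as a failure.
  [ -n "$servers" ] || { echo "no nameservers found for $zone" >&2; return 2; }
  rc=0
  for ns in $servers; do
    if has_all_tokens "$($DIG TXT "$name" +short "@$ns")" "$@"; then
      echo "ok       $ns"
    else
      echo "missing  $ns"; rc=1
    fi
  done
  return $rc
)

# Usage: sh check_txt.sh _acme-challenge.zenseek.site VALUE1 VALUE2
if [ "$#" -ge 2 ]; then check_challenge "$@"; fi
```

Exit status 0 means every nameserver returned every value, 1 means at least one value is missing somewhere, and 2 means no nameserver could be found.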

3. Obtain the Domain

Press Enter once more, and Certbot reports that your certificate was generated successfully.

```bash
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/zenseek.site/fullchain.pem
Key is saved at: /etc/letsencrypt/live/zenseek.site/privkey.pem
This certificate expires on 2025-10-03.
These files will be updated when the certificate renews.
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
 * Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

After that, the certificate can be attached to Nginx.

Author: 潘晓可


Copyright notice: Unless otherwise stated, all articles on this blog are licensed under BY-NC-SA. Please credit the source when reposting!