1-2 申請憑證

因為我也不希望certbot會自行更動設定檔，以免改到不該改的設定而我不自知，而且我也需要單單域名的憑證因此會有如下的執行過程：

[root@prox ~]# certbot certonly --manual -d "*.lx.idv.tw" -d "lx.idv.tw" --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for lx.idv.tw
dns-01 challenge for lx.idv.tw

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

在你接續按下"Y"之後憑證就會產生了。

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.lx.idv.tw with the following value:

WMKAXXXXXXXXwWfk98Nj_mIcU9GCxQzXXXXXXXX02LM

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

第一個憑證已經產生在你接續按下"enter"之後，第二個憑證也會跟著產生。

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.lx.idv.tw with the following value:

GJrVXXXXXXXXPU5noiVb1n90D-O2021XXXXXXXXfc08

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

要注意!!!  在二個憑證都已經產生後，在你接續按下"enter"之前，你必須要先去確認DNS已經設定成功。

Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/lx.idv.tw/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/lx.idv.tw/privkey.pem
   Your cert will expire on 2019-08-11. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

依照上面列出來的pem檔的路徑，最後我們就可以去設定nginx的憑證了。