Certbot-voorbeeld: certificaat voor NGINX uitgeven en installeren met behulp van DNS-01-domeinvalidatie

Before you begin

To install the certificate, ensure you have the following ACME details:

ACME directory URL:
For CertCentral accounts, use the region-specific URL (See Inbound IP addresses and URLs by environment and region).
Base URL: https://one.digicert.com/mpki/api/v1/acme/v2/directory
Region-specific URLs:
EU region: https://one.nl.digicert.com orhttps://one.ch.digicert.com
Japan region: https://one.digicert.co.jp
US region: https://one.us.digicert.com
The external account binding (EAB) credentials from DigiCert:
- The EAB key identifier (KID). For CertCentral. accounts, use ACME credentialsi.
  Sample KID: zcwmKf9sCnDUZsbCOgnv1ijy46l6UeEYCavSQQirl-g
- The external account binding HMAC key from your ACME credentials.
  Sample HMAC: RHZraHBXQUxWTEFGdFhndjRVNmV3S3F6c2VNZDM1QzRURGhjdHF3S1NublJjN3dhVUFObzA0SXJwVHBnU2xnR

Issue and install the certificate using DNS-01 method

Copy the following command to the command-line prompt:

sudo certbot --nginx --register-unsafely-without-email --eab-kid {MY-KEY-IDENTIFIER} --eab-hmac-key {MY-HMAC-KEY} --server {ACME-URL} --config-dir {MY-CONFIG-DIR} -d {FQDN} --manual --preferred-challenges dns

Replace the command argument placeholders in curly braces with your actual values:
Command argument placeholders
- {MY-KEY-IDENTIFIER}: Use the EAB KID.
- {MY-HMAC-KEY}: Use the EAB HMAC key.
- {ACME-URL}: Use your region-specific ACME directory URL.
- {MY-CONFIG-DIR}: Path to Certbot configuration files for the current application. If --config-dir is omitted, Certbot defaults to /etc/letsencrypt.
- {FQDN}: Fully qualified domain name (FQDN) to secure the certificate. Use an extra -d for each additional domain; the first entry becomes the common name (CN).
Order handling
- Default order: If the requested certificate matches an existing order, automatically applies the default automation action. See ACME automation actions.
- New order: If no matching order exists, or if the ACME URL includes ?action=enroll, treats the request as a new order and enrolls the certificate.
Validation and template requirements
- For OV and EV certificates with prevalidated domains in CertCentral, CertCentral performs out-of-band domain control validation outside the ACME protocol.
De --preferred-challenges optie specificeert de voorkeursvorm van domeinvalidatie. Binnenkomen dns hier om DNS-01-validatie aan te vragen.
This applies to DV certificates and OV/EV certificates that are not prevalidated.
To manually add a DNS record to your domain, use the --manual option to complete the validation challenge.
When run in manual mode, the command is interactive: Certbot provides the DNS validation parameters to decide how the validation gets carried out. For example:
```
_acme-challenge.example.com. 300 IN TXT "mJ9ffxp9pX...f0EDcZZ_klG5wWD1"
```
To complete the process, run the command.

What's next

The certificate is validated, issued, and installed successfully.

The domains are validated, and the certificate is issued and installed on your NGINX server.

To renew, reissue, or duplicate the certificate, see ???

In deze sectie: