Certbot: Issue and install certificate for NGINX using DNS-01 domain validation

At the command-line prompt, use the following command syntax to issue and install a public DV/OV/EV certificate for the NGINX web server, requesting domain control validation via the DNS-01 challenge:

sudo certbot --nginx --register-unsafely-without-email --eab-kid {MY-KEY-IDENTIFIER} --eab-hmac-key {MY-HMAC-KEY} --server {ACME-URL} --config-dir {MY-CONFIG-DIR} -d {FQDN} --manual --preferred-challenges dns

Note the following:

  • For DV certificates, domain control validation checks always get handled dynamically by the ACME protocol.

  • For OV/EV certificates, domain validation checks only get handled by the ACME protocol if the domain is not already prevalidated in CertCentral. If the domain is prevalidated, then CertCentral validates the domain itself, out-of-band and independent of the ACME protocol.

  • The --preferred-challenges option specifies the preferred form of domain validation. Enter dns here to request DNS-01 validation.

  • The --manual option means you will manually add a DNS record to your domain for the validation challenge.

  • This command runs interactively. Certbot supplies the required DNS validation parameters, which must be added as a TXT DNS record. For example:

    _acme-challenge.example.com. 300 IN TXT "mJ9ffxp9pX...f0EDcZZ_klG5wWD1"

  • After the TXT DNS record is in place, the command completes, and the certificate is validated, issued, and installed.

  • If the requested certificate matches an existing order, CertCentral applies the default automation action for that order (see ACME automation actions). If there is no matching order, or if the ACME URL includes ?action=enroll, CertCentral treats it as a new order and enrolls the new certificate for you.

Example command:

sudo certbot --nginx --register-unsafely-without-email --eab-kid zcskpf8sCnHGBsbCOgnv1ijy00l6UeEYCavSSSirl-k --eab-hmac-key DDDraHBXQUxWTEFGdFhndjRVNmV4t4F6c2VNZDM1QzRURGhjdHF3S1NublJjN0dhVUFObzA0SXJwVHBnU2yyUH --server https://one.digicert.com/mpki/api/v1/acme/v2/directory --config-dir /usr/local/certbot/my_public_webserver_config/ -d example.com -d www.example.com --manual --preferred-challenges dns
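Because the command above pauses until you confirm the TXT record is in place, it is worth checking that the record has actually propagated to a public resolver before continuing; otherwise the ACME server's validation fails and the order has to be retried. The following POSIX shell script is an added example, not from the DigiCert documentation or from certbot; it assumes dig(1) is installed, and the record name, expected value and resolver are arguments you supply.

```shell
#!/bin/sh
# Added example (not from the DigiCert page or certbot): confirm that the
# _acme-challenge TXT record certbot asked for is visible on a public resolver
# before telling certbot to continue. Assumes dig(1) from BIND is installed.

# txt_values_match EXPECTED
# Reads `dig +short TXT` output on stdin (one quoted string per line, e.g.
# "mJ9ffxp9pX..."); succeeds if any line equals EXPECTED once the quotes are
# stripped. ACME DNS-01 values are 43 characters, so they never hit the
# 255-byte split that dig prints as several quoted strings on one line.
txt_values_match() {
    expected=$1
    while IFS= read -r line; do
        value=${line#\"}
        value=${value%\"}
        [ "$value" = "$expected" ] && return 0
    done
    return 1
}

# txt_record_present NAME EXPECTED [RESOLVER]
# Queries RESOLVER (default 1.1.1.1) rather than the local cache so that a
# stale negative answer on this host does not hide a record that is already live.
txt_record_present() {
    dig +short TXT "$1" "@${3:-1.1.1.1}" | txt_values_match "$2"
}

# wait_for_txt NAME EXPECTED [ATTEMPTS] [DELAY] [RESOLVER]
# Polls until the value is visible or ATTEMPTS (default 20) is exhausted,
# sleeping DELAY seconds (default 15) between tries. Exit status 0 on success.
wait_for_txt() {
    name=$1; expected=$2; attempts=${3:-20}; delay=${4:-15}; resolver=${5:-1.1.1.1}
    i=1
    while [ "$i" -le "$attempts" ]; do
        if txt_record_present "$name" "$expected" "$resolver"; then
            echo "TXT record for $name is visible on $resolver (attempt $i)"
            return 0
        fi
        echo "attempt $i/$attempts: $name not visible yet, retrying in ${delay}s" >&2
        sleep "$delay"
        i=$((i + 1))
    done
    echo "gave up: $name did not show the expected value after $attempts attempts" >&2
    return 1
}

# Usage: sh check_acme_txt.sh _acme-challenge.example.com '<value certbot displayed>'
if [ "$#" -ge 2 ]; then
    wait_for_txt "$@"
fi
```

Run it in a second terminal while certbot is waiting, and press Enter in the certbot session only once it reports the record as visible.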