Environment

[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
[root@localhost ~]# uname -r
3.10.0-862.11.6.el7.x86_64

Installation

certbot is installed here with yum.

# The certbot package lives in the EPEL repository, so install EPEL first
# Alternative installation method: download the wrapper directly with wget https://dl.eff.org/certbot-auto
# All of the domains are on Cloudflare, so the certbot-dns-cloudflare plugin is installed to add the TXT records automatically through the Cloudflare API
# Official plugin documentation: https://certbot-dns-cloudflare.readthedocs.io/en/stable/
yum -y install epel-release
yum -y install certbot
# This venv path is the one created by certbot-auto; the yum package installs certbot into the system Python instead
source /opt/eff.org/certbot/venv/bin/activate
pip install certbot-dns-cloudflare
# The wildcard name is quoted so the shell does not try to expand it as a glob
certbot certonly --agree-tos --manual-public-ip-logging-ok --dns-cloudflare --dns-cloudflare-credentials cloudflare.ini --dns-cloudflare-propagation-seconds 30 -d '*.xleon.top' -d xleon.top --server https://acme-v02.api.letsencrypt.org/directory --email xxx@qq.com -n
# Without the plugin, the following command issues a wildcard certificate interactively (you add the TXT record by hand)
./certbot-auto certonly --manual -d '*.example.com' -d example.com --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

renew

Let's Encrypt certificates are valid for 90 days, so they have to be renewed before they expire. The renew command does this; put it in a cron job.

certbot renew -q --deploy-hook /path/to/script
# --deploy-hook: script run after a successful renewal; --pre-hook: script run before renewal; --post-hook: script run after renewal

If you renew all of your certificates manually, the --force-renewal flag may help: it causes certificate expiry times to be ignored when deciding whether to renew, and tries to renew every installed certificate regardless of its age. (This flag is not suitable for running daily, because every certificate would then be renewed every day, which quickly hits the certificate authority's rate limit of 50.) If you are sure the command runs successfully without human intervention, you can add it to crontab (because a certificate is only renewed when it is found to be close to expiry, the command can run on a regular schedule, such as weekly or daily). In that case you will probably want the -q or --quiet flag, which silences all output except errors.
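The following deploy-hook script is an added example, not code from the original post: it is the kind of script `--deploy-hook /path/to/script` would point at. When certbot runs the hook it exports `$RENEWED_LINEAGE` (the live directory of the renewed lineage) and `$RENEWED_DOMAINS` (a space-separated list of the renewed names), as the help text further down documents. The target directory `/etc/nginx/tls`, the `systemctl reload nginx` command and the idea that the web server reads a copy of the key pair rather than `/etc/letsencrypt` directly are assumptions for the example; the domain `xleon.top` is the one used on this page.

```shell
#!/bin/sh
# Added example deploy hook for `certbot renew --deploy-hook` (not from the original post).
# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/xleon.top) and
# RENEWED_DOMAINS (e.g. "xleon.top *.xleon.top") before invoking the hook.
set -eu

TLS_DIR="${TLS_DIR:-/etc/nginx/tls}"                # assumption: where the server expects cert + key
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"  # assumption: how the server is reloaded
MANAGED_DOMAIN="xleon.top"                          # the name this hook is responsible for

# Octal permission bits of a file (GNU stat, with a BSD stat fallback).
file_mode() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Return 0 when one of the space-separated renewed domains equals the
# managed name; the hook is registered globally, so it must ignore
# renewals of lineages it does not own.
lineage_matches() {
  wanted="$1"
  for d in $2; do
    [ "$d" = "$wanted" ] && return 0
  done
  return 1
}

# Copy fullchain.pem and privkey.pem out of the lineage directory.
# The private key is written 0600 and both files are renamed into place
# atomically so the server never loads a half-written pair.
# Returns 1 if either file is missing from the lineage.
install_cert() {
  lineage="$1"; dest="$2"
  [ -f "$lineage/fullchain.pem" ] || { echo "missing fullchain.pem in $lineage" >&2; return 1; }
  [ -f "$lineage/privkey.pem" ]   || { echo "missing privkey.pem in $lineage" >&2; return 1; }
  mkdir -p "$dest"
  chmod 700 "$dest"
  install -m 644 "$lineage/fullchain.pem" "$dest/fullchain.pem.tmp"
  install -m 600 "$lineage/privkey.pem"   "$dest/privkey.pem.tmp"
  mv -f "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
  mv -f "$dest/privkey.pem.tmp"   "$dest/privkey.pem"
  [ "$(file_mode "$dest/privkey.pem")" = "600" ] || { echo "unexpected key mode" >&2; return 1; }
}

main() {
  if ! lineage_matches "$MANAGED_DOMAIN" "$RENEWED_DOMAINS"; then
    echo "skipping $RENEWED_LINEAGE (domains: $RENEWED_DOMAINS)"
    return 0
  fi
  install_cert "$RENEWED_LINEAGE" "$TLS_DIR"
  $RELOAD_CMD
  echo "installed renewed certificate for $RENEWED_DOMAINS into $TLS_DIR"
}

# certbot always sets RENEWED_LINEAGE; when the variable is absent the file
# is being sourced (for instance by a test) and main must not run.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  : "${RENEWED_DOMAINS:?set by certbot}"
  main
fi
```

Install it with `chmod 700` and point `--deploy-hook` at it (or drop it into `/etc/letsencrypt/renewal-hooks/deploy/`); `certbot renew --dry-run` will not call deploy hooks, so test it once by exporting the two variables by hand against a throw-away directory.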

The cloudflare.ini file

dns_cloudflare_email = your_cloudflare_email_account
dns_cloudflare_api_key = your_api_key
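This file holds the Cloudflare global API key, which can change any record in the account, so it should be readable only by the user running certbot (certbot-dns-cloudflare logs a warning about unsafe permissions on the credentials file otherwise; newer plugin versions also accept a scoped `dns_cloudflare_api_token` instead of the global key). As an added example, not from the original post, here is a small sh check that verifies the file's mode and owner and that both keys have been filled in with something other than the template placeholders above before the file is handed to `--dns-cloudflare-credentials`; the key names are the ones from the page's cloudflare.ini.

```shell
#!/bin/sh
# Added example: sanity-check a certbot-dns-cloudflare credentials file
# before passing it to --dns-cloudflare-credentials (not from the original post).
set -eu

# Octal permission bits of a file (GNU stat, with a BSD stat fallback).
file_mode() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Print the value of KEY from an INI-style FILE; tolerates spaces around '=',
# CRLF line endings and trailing whitespace. Prints nothing if KEY is absent.
ini_value() {
  key="$1"; file="$2"
  sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" \
    | head -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//'
}

# Return 0 if FILE is safe to use as a credentials file: it is a regular
# file, mode 0600 or 0400, owned by the invoking user, and both fields are
# set to something other than the template placeholders. Otherwise print
# the reason to stderr and return 1.
check_credentials_file() {
  f="$1"
  [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
  mode=$(file_mode "$f")
  case "$mode" in
    600|400) ;;
    *) echo "$f: mode $mode is too open, run: chmod 600 $f" >&2; return 1 ;;
  esac
  [ -O "$f" ] || { echo "$f: not owned by $(id -un)" >&2; return 1; }
  email=$(ini_value dns_cloudflare_email "$f")
  key=$(ini_value dns_cloudflare_api_key "$f")
  if [ -z "$email" ] || [ "$email" = "your_cloudflare_email_account" ]; then
    echo "$f: dns_cloudflare_email is missing or still the placeholder" >&2; return 1
  fi
  if [ -z "$key" ] || [ "$key" = "your_api_key" ]; then
    echo "$f: dns_cloudflare_api_key is missing or still the placeholder" >&2; return 1
  fi
  return 0
}

# Usage: ./check-cloudflare-ini.sh /etc/letsencrypt/cloudflare.ini
# Only runs when invoked with an argument, so the file can also be sourced.
if [ "$#" -ge 1 ]; then
  check_credentials_file "$1" && echo "$1: ok"
fi
```

Run it before the `certbot certonly` command from the installation section; a non-zero exit means the file would either be rejected or would leak the API key to other local users.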

Problems

pip uninstall requests
pip uninstall urllib3
yum remove python-urllib3
yum remove python-requests
yum -y  install python-urllib3
yum -y install python-requests
yum install certbot -y
yum install docker-compose

Certbot command-line options

Certbot supports a lot of command line options. Here's the full list, from certbot --help all:

usage: certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near expiry
    enhance         Add security enhancements to your existing configuration
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for
  --apache          Use the Apache plugin for authentication & installation
  --standalone      Run a standalone webserver for authentication
  --nginx           Use the Nginx plugin for authentication & installation
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certificates interactively, or using shell script hooks
   -n               Run non-interactively
  --test-cert       Obtain a test certificate from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certificates to disk

manage certificates:
    certificates    Display information about certificates you have from Certbot
    revoke          Revoke a certificate (supply --cert-path or --cert-name)
    delete          Delete a certificate

manage your account with Let's Encrypt:
    register        Create a Let's Encrypt ACME account
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG_FILE, --config CONFIG_FILE
                        path to config file (default: /etc/letsencrypt/cli.ini and ~/.config/letsencrypt/cli.ini)
  -v, --verbose         This flag can be used multiple times to incrementally increase the verbosity of output, e.g. -vvv. (default: -2)
  --max-log-backups MAX_LOG_BACKUPS
                        Specifies the maximum number of backup logs that should be kept by Certbot's built in log rotation. Setting this flag to 0 disables log rotation entirely, causing Certbot to always append to the same log file. (default: 1000)
  -n, --non-interactive, --noninteractive
                        Run without ever asking for user input. This may require additional command line flags; the client will try to explain which ones are required if it finds one missing (default: False)
  --force-interactive   Force Certbot to be interactive even if it detects it's not being run in a terminal. This flag cannot be used with the renew subcommand. (default: False)
  -d DOMAIN, --domains DOMAIN, --domain DOMAIN
                        Domain names to apply. For multiple domains you can use multiple -d flags or enter a comma separated list of domains as a parameter. The first domain provided will be the subject CN of the certificate, and all domains will be Subject Alternative Names on the certificate. The first domain will also be used in some software user interfaces and as the file paths for the certificate and related material unless otherwise specified or you already have a certificate with the same name. In the case of a name collision it will append a number like 0001 to the file path name. (default: Ask)
  --cert-name CERTNAME  Certificate name to apply. This name is used by Certbot for housekeeping and in file paths; it doesn't affect the content of the certificate itself. To see certificate names, run 'certbot certificates'. When creating a new certificate, specifies the new certificate's name. (default: the first provided domain or the name of an existing certificate on your system for the same domains)
  --dry-run             Perform a test run of the client, obtaining test (invalid) certificates but not saving them to disk. This can currently only be used with the 'certonly' and 'renew' subcommands. Note: Although --dry-run tries to avoid making any persistent changes on a system, it is not completely side-effect free: if used with webserver authenticator plugins like apache and nginx, it makes and then reverts temporary config changes in order to obtain test certificates, and reloads webservers to deploy and then roll back those changes. It also calls --pre-hook and --post-hook commands if they are defined because they may be necessary to accurately simulate renewal. --deploy-hook commands are not called. (default: False)
  --debug-challenges    After setting up challenges, wait for user input before submitting to CA (default: False)
  --preferred-challenges PREF_CHALLS
                        A sorted, comma delimited list of the preferred challenge to use during authorization with the most preferred challenge listed first (Eg, "dns" or "tls-sni-01,http,dns"). Not all plugins support all challenges. See https://certbot.eff.org/docs/using.html#plugins for details. ACME Challenges are versioned, but if you pick "http" rather than "http-01", Certbot will select the latest version automatically. (default: [])
  --user-agent USER_AGENT
                        Set a custom user agent string for the client. User agent strings allow the CA to collect high level statistics about success rates by OS, plugin and use case, and to know when to deprecate support for past Python versions and flags. If you wish to hide this information from the Let's Encrypt server, set this to "". (default: CertbotACMEClient/0.28.0 (certbot(-auto); OS_NAME OS_VERSION) Authenticator/XXX Installer/YYY (SUBCOMMAND; flags: FLAGS) Py/major.minor.patchlevel). The flags encoded in the user agent are: --duplicate, --force-renew, --allow-subset-of-names, -n, and whether any hooks are set.
  --user-agent-comment USER_AGENT_COMMENT
                        Add a comment to the default user agent string. May be used when repackaging Certbot or calling it from another tool to allow additional statistical data to be collected. Ignored if --user-agent is set. (Example: Foo-Wrapper/1.0) (default: None)

automation:
  Flags for automating execution & other tweaks

  --keep-until-expiring, --keep, --reinstall
                        If the requested certificate matches an existing certificate, always keep the existing one until it is due for renewal (for the 'run' subcommand this means reinstall the existing certificate). (default: Ask)
  --expand              If an existing certificate is a strict subset of the requested names, always expand and replace it with the additional names. (default: Ask)
  --version             show program's version number and exit
  --force-renewal, --renew-by-default
                        If a certificate already exists for the requested domains, renew it now, regardless of whether it is near expiry. (Often --keep-until-expiring is more appropriate). Also implies --expand. (default: False)
  --renew-with-new-domains
                        If a certificate already exists for the requested certificate name but does not match the requested domains, renew it now, regardless of whether it is near expiry. (default: False)
  --reuse-key           When renewing, use the same private key as the existing certificate. (default: False)
  --allow-subset-of-names
                        When performing domain validation, do not consider it a failure if authorizations can not be obtained for a strict subset of the requested domains. This may be useful for allowing renewals for multiple domains to succeed even if some domains no longer point at this system. This option cannot be used with --csr. (default: False)
  --agree-tos           Agree to the ACME Subscriber Agreement (default: Ask)
  --duplicate           Allow making a certificate lineage that duplicates an existing one (both can be renewed in parallel) (default: False)
  --os-packages-only    (certbot-auto only) install OS package dependencies and then stop (default: False)
  --no-self-upgrade     (certbot-auto only) prevent the certbot-auto script from upgrading itself to newer released versions (default: Upgrade automatically)
  --no-bootstrap        (certbot-auto only) prevent the certbot-auto script from installing OS-level dependencies (default: Prompt to install OS-wide dependencies, but exit if the user says 'No')
  -q, --quiet           Silence all output except errors. Useful for automation via cron. Implies --non-interactive. (default: False)

security:
  Security parameters & server settings

  --rsa-key-size N      Size of the RSA key. (default: 2048)
  --must-staple         Adds the OCSP Must Staple extension to the certificate. Autoconfigures OCSP Stapling for supported setups (Apache version >= 2.3.3 ). (default: False)
  --redirect            Automatically redirect all HTTP traffic to HTTPS for the newly authenticated vhost. (default: Ask)
  --no-redirect         Do not automatically redirect all HTTP traffic to HTTPS for the newly authenticated vhost. (default: Ask)
  --hsts                Add the Strict-Transport-Security header to every HTTP response. Forcing browser to always use SSL for the domain. Defends against SSL Stripping. (default: None)
  --uir                 Add the "Content-Security-Policy: upgrade-insecure-requests" header to every HTTP response. Forcing the browser to use https:// for every http:// resource. (default: None)
  --staple-ocsp         Enables OCSP Stapling. A valid OCSP response is stapled to the certificate that the server offers during TLS. (default: None)
  --strict-permissions  Require that all configuration files are owned by the current user; only needed if your config is somewhere unsafe like /tmp/ (default: False)
  --auto-hsts           Gradually increasing max-age value for HTTP Strict Transport Security security header (default: False)

testing:
  The following flags are meant for testing and integration purposes only.

  --test-cert, --staging
                        Use the staging server to obtain or revoke test (invalid) certificates; equivalent to --server https://acme-staging-v02.api.letsencrypt.org/directory (default: False)
  --debug               Show tracebacks in case of errors, and allow certbot-auto execution on experimental platforms (default: False)
  --no-verify-ssl       Disable verification of the ACME server's certificate. (default: False)
  --tls-sni-01-port TLS_SNI_01_PORT
                        Port used during tls-sni-01 challenge. This only affects the port Certbot listens on. A conforming ACME server will still attempt to connect on port 443. (default: 443)
  --tls-sni-01-address TLS_SNI_01_ADDRESS
                        The address the server listens to during tls-sni-01 challenge. (default: )
  --http-01-port HTTP01_PORT
                        Port used in the http-01 challenge. This only affects the port Certbot listens on. A conforming ACME server will still attempt to connect on port 80. (default: 80)
  --http-01-address HTTP01_ADDRESS
                        The address the server listens to during http-01 challenge. (default: )
  --break-my-certs      Be willing to replace or renew valid certificates with invalid (testing/staging) certificates (default: False)

paths:
  Flags for changing execution paths & servers

  --cert-path CERT_PATH
                        Path to where certificate is saved (with auth --csr), installed from, or revoked. (default: None)
  --key-path KEY_PATH   Path to private key for certificate installation or revocation (if account key is missing) (default: None)
  --fullchain-path FULLCHAIN_PATH
                        Accompanying path to a full certificate chain (certificate plus chain). (default: None)
  --chain-path CHAIN_PATH
                        Accompanying path to a certificate chain. (default: None)
  --config-dir CONFIG_DIR
                        Configuration directory. (default: /etc/letsencrypt)
  --work-dir WORK_DIR   Working directory. (default: /var/lib/letsencrypt)
  --logs-dir LOGS_DIR   Logs directory. (default: /var/log/letsencrypt)
  --server SERVER       ACME Directory Resource URI. (default: https://acme-v02.api.letsencrypt.org/directory)

manage:
  Various subcommands and flags are available for managing your certificates:

  certificates          List certificates managed by Certbot
  delete                Clean up all files related to a certificate
  renew                 Renew all certificates (or one specified with --cert-name)
  revoke                Revoke a certificate specified with --cert-path or --cert-name
  update_symlinks       Recreate symlinks in your /etc/letsencrypt/live/ directory

run:
  Options for obtaining & installing certificates

certonly:
  Options for modifying how a certificate is obtained

  --csr CSR             Path to a Certificate Signing Request (CSR) in DER or PEM format. Currently --csr only works with the 'certonly' subcommand. (default: None)

renew:
  The 'renew' subcommand will attempt to renew all certificates (or more precisely, certificate lineages) you have previously obtained if they are close to expiry, and print a summary of the results. By default, 'renew' will reuse the options used to create obtain or most recently successfully renew each certificate lineage. You can try it with `--dry-run` first. For more fine-grained control, you can renew individual lineages with the `certonly` subcommand. Hooks are available to run commands before and after renewal; see https://certbot.eff.org/docs/using.html#renewal for more information on these.

  --pre-hook PRE_HOOK   Command to be run in a shell before obtaining any certificates. Intended primarily for renewal, where it can be used to temporarily shut down a webserver that might conflict with the standalone plugin. This will only be called if a certificate is actually to be obtained/renewed. When renewing several certificates that have identical pre-hooks, only the first will be executed. (default: None)
  --post-hook POST_HOOK
                        Command to be run in a shell after attempting to obtain/renew certificates. Can be used to deploy renewed certificates, or to restart any servers that were stopped by --pre-hook. This is only run if an attempt was made to obtain/renew a certificate. If multiple renewed certificates have identical post-hooks, only one will be run. (default: None)
  --deploy-hook DEPLOY_HOOK
                        Command to be run in a shell once for each successfully issued certificate. For this command, the shell variable $RENEWED_LINEAGE will point to the config live subdirectory (for example, "/etc/letsencrypt/live/example.com") containing the new certificates and keys; the shell variable $RENEWED_DOMAINS will contain a space-delimited list of renewed certificate domains (for example, "example.com www.example.com" (default: None)
  --disable-hook-validation
                        Ordinarily the commands specified for --pre-hook/--post-hook/--deploy-hook will be checked for validity, to see if the programs being run are in the $PATH, so that mistakes can be caught early, even when the hooks aren't being run just yet. The validation is rather simplistic and fails if you use more advanced shell constructs, so you can use this switch to disable it. (default: False)
  --no-directory-hooks  Disable running executables found in Certbot's hook directories during renewal. (default: False)
  --disable-renew-updates
                        Disable automatic updates to your server configuration that would otherwise be done by the selected installer plugin, and triggered when the user executes "certbot renew", regardless of if the certificate is renewed. This setting does not apply to important TLS configuration updates. (default: False)
  --no-autorenew        Disable auto renewal of certificates. (default: True)

certificates:
  List certificates managed by Certbot

delete:
  Options for deleting a certificate

revoke:
  Options for revocation of certificates

  --reason {unspecified,keycompromise,affiliationchanged,superseded,cessationofoperation}
                        Specify reason for revoking certificate. (default: unspecified)
  --delete-after-revoke
                        Delete certificates after revoking them. (default: None)
  --no-delete-after-revoke
                        Do not delete certificates after revoking them. This option should be used with caution because the 'renew' subcommand will attempt to renew undeleted revoked certificates. (default: None)

register:
  Options for account registration & modification

  --register-unsafely-without-email
                        Specifying this flag enables registering an account with no email address. This is strongly discouraged, because in the event of key loss or account compromise you will irrevocably lose access to your account. You will also be unable to receive notice about impending expiration or revocation of your certificates. Updates to the Subscriber Agreement will still affect you, and will be effective 14 days after posting an update to the web site. (default: False)
  --update-registration
                        With the register verb, indicates that details associated with an existing registration, such as the e-mail address, should be updated, rather than registering a new account. (default: False)
  -m EMAIL, --email EMAIL
                        Email used for registration and recovery contact. Use comma to register multiple emails, ex: u1@example.com,u2@example.com. (default: Ask).
  --eff-email           Share your e-mail address with EFF (default: None)
  --no-eff-email        Don't share your e-mail address with EFF (default: None)

unregister:
  Options for account deactivation.

  --account ACCOUNT_ID  Account ID to use (default: None)

install:
  Options for modifying how a certificate is deployed

config_changes:
  Options for controlling which changes are displayed

  --num NUM             How many past revisions you want to be displayed (default: None)

rollback:
  Options for rolling back server configuration changes

  --checkpoints N       Revert configuration N number of checkpoints. (default: 1)

plugins:
  Options for for the "plugins" subcommand

  --init                Initialize plugins. (default: False)
  --prepare             Initialize and prepare plugins. (default: False)
  --authenticators      Limit to authenticator plugins only. (default: None)
  --installers          Limit to installer plugins only. (default: None)

update_symlinks:
  Recreates certificate and key symlinks in /etc/letsencrypt/live, if you changed them by hand or edited a renewal configuration file

enhance:
  Helps to harden the TLS configuration by adding security enhancements to already existing configuration.

plugins:
  Plugin Selection: Certbot client supports an extensible plugins architecture. See 'certbot plugins' for a list of all installed plugins and their names. You can force a particular plugin by setting options provided below. Running --help <plugin_name> will list flags specific to that plugin.

  --configurator CONFIGURATOR
                        Name of the plugin that is both an authenticator and an installer. Should not be used together with --authenticator or --installer. (default: Ask)
  -a AUTHENTICATOR, --authenticator AUTHENTICATOR
                        Authenticator plugin name. (default: None)
  -i INSTALLER, --installer INSTALLER
                        Installer plugin name (also used to find domains). (default: None)
  --apache              Obtain and install certificates using Apache (default: False)
  --nginx               Obtain and install certificates using Nginx (default: False)
  --standalone          Obtain certificates using a "standalone" webserver. (default: False)
  --manual              Provide laborious manual instructions for obtaining a certificate (default: False)
  --webroot             Obtain certificates by placing files in a webroot directory. (default: False)
  --dns-cloudflare      Obtain certificates using a DNS TXT record (if you are using Cloudflare for DNS). (default: False)
  --dns-cloudxns        Obtain certificates using a DNS TXT record (if you are using CloudXNS for DNS). (default: False)
  --dns-digitalocean    Obtain certificates using a DNS TXT record (if you are using DigitalOcean for DNS). (default: False)
  --dns-dnsimple        Obtain certificates using a DNS TXT record (if you are using DNSimple for DNS). (default: False)
  --dns-dnsmadeeasy     Obtain certificates using a DNS TXT record (if you are using DNS Made Easy for DNS). (default: False)
  --dns-gehirn          Obtain certificates using a DNS TXT record (if you are using Gehirn Infrastracture Service for DNS). (default: False)
  --dns-google          Obtain certificates using a DNS TXT record (if you are using Google Cloud DNS). (default: False)
  --dns-linode          Obtain certificates using a DNS TXT record (if you are using Linode for DNS). (default: False)
  --dns-luadns          Obtain certificates using a DNS TXT record (if you are using LuaDNS for DNS). (default: False)
  --dns-nsone           Obtain certificates using a DNS TXT record (if you are using NS1 for DNS). (default: False)
  --dns-ovh             Obtain certificates using a DNS TXT record (if you are using OVH for DNS). (default: False)
  --dns-rfc2136         Obtain certificates using a DNS TXT record (if you are using BIND for DNS). (default: False)
  --dns-route53         Obtain certificates using a DNS TXT record (if you are using Route53 for DNS). (default: False)
  --dns-sakuracloud     Obtain certificates using a DNS TXT record (if you are using Sakura Cloud for DNS). (default: False)

apache:
  Apache Web Server plugin - Beta

  --apache-enmod APACHE_ENMOD
                        Path to the Apache 'a2enmod' binary (default: None)
  --apache-dismod APACHE_DISMOD
                        Path to the Apache 'a2dismod' binary (default: None)
  --apache-le-vhost-ext APACHE_LE_VHOST_EXT
                        SSL vhost configuration extension (default: -le-ssl.conf)
  --apache-server-root APACHE_SERVER_ROOT
                        Apache server root directory (default: /etc/apache2)
  --apache-vhost-root APACHE_VHOST_ROOT
                        Apache server VirtualHost configuration root (default: None)
  --apache-logs-root APACHE_LOGS_ROOT
                        Apache server logs directory (default: /var/log/apache2)
  --apache-challenge-location APACHE_CHALLENGE_LOCATION
                        Directory path for challenge configuration (default: /etc/apache2/other)
  --apache-handle-modules APACHE_HANDLE_MODULES
                        Let installer handle enabling required modules for you (Only Ubuntu/Debian currently) (default: False)
  --apache-handle-sites APACHE_HANDLE_SITES
                        Let installer handle enabling sites for you (Only Ubuntu/Debian currently) (default: False)
  --apache-ctl APACHE_CTL
                        Full path to Apache control script (default: apachectl)

certbot-route53:auth:
  Obtain certificates using a DNS TXT record (if you are using AWS Route53 for DNS).

  --certbot-route53:auth-propagation-seconds CERTBOT_ROUTE53:AUTH_PROPAGATION_SECONDS
                        The number of seconds to wait for DNS to propagate before asking the ACME server to verify the DNS record. (default: 10)

dns-cloudflare:
  Obtain certificates using a DNS TXT record (if you are using Cloudflare for DNS).

  --dns-cloudflare-propagation-seconds DNS_CLOUDFLARE_PROPAGATION_SECONDS
                        The number of seconds to wait for DNS to propagate before asking the ACME server to verify the DNS record. (default: 10)
  --dns-cloudflare-credentials DNS_CLOUDFLARE_CREDENTIALS
                        Cloudflare credentials INI file. (default: None)

dns-cloudxns:
  Obtain certificates using a DNS TXT record (if you are using CloudXNS for DNS).

  --dns-cloudxns-propagation-seconds DNS_CLOUDXNS_PROPAGATION_SECONDS
                        The number of seconds to wait for DNS to propagate before asking the ACME server to verify the DNS record. (default: 30)
  --dns-cloudxns-credentials DNS_CLOUDXNS_CREDENTIALS
                        CloudXNS credentials INI file. (default: None)

dns-digitalocean:
  Obtain certs using a DNS TXT record (if you are using DigitalOcean for DNS).

  --dns-digitalocean-propagation-seconds DNS_DIGITALOCEAN_PROPAGATION_SECONDS
                        The number of seconds to wait for DNS to propagate before asking the ACME server to verify the DNS record. (default: 10)
  --dns-digitalocean-credentials DNS_DIGITALOCEAN_CREDENTIALS
                        DigitalOcean credentials INI file. (default: None)

dns-dnsimple:
  Obtain certificates using a DNS TXT record (if you are using DNSimple for DNS).

  --dns-dnsimple-propagation-seconds DNS_DNSIMPLE_PROPAGATION_SECONDS
                        The number of seconds to wait for DNS to propagate before asking the ACME server to verify the DNS record. (default: 30)
  --dns-dnsimple-credentials DNS_DNSIMPLE_CREDENTIALS
                        DNSimple credentials INI file. (default: None)

dns-dnsmadeeasy:
  Obtain certificates using a DNS TXT record (if you are using DNS Made Easy for DNS).

  --dns-dnsmadeeasy-propagation-seconds DNS_DNSMADEEASY_PROPAGATION_SECONDS
                        The number of seconds to wait for DNS to propagate before asking the ACME server to verify the DNS record. (default: 60)
  --dns-dnsmadeeasy-credentials DNS_DNSMADEEASY_CREDENTIALS
                        DNS Made Easy credentials INI file. (default: None)

dns-gehirn:
  Obtain certificates using a DNS TXT record (if you are using Gehirn Infrastracture Service for DNS).

  --dns-gehirn-propagation-seconds DNS_GEHIRN_PROPAGATION_SECONDS
                        The number of seconds to wait for DNS to propagate before asking the ACME server to verify the DNS record. (default: 30)
  --dns-gehirn-credentials DNS_GEHIRN_CREDENTIALS
                        Gehirn Infrastracture Service credentials file. (default: None)

dns-google:
  Obtain certificates using a DNS TXT record (if you are using Google Cloud DNS for DNS).

  --dns-google-propagation-seconds DNS_GOOGLE_PROPAGATION_SECONDS
                        The number of seconds to wait for DNS to propagate before asking the ACME server to verify the DNS record. (default: 60)
  --dns-google-credentials DNS_GOOGLE_CREDENTIALS
                        Path to Google Cloud DNS service account JSON file. (See https://developers.google.com/identity/protocols/OAuth2ServiceAccount#creatinganaccount for information about creating a service account and https://cloud.google.com/dns/access-control#permissions_and_roles for information about the required permissions.) (default: None)

dns-linode:
  Obtain certs using a DNS TXT record (if you are using Linode for DNS).

  --dns-linode-propagation-seconds DNS_LINODE_PROPAGATION_SECONDS
                        The number of seconds to wait for DNS to propagate before asking the ACME server to verify the DNS record. (default: 1200)
  --dns-linode-credentials DNS_LINODE_CREDENTIALS
                        Linode credentials INI file. (default: None)

dns-luadns:
  Obtain certificates using a DNS TXT record (if you are using LuaDNS for DNS).

  --dns-luadns-propagation-seconds DNS_LUADNS_PROPAGATION_SECONDS
                        The number of seconds to wait for DNS to propagate before asking the ACME server to verify the DNS record. (default: 30)
  --dns-luadns-credentials DNS_LUADNS_CREDENTIALS
                        LuaDNS credentials INI file. (default: None)

dns-nsone:
  Obtain certificates using a DNS TXT record (if you are using NS1 for DNS).

  --dns-nsone-propagation-seconds DNS_NSONE_PROPAGATION_SECONDS
                        The number of seconds to wait for DNS to propagate before asking the ACME server to verify the DNS record. (default: 30)
  --dns-nsone-credentials DNS_NSONE_CREDENTIALS
                        NS1 credentials file. (default: None)

dns-ovh:
  Obtain certificates using a DNS TXT record (if you are using OVH for DNS).

  --dns-ovh-propagation-seconds DNS_OVH_PROPAGATION_SECONDS
                        The number of seconds to wait for DNS to propagate before asking the ACME server to verify the DNS record. (default: 30)
  --dns-ovh-credentials DNS_OVH_CREDENTIALS
                        OVH credentials INI file. (default: None)

dns-rfc2136:
  Obtain certificates using a DNS TXT record (if you are using BIND for DNS).

  --dns-rfc2136-propagation-seconds DNS_RFC2136_PROPAGATION_SECONDS
                        The number of seconds to wait for DNS to propagate before asking the ACME server to verify the DNS record. (default: 60)
  --dns-rfc2136-credentials DNS_RFC2136_CREDENTIALS
                        RFC 2136 credentials INI file. (default: None)

dns-route53:
  Obtain certificates using a DNS TXT record (if you are using AWS Route53 for DNS).

  --dns-route53-propagation-seconds DNS_ROUTE53_PROPAGATION_SECONDS
                        The number of seconds to wait for DNS to propagate before asking the ACME server to verify the DNS record. (default: 10)

dns-sakuracloud:
  Obtain certificates using a DNS TXT record (if you are using Sakura Cloud for DNS).

  --dns-sakuracloud-propagation-seconds DNS_SAKURACLOUD_PROPAGATION_SECONDS
                        The number of seconds to wait for DNS to propagate before asking the ACME server to verify the DNS record. (default: 90)
  --dns-sakuracloud-credentials DNS_SAKURACLOUD_CREDENTIALS
                        Sakura Cloud credentials file. (default: None)

manual:
  Authenticate through manual configuration or custom shell scripts. When using shell scripts, an authenticator script must be provided. The environment variables available to this script depend on the type of challenge. $CERTBOT_DOMAIN will always contain the domain being authenticated. For HTTP-01 and DNS-01, $CERTBOT_VALIDATION is the validation string, and $CERTBOT_TOKEN is the filename of the resource requested when performing an HTTP-01 challenge. When performing a TLS-SNI-01 challenge, $CERTBOT_SNI_DOMAIN will contain the SNI name for which the ACME server expects to be presented with the self-signed certificate located at $CERTBOT_CERT_PATH. The secret key needed to complete the TLS handshake is located at $CERTBOT_KEY_PATH. An additional cleanup script can also be provided and can use the additional variable $CERTBOT_AUTH_OUTPUT which contains the stdout output from the auth script.

  --manual-auth-hook MANUAL_AUTH_HOOK
                        Path or command to execute for the authentication script (default: None)
  --manual-cleanup-hook MANUAL_CLEANUP_HOOK
                        Path or command to execute for the cleanup script (default: None)
  --manual-public-ip-logging-ok
                        Automatically allows public IP logging (default: Ask)

nginx:
  Nginx Web Server plugin

  --nginx-server-root NGINX_SERVER_ROOT
                        Nginx server root directory. (default: /etc/nginx or /usr/local/etc/nginx)
  --nginx-ctl NGINX_CTL
                        Path to the 'nginx' binary, used for 'configtest' and retrieving nginx version number. (default: nginx)

null:
  Null Installer

standalone:
  Spin up a temporary webserver

webroot:
  Place files in webroot directory

  --webroot-path WEBROOT_PATH, -w WEBROOT_PATH
                        public_html / webroot path. This can be specified multiple times to handle different domains; each domain will have the webroot path that preceded it. For instance: `-w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.net -d m.thing.net` (default: Ask)
  --webroot-map WEBROOT_MAP
                        JSON dictionary mapping domains to webroot paths; this implies -d for each entry. You may need to escape this from your shell. E.g.: --webroot-map '{"eg1.is,m.eg1.is":"/www/eg1/", "eg2.is":"/www/eg2"}' This option is merged with, but takes precedence over, -w / -d entries. At present, if you put webroot-map in a config file, it needs to be on a single line, like: webroot-map = {"example.com":"/var/www"}. (default: {})

Reposted from: https://www.cnblogs.com/Template/p/10231784.html
