1. Install Certbot
Step 1: Install snapd:
sudo apt install snapd
Step 2: Ensure you have the latest snapd version installed:
sudo snap install core; sudo snap refresh core
Step 3: Install Certbot with snapd:
sudo snap install --classic certbot
Step 4: Create a symlink to ensure Certbot runs:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
2. Install the Alibaba Cloud DNS tool
Alibaba Cloud DNS tool: https://github.com/justjavac/certbot-dns-aliyun.git
1. Install the aliyun CLI tool
wget https://aliyuncli.alicdn.com/aliyun-cli-linux-latest-amd64.tgz
tar xzvf aliyun-cli-linux-latest-amd64.tgz
sudo cp aliyun /usr/local/bin
rm aliyun
Configure the Alibaba Cloud credentials:
aliyun configure --profile AkProfile
Configuring profile 'certbotProfile' in 'AK' authenticate mode...
Access Key Id []: XXXX
Access Key Secret []: XXXX
Default Region Id []: XXX
Default Output Format [json]: json (Only support json)
Default Language [zh|en] en: zh
Saving profile[certbotProfile] ...Done.
Configure Done!!!
..............888888888888888888888 ........=8888888888888888888D=..............
...........88888888888888888888888 ..........D8888888888888888888888I...........
.........,8888888888888ZI: ...........................=Z88D8888888888D..........
.........+88888888 ..........................................88888888D..........
.........+88888888 .......Welcome to use Alibaba Cloud.......O8888888D..........
.........+88888888 ............. ************* ..............O8888888D..........
.........+88888888 .... Command Line Interface(Reloaded) ....O8888888D..........
.........+88888888...........................................88888888D..........
..........D888888888888DO+. ..........................?ND888888888888D..........
...........O8888888888888888888888...........D8888888888888888888888=...........
............ .:D8888888888888888888.........78888888888888888888O ..............
First create an AccessKey for a RAM user,
then manage the RAM user's security settings,
then grant that user the corresponding permission: AliyunDNSFullAccess.
How to obtain the access_key and access_key_secret on Alibaba Cloud:
https://help.aliyun.com/zh/ram/user-guide/create-an-accesskey-pair?spm=a2c4g.11186623.0.0.212c33afTBclEr#title-ebf-nrl-l0i
2. Install the certbot-dns-aliyun plugin
wget https://cdn.jsdelivr.net/gh/justjavac/certbot-dns-aliyun@main/alidns.sh
sudo cp alidns.sh /usr/local/bin
sudo chmod +x /usr/local/bin/alidns.sh
sudo ln -s /usr/local/bin/alidns.sh /usr/local/bin/alidns
rm alidns.sh
3. Request a certificate
Test whether the request can be made correctly:
# -d specifies the domain, * means a wildcard domain (quoted so the shell does not glob-expand it); --dry-run means a test run, remove it for the real run
certbot certonly -d "*.example.com" --manual --preferred-challenges dns --manual-auth-hook "alidns" --manual-cleanup-hook "alidns clean" --dry-run
The real run
# real run
certbot certonly -d "*.example.com" --manual --preferred-challenges dns --manual-auth-hook "alidns" --manual-cleanup-hook "alidns clean"
# The following is the interactive setup: enter a notification e-mail address; if you do not want one, add --register-unsafely-without-email to the command
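What the --manual-auth-hook above actually has to do, as an added example that is not the alidns.sh script from certbot-dns-aliyun: certbot exports CERTBOT_DOMAIN (the name being validated, which for *.example.com is example.com, as the hook output later in this post shows) and CERTBOT_VALIDATION (the token) to the hook, and the hook must publish that token in a TXT record at _acme-challenge.<domain>. The ZONE variable, the 20-second propagation wait and the aliyun CLI call shape (the AliDNS AddDomainRecord API with DomainName/RR/Type/Value parameters) are assumptions; the JSON the call prints carries the RecordId that a cleanup hook needs in order to delete the record again.

```shell
#!/bin/sh
# Added example: a minimal --manual-auth-hook written to show the contract,
# not the alidns.sh script from certbot-dns-aliyun. Certbot exports
# CERTBOT_DOMAIN (the name being validated; for *.example.com this is
# example.com) and CERTBOT_VALIDATION (the token that must appear in a TXT
# record at _acme-challenge.<CERTBOT_DOMAIN>). ZONE is an assumption: the
# zone hosted in Alibaba Cloud DNS.
ZONE="${ZONE:-example.com}"

# Print "<RR> <value>": the record name relative to the zone (Alibaba Cloud
# DNS calls it RR) and the TXT value. Fails if the domain is outside ZONE,
# so a mis-set zone cannot silently write a record into the wrong place.
acme_txt_record() {
    zone=$1; domain=$2; value=$3
    case $domain in
        "$zone")    rr=_acme-challenge ;;
        *".$zone")  rr=_acme-challenge.${domain%".$zone"} ;;
        *) echo "domain $domain is not inside zone $zone" >&2; return 1 ;;
    esac
    printf '%s %s\n' "$rr" "$value"
}

# Create the TXT record. The aliyun CLI call shape (API name and parameter
# names) is an assumption taken from the AliDNS AddDomainRecord API; the
# JSON it prints contains the RecordId the cleanup hook needs to delete it.
add_txt_record() {
    zone=$1; domain=$2; value=$3
    rec=$(acme_txt_record "$zone" "$domain" "$value") || return 1
    rr=${rec%% *}; val=${rec#* }
    aliyun alidns AddDomainRecord --DomainName "$zone" --RR "$rr" --Type TXT --Value "$val"
}

# Only act when certbot invoked us (both variables set); otherwise do nothing
# so the file can be sourced or syntax-checked without touching DNS.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    add_txt_record "$ZONE" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" || exit 1
    # Give the authoritative servers time to publish the record before
    # certbot queries it; the delay is a constructed value.
    sleep 20
fi
```

The record name is derived from the zone rather than trusting CERTBOT_DOMAIN blindly, which is the check a hook running with an AliyunDNSFullAccess key should make: that key can write to every zone in the account.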
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): xxxx@xx.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for *.example.com
Hook '--manual-auth-hook' for example.com ran with output:
{
"RecordId": "xxx",
"RequestId": "xxx"
}
Hook '--manual-cleanup-hook' for example.com ran with output:
{
"RecordId": "xxx",
"RequestId": "xxx"
}
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.com/privkey.pem
This certificate expires on 2024-11-24.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Registration complete
4. Set up a scheduled task
crontab -e
# Choose vim as the editor, or whichever suits you
# Cron entry for reference
# 0 0 1,15 * * runs once at 00:00 on the 1st and the 15th; Certbot can be run a few times within 7 days
# --force-renewal forces the renewal; without it nothing is renewed until the certificate is within 30 days of expiry
# --deploy-hook runs a command after a successful renewal
# systemctl restart nginx: I use Ubuntu, so a plain restart is the most straightforward
0 0 1,15 * * /usr/bin/certbot renew --force-renewal --manual --preferred-challenges dns --manual-auth-hook "alidns" --manual-cleanup-hook "alidns clean" --deploy-hook "systemctl restart nginx" > /dev/null 2>&1
# You can check with the test command
/usr/bin/certbot renew --force-renewal --manual --preferred-challenges dns --manual-auth-hook "alidns" --manual-cleanup-hook "alidns clean" --deploy-hook "systemctl restart nginx" --dry-run
# It prints the following
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for *.example.com
Hook '--manual-auth-hook' for example.com ran with output:
{
"RecordId": "xxx",
"RequestId": "xxxx"
}
Hook '--manual-cleanup-hook' for example.com ran with output:
{
"RecordId": "xxx",
"RequestId": "xxxx"
}
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
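The cron line above restarts nginx unconditionally after every renewal, so a configuration error introduced since the last restart would take the site down at 00:00 on the 1st. As an added example (not from the original post or from certbot), here is a deploy-hook script that reloads nginx only after nginx -t accepts the configuration and records what happened; RENEWED_LINEAGE and RENEWED_DOMAINS are the variables certbot sets for --deploy-hook, while the log path and the install path are assumptions.

```shell
#!/bin/sh
# Added example deploy hook, not part of the original post or of certbot.
# Certbot runs --deploy-hook once per renewed certificate with
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) and
# RENEWED_DOMAINS exported. LOG_FILE and the script's install path are
# assumptions.
LOG_FILE="${LOG_FILE:-/var/log/certbot-deploy.log}"

log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$LOG_FILE"
}

# Reload nginx only if its configuration passes `nginx -t`.
# Return codes: 0 reloaded, 1 config test failed (old certificate stays in
# use but the site stays up), 2 nginx not installed, 3 systemctl failed.
reload_nginx_if_valid() {
    command -v nginx >/dev/null 2>&1 || return 2
    nginx -t >/dev/null 2>&1 || return 1
    systemctl reload nginx || return 3
    return 0
}

main() {
    log "renewed lineage=${RENEWED_LINEAGE:-?} domains=${RENEWED_DOMAINS:-?}"
    rc=0
    reload_nginx_if_valid || rc=$?
    case $rc in
        0) log "nginx reloaded" ;;
        1) log "nginx -t failed; reload skipped, previous certificate still served" ;;
        2) log "nginx not installed; nothing to reload" ;;
        *) log "systemctl reload nginx failed (rc=$rc)" ;;
    esac
    return "$rc"
}

# Certbot always sets RENEWED_LINEAGE for deploy hooks; when run by hand
# without it, do nothing so the file can be sourced or syntax-checked.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main "$@"
fi
```

Install it as /usr/local/bin/reload-nginx.sh (assumed path, mode 0755) and replace --deploy-hook "systemctl restart nginx" in the cron line with --deploy-hook /usr/local/bin/reload-nginx.sh; reload, unlike restart, keeps existing connections open while the new certificate is picked up.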
5. Check whether the renewal succeeded
certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: example.com
Serial Number: 4edf83b9cf3597ab494b92af2075320f340
Key Type: ECDSA
Domains: *.example.com
Expiry Date: 2024-11-24 02:15:15+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Or
cd /etc/letsencrypt/live/example.com/
openssl x509 -in fullchain.pem -noout -dates
# Output
notBefore=Aug 26 02:15:16 2024 GMT
notAfter=Nov 24 02:15:15 2024 GMT
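Both checks above are run by hand. To let cron raise an alert when the renewal job has stopped keeping up, here is an added example (not part of the original post) that parses the certbot certificates output for the smallest VALID: N days value and, for a single file on disk, uses openssl x509 -checkend instead of reading the dates by eye. The certbot output embedded in the script is the sample shown above, included as constructed input; the 30-day default threshold and the cron usage are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: an expiry check for cron.
# The certbot output below is the sample from this post, embedded here as
# constructed input so the parser can be exercised offline.
sample_certbot_output() {
    cat <<'EOF'
Found the following certs:
Certificate Name: example.com
Serial Number: 4edf83b9cf3597ab494b92af2075320f340
Key Type: ECDSA
Domains: *.example.com
Expiry Date: 2024-11-24 02:15:15+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
EOF
}

# Read `certbot certificates` output on stdin and print the smallest number of
# days any listed certificate has left. A certificate whose status is not
# "VALID: N days" (for example "INVALID: EXPIRED") counts as 0 days.
min_days_valid() {
    min=""
    while IFS= read -r line; do
        case $line in
            *"Expiry Date:"*)
                case $line in
                    *"(VALID: "*" days)"*)
                        days=${line##*"(VALID: "}
                        days=${days%%" days)"*}
                        ;;
                    *) days=0 ;;
                esac
                if [ -z "$min" ] || [ "$days" -lt "$min" ]; then
                    min=$days
                fi
                ;;
        esac
    done
    printf '%s\n' "${min:-0}"
}

# Succeed only if every certificate has more than DAYS (default 30) left,
# i.e. the renewal cron job is keeping up.
check_renewal() {
    days_left=$(min_days_valid)
    [ "$days_left" -gt "${1:-30}" ]
}

# The openssl variant for one file on disk: -checkend succeeds only if the
# certificate is still valid that many seconds from now.
check_cert_file() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 ))
}

# Usage (constructed): --live checks the real certbot inventory,
# --file <fullchain.pem> [days] checks one file; no arguments does nothing.
case ${1:-} in
    --live) certbot certificates 2>/dev/null | check_renewal "${2:-30}" ;;
    --file) check_cert_file "$2" "${3:-30}" ;;
esac
```

A cron entry such as `0 8 * * * /usr/local/bin/check-cert.sh --live 30 || logger -t certbot "certificate renewal is behind"` (assumed path) turns a silent renewal failure into a syslog line well before the certificate actually expires; the 30-day threshold matches the point at which certbot would normally renew, so anything below it means the twice-monthly job has not succeeded.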