Issuing a certificate with acme.sh in DNS mode

Nov 18, 2025

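If a domain is not bound to a specific host but you still need an SSL certificate for it, you can use acme.sh's DNS mode to issue one manually.

The drawback of this mode is that it cannot renew automatically: you have to keep track of the certificate yourself and renew it by hand, on a 90-day cycle.

Install acme.sh

curl https://get.acme.sh | sh -s email=my@example.com

or

wget -O - https://get.acme.sh | sh -s email=my@example.com

Issue the certificate in DNS mode

Use the following command to issue a certificate for optipng.cn and www.optipng.cn.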

acme.sh --issue --dns -d optipng.cn -d www.optipng.cn --yes-I-know-dns-manual-mode-enough-go-ahead-please
... ...
[Mon Nov 17 07:17:54 PM PST 2025] Sleeping for 10 seconds and retrying.
[Mon Nov 17 07:18:05 PM PST 2025] Using CA: https://acme.zerossl.com/v2/DV90
[Mon Nov 17 07:18:05 PM PST 2025] Account key creation OK.
[Mon Nov 17 07:18:05 PM PST 2025] No EAB credentials found for ZeroSSL, let's obtain them
[Mon Nov 17 07:18:06 PM PST 2025] Registering account: https://acme.zerossl.com/v2/DV90
[Mon Nov 17 07:18:06 PM PST 2025] Could not get nonce, let's try again.
[Mon Nov 17 07:18:09 PM PST 2025] Could not get nonce, let's try again.
[Mon Nov 17 07:18:13 PM PST 2025] Could not get nonce, let's try again.
[Mon Nov 17 07:18:16 PM PST 2025] Registered
[Mon Nov 17 07:18:16 PM PST 2025] ACCOUNT_THUMBPRINT='39EcpbbsWhtdSzzd8Rz-z3kXNzpzadw0Vmq6wS2xIKY'
[Mon Nov 17 07:18:16 PM PST 2025] Creating domain key
[Mon Nov 17 07:18:16 PM PST 2025] The domain key is here: /root/.acme.sh/optipng.cn_ecc/optipng.cn.key
[Mon Nov 17 07:18:16 PM PST 2025] Multi domain='DNS:optipng.cn,DNS:www.optipng.cn'
[Mon Nov 17 07:18:17 PM PST 2025] Getting webroot for domain='optipng.cn'
[Mon Nov 17 07:18:17 PM PST 2025] Getting webroot for domain='www.optipng.cn'
[Mon Nov 17 07:18:17 PM PST 2025] Add the following TXT record:
[Mon Nov 17 07:18:17 PM PST 2025] Domain: '_acme-challenge.optipng.cn'
[Mon Nov 17 07:18:17 PM PST 2025] TXT value: 'VTtpEviHUIZZz4wCu9RWR4yJBTNkIE1t1vw9cuGv6-g'
[Mon Nov 17 07:18:17 PM PST 2025] Please make sure to prepend '_acme-challenge.' to your domain
[Mon Nov 17 07:18:17 PM PST 2025] so that the resulting subdomain is: _acme-challenge.optipng.cn
[Mon Nov 17 07:18:17 PM PST 2025] Add the following TXT record:
[Mon Nov 17 07:18:17 PM PST 2025] Domain: '_acme-challenge.www.optipng.cn'
[Mon Nov 17 07:18:17 PM PST 2025] TXT value: 'zp-ntPgXeUX_TZO7NZaeNCeX_AJqTc76OV7Z-s5axRY'
[Mon Nov 17 07:18:17 PM PST 2025] Please make sure to prepend '_acme-challenge.' to your domain
[Mon Nov 17 07:18:17 PM PST 2025] so that the resulting subdomain is: _acme-challenge.www.optipng.cn
[Mon Nov 17 07:18:17 PM PST 2025] Please add the TXT records to the domains, and re-run with --renew.
[Mon Nov 17 07:18:17 PM PST 2025] Please add '--debug' or '--log' to see more information.
[Mon Nov 17 07:18:17 PM PST 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

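In your DNS management console, add the two TXT records _acme-challenge.optipng.cn and _acme-challenge.www.optipng.cn as prompted above, then wait about 1 minute for them to take effect.

Then run the following command to issue the certificate: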

acme.sh --renew --dns -d optipng.cn -d www.optipng.cn --yes-I-know-dns-manual-mode-enough-go-ahead-please

The output is as follows:

... ...
[Mon Nov 17 07:22:32 PM PST 2025] Your cert is in: /root/.acme.sh/optipng.cn_ecc/optipng.cn.cer
[Mon Nov 17 07:22:32 PM PST 2025] Your cert key is in: /root/.acme.sh/optipng.cn_ecc/optipng.cn.key
[Mon Nov 17 07:22:32 PM PST 2025] The intermediate CA cert is in: /root/.acme.sh/optipng.cn_ecc/ca.cer
[Mon Nov 17 07:22:32 PM PST 2025] And the full-chain cert is in: /root/.acme.sh/optipng.cn_ecc/fullchain.cer
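
An added example, not part of the original post or of acme.sh: before running the --renew step above, this script extracts the challenge names and TXT values from acme.sh output in the format shown earlier and checks with dig that each record is actually published. The function names and the sample log lines are constructed for illustration, and dig is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes dig is installed.
# Usage: save the --issue output to a file, add the TXT records, then run
#   parse_challenges < issue.log | check_challenges [resolver-ip]

# Constructed sample in the format of the acme.sh output shown above.
SAMPLE_LOG="[Mon Jan  1 00:00:00 UTC 2024] Multi domain='DNS:example.com,DNS:www.example.com'
[Mon Jan  1 00:00:00 UTC 2024] Add the following TXT record:
[Mon Jan  1 00:00:00 UTC 2024] Domain: '_acme-challenge.example.com'
[Mon Jan  1 00:00:00 UTC 2024] TXT value: '-CONSTRUCTED_token_AAA'
[Mon Jan  1 00:00:00 UTC 2024] Add the following TXT record:
[Mon Jan  1 00:00:00 UTC 2024] Domain: '_acme-challenge.www.example.com'
[Mon Jan  1 00:00:00 UTC 2024] TXT value: 'CONSTRUCTED-token-BBB'"

# Read acme.sh output on stdin; print "record-name expected-value" per challenge.
parse_challenges() {
    sed -n -e "s/.*] Domain: '\(.*\)'\$/D \1/p" \
           -e "s/.*] TXT value: '\(.*\)'\$/V \1/p" |
    { rec=; while read -r kind val; do
        case "$kind" in
            D) rec=$val ;;
            V) [ -n "$rec" ] && printf '%s %s\n' "$rec" "$val"; rec= ;;
        esac
    done; }
}

# Succeed if the expected value ($1) is one of the `dig +short TXT` answer
# lines on stdin. dig quotes TXT strings, and base64url tokens may start
# with '-', hence the quote stripping and the '--' before the pattern.
txt_in_answer() {
    tr -d '"' | grep -Fxq -- "$1"
}

# Read "name value" pairs on stdin and query each one; $1 is an optional resolver IP.
check_challenges() {
    server=${1:+@$1}; rc=0
    while read -r name value; do
        # </dev/null keeps dig away from the loop's stdin.
        if dig +short TXT "$name" $server </dev/null | txt_in_answer "$value"; then
            echo "OK      $name"
        else
            echo "MISSING $name"; rc=1
        fi
    done
    return "$rc"
}

# Offline demo: list the challenges found in the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | parse_challenges
```

check_challenges returns non-zero if any record is missing, so it can gate the --renew command in a wrapper script.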

https://github.com/acmesh-official/acme.sh
