Installing an SSL certificate with certbot

Operating system: Alibaba Cloud Linux 3.2104 LTS 64-bit

Add the EPEL repository (Certbot depends on it)

```bash
sudo yum install -y epel-release
```

Error

```bash
Last metadata expiration check: 0:14:29 ago on Fri 13 Mar 2026 05:18:56 PM CST.
Error:
 Problem: problem with installed package epel-aliyuncs-release-8-15.1.al8.noarch
  - package epel-aliyuncs-release-8-15.1.al8.noarch from @System conflicts with epel-release provided by epel-release-8-22.el8.noarch from epel
  - package epel-aliyuncs-release-8-15.1.al8.noarch from alinux3-updates conflicts with epel-release provided by epel-release-8-22.el8.noarch from epel
  - conflicting requests
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
```

This error occurs because the system already has a package named epel-aliyuncs-release installed, and it conflicts with the standard epel-release package.

Judging by the package name, this is Alibaba Cloud's own EPEL-compatible repository, so we move straight on to the next step.

Install certbot.

```bash
sudo yum install -y certbot
```

Completes without errors

```bash
Last metadata expiration check: 0:18:21 ago on Fri 13 Mar 2026 05:18:56 PM CST.
Dependencies resolved.
========================================================================================================================
 Package                           Architecture   Version                                  Repository              Size
========================================================================================================================
Installing:
 certbot                           noarch         1.22.0-1.el8                             epel                    54 k
Installing dependencies:
 python3-acme                      noarch         1.22.0-4.el8                             epel                    96 k
 python3-certbot                   noarch         1.22.0-1.el8                             epel                   426 k
 
* * * * * * * * * * * * * * many lines omitted * * * * * * * * * * * * * * *

Installed:
  certbot-1.22.0-1.el8.noarch                          python-josepy-doc-1.9.0-1.el8.noarch
  python3-acme-1.22.0-4.el8.noarch                     python3-certbot-1.22.0-1.el8.noarch
  python3-configargparse-0.14.0-6.el8.noarch           python3-distro-1.4.0-2.1.module+al8+10+4ba10e20.noarch
  python3-josepy-1.9.0-1.el8.noarch                    python3-parsedatetime-2.5-1.el8.noarch
  python3-pyrfc3339-1.1-1.el8.noarch                   python3-requests-toolbelt-0.9.1-4.el8.noarch
  python3-zope-component-4.3.0-8.el8.noarch            python3-zope-event-4.2.0-12.el8.noarch
  python3-zope-interface-4.6.0-1.el8.x86_64

Complete!
```

Obtain the SSL certificate

Use standalone mode to obtain the SSL certificate (any service occupying ports 80/443 must be stopped temporarily, because certbot starts its own web server on them).

Assume our domain is xxxxx.com

```bash
sudo certbot certonly --standalone -d xxxxx.com
```

While this command runs, it prompts for some input

```bash
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): wodeemail@email.com
* * * * * * * * * * * * * * * enter your email address here * * * * * * * * * * * * * * * *
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf. You must agree
in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
* * * * * * * * * * * * * * this is the terms of service; you must enter Y to agree * * * * * * * * * * * * * * * 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
* * * * * * * * * * * * * * whether to receive emails about news, campaigns and so on; enter Y to agree * * * * * * * * * * * * * * * 
Account registered.
Requesting a certificate for xxxxx.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/xxxxx.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/xxxxx.com/privkey.pem
This certificate expires on 2026-06-11.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

Completes without errors.

A special case

```bash
sudo certbot certonly --standalone -d xxxxx.com
```

The following error may appear

```bash
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): wodeemail@email.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.
Requesting a certificate for fxxkrock.top

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: fxxkrock.top
  Type:   connection
  Detail: 47.97.27.78: Fetching http://xxxxx.com/.well-known/acme-challenge/DqitmUHBr-4eEkBcNWoEZWzAf10C8Gwpm5ipvFxoY1U: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```

The cause is visible in the output: during certificate issuance the CA has to reach this server on port 80, but the connection could not be made.

According to the relevant documentation, both ports 80 and 443 are used during the certificate issuance process.

Open ports 80 and 443 in the relevant settings and the problem is solved. On an Alibaba Cloud server, for example, go to the instance management page -> Network and Security Groups, and add rules allowing 80/443 in both the inbound and outbound directions.

Follow-up

The issued SSL files are located as follows

```bash
Certificate is saved at: /etc/letsencrypt/live/xxxxx.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/xxxxx.com/privkey.pem
```

Three more files are generated in this location, five files in total: cert.pem, chain.pem, fullchain.pem, privkey.pem, plus a README.

The README reads as follows:

```text
This directory contains your keys and certificates.

`privkey.pem`  : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem`     : will break many server configurations, and should not be used
                 without reading further documentation (see link below).

WARNING: DO NOT MOVE OR RENAME THESE FILES!
         Certbot expects these files to remain in this location in order
         to function properly!

We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.
```

Under normal permissions this directory cannot be accessed, so the files have to be copied to a location the web application can read.
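A plain one-off copy goes stale: the certbot output above says the files under /etc/letsencrypt/live are replaced on every renewal, so the copy has to be repeated each time, and the private key must not end up world-readable in its new location. The following deploy hook is an added example, not part of the original post; the destination /etc/myapp/tls, the service user myapp and the hook file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a certbot deploy hook that copies
# fullchain.pem and privkey.pem out of /etc/letsencrypt/live/<domain>/ into a
# directory the web application can read, with strict permissions. certbot runs
# scripts in /etc/letsencrypt/renewal-hooks/deploy/ after each successful
# renewal, so the copy stays current. Assumed install path (hypothetical):
# /etc/letsencrypt/renewal-hooks/deploy/copy-cert.sh
set -eu

APP_CERT_DIR="${APP_CERT_DIR:-/etc/myapp/tls}"   # hypothetical destination
APP_USER="${APP_USER:-myapp}"                    # hypothetical service user

# copy_cert <live-dir> <dest-dir> [owner]
# Copies the two files most servers need. The private key is written 0600 so no
# other local user can read it; the chain is public and can be 0644.
copy_cert() {
    live="$1"; dest="$2"; owner="${3:-}"
    [ -r "$live/fullchain.pem" ] && [ -r "$live/privkey.pem" ] || {
        echo "copy_cert: missing fullchain.pem or privkey.pem in $live" >&2
        return 1
    }
    mkdir -p "$dest"
    chmod 0750 "$dest"
    # umask 077 so the key is never on disk world-readable, not even briefly
    ( umask 077 && cp "$live/privkey.pem" "$dest/privkey.pem.tmp" )
    cp "$live/fullchain.pem" "$dest/fullchain.pem.tmp"
    chmod 0600 "$dest/privkey.pem.tmp"
    chmod 0644 "$dest/fullchain.pem.tmp"
    if [ -n "$owner" ]; then chown "$owner" "$dest" "$dest"/*.tmp; fi
    # rename last, so the application never reads a half-written file
    mv -f "$dest/privkey.pem.tmp" "$dest/privkey.pem"
    mv -f "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
}

# key_mode <path>: print the octal permission bits (GNU stat, BSD stat fallback)
key_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/xxxxx.com) to
# deploy hooks; when run by hand, pass the live directory as the first argument.
LINEAGE="${RENEWED_LINEAGE:-${1:-}}"
if [ -n "$LINEAGE" ]; then
    copy_cert "$LINEAGE" "$APP_CERT_DIR" "$APP_USER"
    # then make the running server pick up the new files, e.g.:
    # systemctl reload nginx
fi
```

After the first manual run, `sudo certbot renew --dry-run` exercises the renewal path and the hook together; check the copied key's mode with `stat` afterwards.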
