Table of contents
- Operating system: Alibaba Cloud Linux 3.2104 LTS 64-bit
- Add the EPEL repository (Certbot dependency)
- Install certbot
- Obtain the SSL certificate
- Follow-up
Operating system: Alibaba Cloud Linux 3.2104 LTS 64-bit

Add the EPEL repository (Certbot dependency)

```bash
sudo yum install -y epel-release
```

This reports an error:
```bash
Last metadata expiration check: 0:14:29 ago on Fri 13 Mar 2026 05:18:56 PM CST.
Error:
 Problem: problem with installed package epel-aliyuncs-release-8-15.1.al8.noarch
  - package epel-aliyuncs-release-8-15.1.al8.noarch from @System conflicts with epel-release provided by epel-release-8-22.el8.noarch from epel
  - package epel-aliyuncs-release-8-15.1.al8.noarch from alinux3-updates conflicts with epel-release provided by epel-release-8-22.el8.noarch from epel
  - conflicting requests
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
```
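This error occurs because a package named epel-aliyuncs-release is already installed on the system, and it conflicts with the standard epel-release package.
Judging by the package name, it is Alibaba Cloud's own compatible EPEL, so go straight to the next step.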
Install certbot

```bash
sudo yum install -y certbot
```

It completes without errors:
```bash
Last metadata expiration check: 0:18:21 ago on Fri 13 Mar 2026 05:18:56 PM CST.
Dependencies resolved.
========================================================================================================================
 Package                    Architecture          Version                    Repository          Size
========================================================================================================================
Installing:
 certbot                    noarch                1.22.0-1.el8               epel                54 k
Installing dependencies:
 python3-acme               noarch                1.22.0-4.el8               epel                96 k
 python3-certbot            noarch                1.22.0-1.el8               epel               426 k
* * * * * * * * * * * * * * Many lines omitted * * * * * * * * * * * * * * *
Installed:
  certbot-1.22.0-1.el8.noarch python-josepy-doc-1.9.0-1.el8.noarch
  python3-acme-1.22.0-4.el8.noarch python3-certbot-1.22.0-1.el8.noarch
  python3-configargparse-0.14.0-6.el8.noarch python3-distro-1.4.0-2.1.module+al8+10+4ba10e20.noarch
  python3-josepy-1.9.0-1.el8.noarch python3-parsedatetime-2.5-1.el8.noarch
  python3-pyrfc3339-1.1-1.el8.noarch python3-requests-toolbelt-0.9.1-4.el8.noarch
  python3-zope-component-4.3.0-8.el8.noarch python3-zope-event-4.2.0-12.el8.noarch
  python3-zope-interface-4.6.0-1.el8.x86_64
Complete!
```
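Obtain the SSL certificate

Use Standalone mode (services occupying ports 80/443 must be stopped temporarily) to obtain the SSL certificate.

```bash
sudo certbot certonly --standalone -d xxxxx.com
```

While this command runs, it prompts for some input: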
```bash
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): wodeemail@email.com
* * * * * * * * * * * * * * * Enter your email address here * * * * * * * * * * * * * * * *
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf. You must agree
in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
* * * * * * * * * * * * * * This is the Terms of Service notice; you must enter Y to agree * * * * * * * * * * * * * * *
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
* * * * * * * * * * * * * * Whether to receive emails about news, campaigns and so on; enter Y to agree to receive them * * * * * * * * * * * * * * *
Account registered.
Requesting a certificate for xxxxx.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/xxxxx.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/xxxxx.com/privkey.pem
This certificate expires on 2026-06-11.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
 * Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
It completes without errors.

There is one special case:

```bash
sudo certbot certonly --standalone -d xxxxx.com
```

The following error may appear:
```bash
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): wodeemail@email.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.
Requesting a certificate for fxxkrock.top
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: fxxkrock.top
  Type: connection
  Detail: 47.97.27.78: Fetching http://xxxxx.com/.well-known/acme-challenge/DqitmUHBr-4eEkBcNWoEZWzAf10C8Gwpm5ipvFxoY1U: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```
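The output shows the cause: issuing the certificate requires access over port 80, but the connection could not get through.
According to related material, both ports 80 and 443 are used during the SSL application process.
Opening ports 80 and 443 in the relevant settings resolves it. For an Alibaba Cloud server, for example, go to the server instance's management page -> Network & Security Groups and add rules allowing 80/443 in both the inbound and outbound directions.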
Follow-up

The issued SSL files are located at:

```bash
Certificate is saved at: /etc/letsencrypt/live/xxxxx.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/xxxxx.com/privkey.pem
```
Three more files are generated at this location, for a total of five files: README, cert.pem, chain.pem, fullchain.pem and privkey.pem.
The README reads as follows:
```bash
This directory contains your keys and certificates.

`privkey.pem`  : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem`     : will break many server configurations, and should not be used
                 without reading further documentation (see link below).

WARNING: DO NOT MOVE OR RENAME THESE FILES!
         Certbot expects these files to remain in this location in order
         to function properly!

We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.
```
With normal permissions this directory cannot be accessed, so the files need to be copied to a location the web application can access.
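
An added example, not part of the original post: one way to do the copy described above as a Certbot deploy hook, so the copies are refreshed after every renewal and the private key stays readable only by its owning account. The `deploy_cert` function, the `APP_TLS_DIR` and `APP_USER` variables and the `/opt/myapp/tls` path are assumptions for illustration; `RENEWED_LINEAGE` is the variable Certbot sets when it runs deploy hooks.

```sh
#!/bin/sh
# Added example (not from the original post). Save as an executable file in
# /etc/letsencrypt/renewal-hooks/deploy/ so Certbot runs it after each
# successful renewal. APP_TLS_DIR, APP_USER and /opt/myapp/tls are assumed names.

# deploy_cert SRC_DIR DEST_DIR [OWNER]
# Copies fullchain.pem and privkey.pem out of a Certbot "live" directory.
# The originals stay where they are, as the README requires.
deploy_cert() {
    src=$1
    dest=$2
    owner=${3:-}

    # Refuse to deploy half a pair: both files must exist and be non-empty.
    for f in fullchain.pem privkey.pem; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
    done

    # Changing ownership needs root; Certbot runs its hooks as root.
    if [ -n "$owner" ]; then
        set -- -o "$owner"
    else
        set --
    fi

    # 0700 directory and 0600 key: only the owning account can read the key.
    # install(1) follows the symlinks in live/ and writes regular files
    # with the given mode.
    install -d -m 0700 "$@" "$dest" || return 1
    install -m 0644 "$@" "$src/fullchain.pem" "$dest/fullchain.pem" || return 1
    install -m 0600 "$@" "$src/privkey.pem" "$dest/privkey.pem" || return 1
}

# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/xxxxx.com)
# to deploy hooks; outside a hook run this script does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE" "${APP_TLS_DIR:-/opt/myapp/tls}" "${APP_USER:-}"
fi
```

After the hook has run, reload the service that reads the copies so it picks up the renewed certificate.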