检查系统CA证书是否存在。Debian/Ubuntu系统尝试执行sudo apt-get install --reinstall ca-certificates

@Alone 我的操作系统是CentOS Linux release 7.6.1810，虚拟机

@maht sudo update-ca-trust

@maht sudo curl https://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt

@Alone还是一样的错误。。。

@Alone 这个错误和python有关系么

@maht curl -I https://acme-v02.api.letsencrypt.org 把结果贴出来看一下

@Alone [root@docker bin]# curl -I https://acme-v02.api.letsencrypt.org curl: (60) Peer's Certificate has expired. More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. [root@docker bin]# curl -I -k https://acme-v02.api.letsencrypt.org HTTP/1.1 200 OK Server: nginx Content-Type: text/html Content-Length: 2174 Last-Modified: Fri, 02 Feb 2018 23:46:37 GMT ETag: "5a74f85d-87e" X-Frame-Options: DENY Strict-Transport-Security: max-age=604800 Accept-Ranges: bytes Expires: Wed, 03 Jul 2019 08:21:38 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 03 Jul 2019 08:21:38 GMT Connection: keep-alive

@maht 检查系统时间

@Alone 我是为了模拟一下，能生成证书，特意调整的系统时间，如果时间调整为正常时间，就生成不了证书

@maht 时间不对会导致ssl证书验证失败

@Alone 那就是没有办法测试了吗

@Alone ./certbot-auto renew --force-renewal --manual-auth-hook ./certbot-auth-dnspod.sh 可以了。应该就是时间问题，多谢