looking for a way to get certbot running on Amazon Linux 2
Solution 1
I was having trouble with this as well since Amazon Linux 2 doesn't have epel-release
in its repositories, but I've found you can install the EPEL RPM package itself, and then you'll be able to install certbot
or certbot-nginx
from there.
-
Download the RPM
curl -O http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
-
Then install it
sudo yum install epel-release-latest-7.noarch.rpm
-
Now you can install certbot
sudo yum install certbot
-
And then run it as usual
sudo certbot
Check out the certbot page for configuration details after that.
Solution 2
Instead of Certbot you can use Acme, which works and is well documented. I have a tutorial on setting up Let's Encrypt on Amazon Linux here.
Nginx Configuration
Let's Encrypt needs to call out to the server to verify the request before a certificate is issued. Acmetool can use its built in web server or an external web server. Here's my Nginx configuration, which sits alongside a secure server block that serves the rest of the site.
# This server directly serves ACME / certificate redirects. All other requests are forwarded the https version of the page
server {
listen 80;
server_name example.com;
access_log /var/log/nginx/access.log main;
# Let's Encrypt certificates with Acmetool
location /.well-known/acme-challenge/ {
alias /var/www/.well-known/acme-challenge/;
}
location / {
return 301 https://www.photographerstechsupport.com$request_uri;
}
}
Nginx Folders
mkdir -p /var/www/.well-known/acme-challenge
chmod -R user:www-data /var/www/acme-challenge/*
find /var/www/acme-challenge/ -type d -exec chmod 755 {} \;
vi /var/www/acme-challenge/.well-known/acme-challenge/text.html (add "hello world" or similar)
Install Acme
sudo -i (this is run as root)
cd /opt
wget https://github.com/hlandau/acme/releases/download/v0.0.62/acmetool-v0.0.62-linux_386.tar.gz (NB check for newer versions here)
tar -xzf acmetool-v0.0.62-linux_386.tar.gz
cd acmetool-v0.0.62-linux_386/bin
cp ./acmetool /usr/local/bin
/usr/local/bin/acmetool quickstart
In the quickstart enter this as your webroot
/var/www/.well-known/acme-challenge/
Request a Certificate
/usr/local/bin/acmetool want example.com www.example.com
Troubleshooting #1
acmetool --xlog.severity=debug > /tmp/dump 2>&1 want example.com www.example.com
fgrep -v fdb: /tmp/dump | fgrep -v storageops: > /tmp/dumpout
I have other troubleshooting tips on my blog article.
iewebguy
Updated on September 18, 2022Comments
-
iewebguy over 1 year
Amazon has a new Linux out called "Amazon Linux 2"
When I try and get certbot going....
wget https://dl.eff.org/certbot-auto chmod a+x certbot-auto ./certbot-auto
gives this error
Sorry, I don't know how to bootstrap Certbot on your operating system! You will need to install OS dependencies, configure virtualenv, and run pip install manually. Please see https://letsencrypt.readthedocs.org/en/latest/contributing.html#prerequisites for more info.
Then I tried:
yum install pip yum install python-pip pip install cryptography pip install certbot yum install python-urllib3 yum install augeas /usr/bin/certbot
And I get this message
Traceback (most recent call last): File "/usr/bin/certbot", line 7, in <module> from certbot.main import main File "/usr/lib/python2.7/site-packages/certbot/main.py", line 19, in <module> from certbot import client File "/usr/lib/python2.7/site-packages/certbot/client.py", line 11, in <module> from acme import client as acme_client File "/usr/lib/python2.7/site-packages/acme/client.py", line 34, in <module> import urllib3.contrib.pyopenssl # pylint: disable=import-error File "/usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 50, in <module> from ndg.httpsclient.ssl_peer_verification import SUBJ_ALT_NAME_SUPPORT ImportError: No module named ndg.httpsclient.ssl_peer_verification
I am not sure where to go from here. Any suggestions would be greatly appreciated!
-
iewebguy over 6 yearsThis works on Amazon Linux 2 - Thanks. It looks like it will take months to verify that it is going to keep working, since there is no --force in acmetool
-
Tim over 6 yearsYou can delete the certificates and have them generated again. I always take a backup before I do anything with certificates, because I don't do this very often I find them a bit complex.
-
Dan Manastireanu over 3 yearsAmazon now has instructions (mostly the same as this) on how to setup epel repositories and install certbot: docs.aws.amazon.com/AWSEC2/latest/UserGuide/…