LouayH
September 3, 2019, 4:31pm
1
Hi there,
It’s my first time using Let’s Encrypt, and I’m trying to install certbot on my AWS EC2 instance, but it cannot be done.
I’ve walked through these steps https://certbot.eff.org/lets-encrypt/centosrhel7-nginx , but stopped at Step 4.
My domain is: http://leo-micro.tk
I ran this command:
$ sudo yum install certbot python2-certbot-nginx
It produced this error message:
Error: Package: python2-acme-0.37.2-1.el7.noarch (epel-testing)
Requires: pyOpenSSL >= 0.13.1
Available: python26-pyOpenSSL-0.10-2.8.amzn1.x86_64 (amzn-main)
pyOpenSSL = 0.10-2.8.amzn1
Error: Package: python2-six-1.9.0-0.el7.noarch (epel)
Requires: python-six >= 1.9.0
Available: python26-six-1.8.0-1.23.amzn1.noarch (amzn-main)
python-six = 1.8.0-1.23.amzn1
Error: Package: python2-requests-2.6.0-0.el7.noarch (epel)
Requires: python-requests >= 2.6.0
Installing: python26-requests-1.2.3-5.10.amzn1.noarch (amzn-main)
python-requests = 1.2.3-5.10.amzn1
Error: Package: python2-josepy-1.2.0-1.el7.noarch (epel)
Requires: python2-cryptography
Error: Package: python2-acme-0.37.2-1.el7.noarch (epel-testing)
Requires: python2-pyasn1
Error: Package: python2-six-1.9.0-0.el7.noarch (epel)
Requires: python-six >= 1.9.0
Installing: python26-six-1.8.0-1.23.amzn1.noarch (amzn-main)
python-six = 1.8.0-1.23.amzn1
Error: Package: python2-acme-0.37.2-1.el7.noarch (epel-testing)
Requires: pyOpenSSL >= 0.13.1
Installing: python26-pyOpenSSL-0.10-2.8.amzn1.x86_64 (amzn-main)
pyOpenSSL = 0.10-2.8.amzn1
Error: Package: python2-certbot-0.37.2-1.el7.noarch (epel-testing)
Requires: python2-cryptography
Error: Package: python2-josepy-1.2.0-1.el7.noarch (epel)
Requires: python2-setuptools
Error: Package: certbot-0.37.2-1.el7.noarch (epel-testing)
Requires: systemd
Error: Package: python2-acme-0.37.2-1.el7.noarch (epel-testing)
Requires: python2-cryptography
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
PS: I’ve also tried the --skip-broken flag and it seems that it’s not working, since I cannot execute certbot.
My web server is (include version): nginx/1.14.1
The operating system my web server runs on is (include version): Red Hat 7.2.1-2
My hosting provider, if applicable, is: AWS EC2 Amazon Linux AMI 2018.03
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): It cannot be installed yet
Welcome to this forum,
Could you please try to update your system by running yum -y update and see if there are any available updates?
Also calling @juergenauer since I won’t be able to reply in the next 3 hours.
Thank you
LouayH
September 3, 2019, 5:30pm
3
Thank you steven,
I ran this command three days ago and it said that all packages are up to date, but when I run it now I get this error message:
Error: Package: iproute-4.4.0-3.23.amzn1.x86_64 (installed)
Requires: libdb-4.7.so()(64bit)
Removing: db4-4.7.25-18.11.amzn1.x86_64 (installed)
libdb-4.7.so()(64bit)
Obsoleted By: libdb4-4.8.30-13.el7.x86_64 (epel)
~libdb-4.8.so()(64bit)
Error: Package: subversion-1.9.7-1.58.amzn1.x86_64 (@amzn-main)
Requires: libdb-4.7.so()(64bit)
Removing: db4-4.7.25-18.11.amzn1.x86_64 (installed)
libdb-4.7.so()(64bit)
Obsoleted By: libdb4-4.8.30-13.el7.x86_64 (epel)
~libdb-4.8.so()(64bit)
Error: Package: rpm-4.11.3-21.75.amzn1.x86_64 (installed)
Requires: libdb-4.7.so()(64bit)
Removing: db4-4.7.25-18.11.amzn1.x86_64 (installed)
libdb-4.7.so()(64bit)
Obsoleted By: libdb4-4.8.30-13.el7.x86_64 (epel)
~libdb-4.8.so()(64bit)
Error: Package: ruby20-libs-2.0.0.648-1.32.amzn1.x86_64 (@amzn-updates)
Requires: libdb-4.7.so()(64bit)
Removing: db4-4.7.25-18.11.amzn1.x86_64 (installed)
libdb-4.7.so()(64bit)
Obsoleted By: libdb4-4.8.30-13.el7.x86_64 (epel)
~libdb-4.8.so()(64bit)
Error: Package: pam-1.1.8-12.33.amzn1.x86_64 (installed)
Requires: libdb-4.7.so()(64bit)
Removing: db4-4.7.25-18.11.amzn1.x86_64 (installed)
libdb-4.7.so()(64bit)
Obsoleted By: libdb4-4.8.30-13.el7.x86_64 (epel)
~libdb-4.8.so()(64bit)
Error: Package: subversion-libs-1.9.7-1.58.amzn1.x86_64 (@amzn-main)
Requires: libdb-4.7.so()(64bit)
Removing: db4-4.7.25-18.11.amzn1.x86_64 (installed)
libdb-4.7.so()(64bit)
Obsoleted By: libdb4-4.8.30-13.el7.x86_64 (epel)
~libdb-4.8.so()(64bit)
Error: libdb4 conflicts with filesystem-2.4.30-3.8.amzn1.x86_64
Error: Package: rpm-build-libs-4.11.3-21.75.amzn1.x86_64 (installed)
Requires: libdb-4.7.so()(64bit)
Removing: db4-4.7.25-18.11.amzn1.x86_64 (installed)
libdb-4.7.so()(64bit)
Obsoleted By: libdb4-4.8.30-13.el7.x86_64 (epel)
~libdb-4.8.so()(64bit)
Error: Package: python27-libs-2.7.16-1.129.amzn1.x86_64 (@amzn-updates)
Requires: libdb-4.7.so()(64bit)
Removing: db4-4.7.25-18.11.amzn1.x86_64 (installed)
libdb-4.7.so()(64bit)
Obsoleted By: libdb4-4.8.30-13.el7.x86_64 (epel)
~libdb-4.8.so()(64bit)
Error: Package: cyrus-sasl-lib-2.1.23-13.16.amzn1.x86_64 (installed)
Requires: libdb-4.7.so()(64bit)
Removing: db4-4.7.25-18.11.amzn1.x86_64 (installed)
libdb-4.7.so()(64bit)
Obsoleted By: libdb4-4.8.30-13.el7.x86_64 (epel)
~libdb-4.8.so()(64bit)
Error: Package: rpm-build-4.11.3-21.75.amzn1.x86_64 (@amzn-main)
Requires: libdb-4.7.so()(64bit)
Removing: db4-4.7.25-18.11.amzn1.x86_64 (installed)
libdb-4.7.so()(64bit)
Obsoleted By: libdb4-4.8.30-13.el7.x86_64 (epel)
~libdb-4.8.so()(64bit)
Error: Package: sendmail-8.14.4-9.14.amzn1.x86_64 (installed)
Requires: libdb-4.7.so()(64bit)
Removing: db4-4.7.25-18.11.amzn1.x86_64 (installed)
libdb-4.7.so()(64bit)
Obsoleted By: libdb4-4.8.30-13.el7.x86_64 (epel)
~libdb-4.8.so()(64bit)
Error: Package: rpm-libs-4.11.3-21.75.amzn1.x86_64 (installed)
Requires: libdb-4.7.so()(64bit)
Removing: db4-4.7.25-18.11.amzn1.x86_64 (installed)
libdb-4.7.so()(64bit)
Obsoleted By: libdb4-4.8.30-13.el7.x86_64 (epel)
~libdb-4.8.so()(64bit)
Error: Package: pam_ccreds-10-4.9.amzn1.x86_64 (installed)
Requires: libdb-4.7.so()(64bit)
Removing: db4-4.7.25-18.11.amzn1.x86_64 (installed)
libdb-4.7.so()(64bit)
Obsoleted By: libdb4-4.8.30-13.el7.x86_64 (epel)
~libdb-4.8.so()(64bit)
Error: Package: rpm-4.11.3-21.75.amzn1.x86_64 (installed)
Requires: /usr/bin/db_stat
Removing: db4-utils-4.7.25-18.11.amzn1.x86_64 (installed)
Not found
Obsoleted By: libdb4-utils-4.8.30-13.el7.x86_64 (epel)
Not found
Error: Package: cyrus-sasl-2.1.23-13.16.amzn1.x86_64 (installed)
Requires: libdb-4.7.so()(64bit)
Removing: db4-4.7.25-18.11.amzn1.x86_64 (installed)
libdb-4.7.so()(64bit)
Obsoleted By: libdb4-4.8.30-13.el7.x86_64 (epel)
~libdb-4.8.so()(64bit)
Error: Package: libserf-1.3.7-1.7.amzn1.x86_64 (@amzn-main)
Requires: libdb-4.7.so()(64bit)
Removing: db4-4.7.25-18.11.amzn1.x86_64 (installed)
libdb-4.7.so()(64bit)
Obsoleted By: libdb4-4.8.30-13.el7.x86_64 (epel)
~libdb-4.8.so()(64bit)
Error: Package: rpm-python27-4.11.3-21.75.amzn1.x86_64 (installed)
Requires: libdb-4.7.so()(64bit)
Removing: db4-4.7.25-18.11.amzn1.x86_64 (installed)
libdb-4.7.so()(64bit)
Obsoleted By: libdb4-4.8.30-13.el7.x86_64 (epel)
~libdb-4.8.so()(64bit)
Error: Package: python26-2.6.9-2.89.amzn1.x86_64 (@amzn-main)
Requires: libdb-4.7.so()(64bit)
Removing: db4-4.7.25-18.11.amzn1.x86_64 (installed)
libdb-4.7.so()(64bit)
Obsoleted By: libdb4-4.8.30-13.el7.x86_64 (epel)
~libdb-4.8.so()(64bit)
Error: Package: apr-util-1.5.4-6.18.amzn1.x86_64 (@amzn-main)
Requires: libdb-4.7.so()(64bit)
Removing: db4-4.7.25-18.11.amzn1.x86_64 (installed)
libdb-4.7.so()(64bit)
Obsoleted By: libdb4-4.8.30-13.el7.x86_64 (epel)
~libdb-4.8.so()(64bit)
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
CC @JuergenAuer
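Reading the two yum dumps above, as an added example that is not part of the thread: every package that fails is tagged .el7 and comes from epel or epel-testing, while the installed base is tagged .amzn1 (amzn-main, amzn-updates, installed), so EPEL 7 packages are being resolved against Amazon Linux 1. The POSIX sh/awk script below is mine, not from yum or from anyone in the thread; it pulls the release tag out of each package line in yum's dependency errors and lists the repositories that supply foreign-tagged packages. The sample lines are copied from the output above; the function names are my own.

```shell
#!/bin/sh
# Added example: detect repository / release mismatches in yum dependency errors.
# Assumes POSIX sh and awk only; no yum is run here.

# Print "dist-tag repo" for every package line yum printed
# (Error: Package:, Available:, Installing:, Removing:, Obsoleted By:).
yum_dist_tags() {   # stdin: yum output
    awk '
      /^[[:space:]]*(Error: Package:|Available:|Installing:|Removing:|Obsoleted By:)/ {
          repo = $NF; gsub(/[()@]/, "", repo)      # "(epel)" / "(@amzn-main)" -> epel / amzn-main
          pkg  = $(NF-1)                             # the NEVRA, e.g. python2-six-1.9.0-0.el7.noarch
          if (match(pkg, /\.(el[0-9]+|amzn[0-9]+)\./)) {
              tag = substr(pkg, RSTART + 1, RLENGTH - 2)   # el7 / amzn1
              print tag, repo
          }
      }'
}

# Repositories that ship packages built for a release other than the host's.
# $1 = the host's tag (amzn1 for Amazon Linux AMI 2018.03); stdin: yum output.
foreign_repos() {
    yum_dist_tags | awk -v host="$1" '$1 != host { print $2 }' | sort -u
}

# Constructed sample: lines copied from the yum output in this thread.
SAMPLE='Error: Package: python2-acme-0.37.2-1.el7.noarch (epel-testing)
           Requires: pyOpenSSL >= 0.13.1
           Available: python26-pyOpenSSL-0.10-2.8.amzn1.x86_64 (amzn-main)
Error: Package: python2-six-1.9.0-0.el7.noarch (epel)
           Requires: python-six >= 1.9.0
           Installing: python26-six-1.8.0-1.23.amzn1.noarch (amzn-main)
Error: Package: rpm-4.11.3-21.75.amzn1.x86_64 (installed)
           Requires: libdb-4.7.so()(64bit)
           Removing: db4-4.7.25-18.11.amzn1.x86_64 (installed)
           Obsoleted By: libdb4-4.8.30-13.el7.x86_64 (epel)'

# Stand-alone run: which repos are pulling non-amzn1 packages onto this host?
printf '%s\n' "$SAMPLE" | foreign_repos amzn1
```

On the real machine the same check is `sudo yum install certbot python2-certbot-nginx 2>&1 | foreign_repos amzn1`; every repo it prints is one that the resolver is mixing into a base it was not built for, which is the situation --skip-broken cannot repair. The libdb4 conflict in the second dump shows why forcing it is risky: rpm, pam and cyrus-sasl themselves depend on the db4 package that the EPEL replacement would obsolete.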
Hi @LouayH
I'm not so firm with such installation problems. But there (11 days ago) @schoen wrote:
One important thing to know is that Certbot is currently not supported on Amazon Linux, so users should probably either use it via Docker or switch to a different client.
Checked your domain: you don't have an older certificate, so there was no older working configuration.
Perhaps check acme.sh.
1 Like
LouayH
September 3, 2019, 9:24pm
5
Hi @JuergenAuer ,
Yes, it seems an issue with Amazon Linux, and many thanks for referring me to acme.sh.
Do me a favor and help me get it working, as I’m new to managing servers
I’ve completed the steps mentioned here to issue a cert in standalone mode, but it still isn’t working for me.
Here is my nginx conf block
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name leo-micro.tk;
    root /usr/share/nginx/html;

    ssl_certificate /etc/letsencrypt/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/key.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=63072000" always;

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8;
}
You can see that my domain is working as http://leo-micro.tk/ but not as https://leo-micro.tk/
Should I issue a cert in webroot instead of standalone mode?
Is /usr/share/nginx/html my webroot?
You have created a certificate - https://check-your-website.server-daten.de/?q=leo-micro.tk#ct-logs

Issuer                     | not before | not after  | Domain names | LE-Duplicate | next LE
Let’s Encrypt Authority X3 | 2019-09-03 | 2019-12-02 | leo-micro.tk | 1 entries    | duplicate nr. 1
So that part has worked. It’s “only” an installation problem.
Did you use the --install-cert option? Are the certificate paths correct?
What does nginx -T say?
LouayH
September 3, 2019, 9:52pm
7
nginx -T says

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    index index.html index.htm;

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name localhost;
        root /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        # redirect server error pages to the static page /40x.html
        #
        error_page 404 /404.html;
        location = /40x.html {
        }

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root html;
        #    fastcgi_pass 127.0.0.1:9000;
        #    fastcgi_index index.php;
        #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        #    include fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny all;
        #}
    }

    # Settings for a TLS enabled server.
    #
    #    server {
    #        listen 443 ssl http2 default_server;
    #        listen [::]:443 ssl http2 default_server;
    #        server_name _;
    #        root /usr/share/nginx/html;
    #
    #        ssl_certificate "/etc/pki/nginx/server.crt";
    #        ssl_certificate_key "/etc/pki/nginx/private/server.key";
    #        # It is *strongly* recommended to generate unique DH parameters
    #        # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
    #        #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
    #        ssl_session_cache shared:SSL:1m;
    #        ssl_session_timeout 10m;
    #        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #        ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
    #        ssl_prefer_server_ciphers on;
    #
    #        # Load configuration files for the default server block.
    #        include /etc/nginx/default.d/*.conf;
    #
    #        location / {
    #        }
    #
    #        error_page 404 /404.html;
    #        location = /40x.html {
    #        }
    #
    #        error_page 500 502 503 504 /50x.html;
    #        location = /50x.html {
    #        }
    #    }

}

# configuration file /etc/nginx/mime.types:
types {
    text/html html htm shtml;
    text/css css;
    text/xml xml;
    image/gif gif;
    image/jpeg jpeg jpg;
    application/javascript js;
    application/atom+xml atom;
    application/rss+xml rss;

    text/mathml mml;
    text/plain txt;
    text/vnd.sun.j2me.app-descriptor jad;
    text/vnd.wap.wml wml;
    text/x-component htc;

    image/png png;
    image/svg+xml svg svgz;
    image/tiff tif tiff;
    image/vnd.wap.wbmp wbmp;
    image/webp webp;
    image/x-icon ico;
    image/x-jng jng;
    image/x-ms-bmp bmp;

    application/font-woff woff;
    application/java-archive jar war ear;
    application/json json;
    application/mac-binhex40 hqx;
    application/msword doc;
    application/pdf pdf;
    application/postscript ps eps ai;
    application/rtf rtf;
    application/vnd.apple.mpegurl m3u8;
    application/vnd.google-earth.kml+xml kml;
    application/vnd.google-earth.kmz kmz;
    application/vnd.ms-excel xls;
    application/vnd.ms-fontobject eot;
    application/vnd.ms-powerpoint ppt;
    application/vnd.oasis.opendocument.graphics odg;
    application/vnd.oasis.opendocument.presentation odp;
    application/vnd.oasis.opendocument.spreadsheet ods;
    application/vnd.oasis.opendocument.text odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
        pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
        xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
        docx;
    application/vnd.wap.wmlc wmlc;
    application/x-7z-compressed 7z;
    application/x-cocoa cco;
    application/x-java-archive-diff jardiff;
    application/x-java-jnlp-file jnlp;
    application/x-makeself run;
    application/x-perl pl pm;
    application/x-pilot prc pdb;
    application/x-rar-compressed rar;
    application/x-redhat-package-manager rpm;
    application/x-sea sea;
    application/x-shockwave-flash swf;
    application/x-stuffit sit;
    application/x-tcl tcl tk;
    application/x-x509-ca-cert der pem crt;
    application/x-xpinstall xpi;
    application/xhtml+xml xhtml;
    application/xspf+xml xspf;
    application/zip zip;

    application/octet-stream bin exe dll;
    application/octet-stream deb;
    application/octet-stream dmg;
    application/octet-stream iso img;
    application/octet-stream msi msp msm;

    audio/midi mid midi kar;
    audio/mpeg mp3;
    audio/ogg ogg;
    audio/x-m4a m4a;
    audio/x-realaudio ra;

    video/3gpp 3gpp 3gp;
    video/mp2t ts;
    video/mp4 mp4;
    video/mpeg mpeg mpg;
    video/quicktime mov;
    video/webm webm;
    video/x-flv flv;
    video/x-m4v m4v;
    video/x-mng mng;
    video/x-ms-asf asx asf;
    video/x-ms-wmv wmv;
    video/x-msvideo avi;
}

# configuration file /etc/nginx/conf.d/leo-micro.tk.conf:
upstream easyio {
    ip_hash;
    server localhost:8080;
    server localhost:8081;
}

server {
    listen 80;
    listen [::]:80;
    server_name leo-micro.tk;
    root /home/leo/easyio/public;

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location /socket.io/ {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass "http://easyio/socket.io/";
    }

    location /api/ {
        proxy_pass "http://easyio/api/";
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name leo-micro.tk;

    # default route for static files if not configured in / location
    root /usr/share/nginx/html;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/letsencrypt/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/key.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
    # ssl_dhparam /path/to/dhparam.pem;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # replace with the IP address of your resolver
    resolver 8.8.8.8;
}

# configuration file /etc/nginx/conf.d/virtual.conf:
#
# A virtual host using mix of IP-, name-, and port-based configuration
#
#server {
#    listen 8000;
#    listen somename:8080;
#    server_name somename alias another.alias;
#    location / {
#        root html;
#        index index.html index.htm;
#    }
#}
Yes, I’ve used --install-cert, and that’s what I got:
acme.sh --install-cert --domain leo-micro.tk --cert-file /etc/letsencrypt/cert.pem --key-file /etc/letsencrypt/key.pem --fullchain-file /etc/letsencrypt/fullchain.pem --reloadcmd "service nginx reload"
[Tue Sep 3 20:53:42 UTC 2019] Installing cert to:/etc/letsencrypt/cert.pem
[Tue Sep 3 20:53:42 UTC 2019] Installing key to:/etc/letsencrypt/key.pem
[Tue Sep 3 20:53:42 UTC 2019] Installing full chain to:/etc/letsencrypt/fullchain.pem
[Tue Sep 3 20:53:42 UTC 2019] Run reload cmd: service nginx reload
I’ve tried cert.pem as ssl_certificate in the nginx configuration, but I get this error on service nginx reload:
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/letsencrypt/cert.pem"
So I changed it to fullchain.pem, and nginx reloaded without errors, although cert.pem and fullchain.pem exist in the same directory.
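The ssl_stapling warning above is the expected result of pointing ssl_certificate at a file that holds only the leaf certificate: nginx needs the issuer (intermediate) certificate, which acme.sh writes into fullchain.pem, both to send a complete chain to clients and to verify the stapled OCSP response. As an added example that is not part of the thread and not acme.sh's or nginx's own code, the POSIX sh script below reads ssl_certificate and ssl_certificate_key from a server block, counts the PEM certificate blocks in the certificate file, and checks that the private key is not readable by other users. The make_demo function builds a constructed directory of placeholder PEM text (not real certificates) mirroring the /etc/letsencrypt paths used above; all function names are my own.

```shell
#!/bin/sh
# Added example: sanity-check the certificate and key files an nginx server block uses.
# Assumes POSIX sh, grep, sed, stat and mktemp; no nginx is started.

# Number of PEM certificate blocks in a file (0 if it is missing/unreadable).
pem_cert_count() {
    if [ -r "$1" ]; then
        grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Argument of the first uncommented "<directive> value;" line in a config file.
nginx_directive() {   # $1 = config file, $2 = directive name
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$1" | head -n 1 | tr -d '"'"'"
}

# missing / leaf-only (stapling gets ignored, as in the warning above) / chain.
chain_status() {
    n=$(pem_cert_count "$1")
    if [ "$n" -eq 0 ]; then echo missing
    elif [ "$n" -eq 1 ]; then echo leaf-only
    else echo chain
    fi
}

# The key must exist and be readable by its owner only (mode 600 or 400).
key_status() {
    [ -f "$1" ] || { echo missing; return; }
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) echo private ;;
        *)       echo "too-permissive($mode)" ;;
    esac
}

# Report both files for the server block in $1.
check_nginx_tls_files() {
    cert=$(nginx_directive "$1" ssl_certificate)
    key=$(nginx_directive "$1" ssl_certificate_key)
    echo "ssl_certificate     $cert -> $(chain_status "$cert")"
    echo "ssl_certificate_key $key -> $(key_status "$key")"
}

# Constructed demo tree with placeholder PEM text (NOT real certificates):
# cert.pem = leaf only, fullchain.pem = leaf + issuer, key.pem mode 600.
make_demo() {
    d=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nLEAF-PLACEHOLDER\n-----END CERTIFICATE-----\n' > "$d/cert.pem"
    { cat "$d/cert.pem"
      printf -- '-----BEGIN CERTIFICATE-----\nISSUER-PLACEHOLDER\n-----END CERTIFICATE-----\n'; } > "$d/fullchain.pem"
    printf -- '-----BEGIN PRIVATE KEY-----\nKEY-PLACEHOLDER\n-----END PRIVATE KEY-----\n' > "$d/key.pem"
    chmod 600 "$d/key.pem"
    cat > "$d/leaf-only.conf" <<EOF
server {
    listen 443 ssl http2;
    ssl_certificate     $d/cert.pem;
    ssl_certificate_key $d/key.pem;
    ssl_stapling on;
}
EOF
    sed "s#/cert.pem#/fullchain.pem#" "$d/leaf-only.conf" > "$d/fullchain.conf"
    echo "$d"
}

# Stand-alone run: the leaf-only block reproduces the situation behind the warning.
DEMO=$(make_demo)
check_nginx_tls_files "$DEMO/leaf-only.conf"
check_nginx_tls_files "$DEMO/fullchain.conf"
```

On the real host, `check_nginx_tls_files /etc/nginx/conf.d/leo-micro.tk.conf` should report `chain` for fullchain.pem and `private` for key.pem; a count of one certificate explains the stapling warning, and a key mode other than 600/400 means every local account on the instance can read the private key.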
Does your server work internally?
curl https://leo-micro.tk/
LouayH
September 3, 2019, 10:40pm
9
I did some research on this problem and found that I should allow HTTPS inbound to the AWS EC2 instance, and now it’s working: https://leo-micro.tk/
@JuergenAuer Thank you very much for your help.
2 Likes
Yep, that's required.
Now you have a new certificate
Issuer                     | not before | not after  | Domain names | LE-Duplicate | next LE
Let's Encrypt Authority X3 | 2019-09-03 | 2019-12-02 | leo-micro.tk | 1 entries    | duplicate nr. 1
Happy to read that it has worked.
2 Likes
system
Closed
October 4, 2019, 5:24am
11
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.