Certbot is not generating certificates

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://twosteptest.gvsmb.com

I ran this command: ./certbot-auto certonly -a webroot --webroot-path=/usr/share/nginx/html --no-self-upgrade -d twosteptest.gvsmb.com

It produced this output:
Had a problem while installing Python packages.

pip prints the following errors:

Collecting ConfigArgParse==1.2.3 (from -r /tmp/tmp.w5lZmnhDrz/letsencrypt-auto-requirements.txt (line 12))
Could not fetch URL https://pypi.python.org/simple/configargparse/: There was a problem confirming the ssl certificate: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727) - skipping
Could not find a version that satisfies the requirement ConfigArgParse==1.2.3 (from -r /tmp/tmp.w5lZmnhDrz/letsencrypt-auto-requirements.txt (line 12)) (from versions: )
No matching distribution found for ConfigArgParse==1.2.3 (from -r /tmp/tmp.w5lZmnhDrz/letsencrypt-auto-requirements.txt (line 12))

Certbot has problem setting up the virtual environment.

We were not be able to guess the right solution from your pip
output.

Consult Get Certbot — Certbot 2.11.0.dev0 documentation
for possible solutions.
You may also find some support resources at https://certbot.eff.org/support/

My web server is (include version): nginx/1.20.1

The operating system my web server runs on is (include version): ubuntu 20

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot-auto:1.9.0

Certbot-auto was deprecated and removed some years ago. Please don't keep using it: it's completely end of life.

Please see Certbot Instructions | Certbot for instructions on how to install Certbot using a recommended method.

Hi @Osiris,

I have gone through the above link.
Can you guide me on how to pass DNS to generate certificates for that DNS?

Did you use the snap install method? That should work well on Ubuntu.

What does this show?

sudo certbot --version

Also, the DNS for your domain has two IP addresses. Can you explain why you have two?

twosteptest.gvsmb.com. 0 IN A 3.99.28.63
twosteptest.gvsmb.com. 0 IN A 35.183.79.140
3 Likes

Hi @MikeMcQ

Actually, I provisioned an EC2 instance and deployed an nginx container in it. Inside the nginx container I am trying to install snapd and generate certificates for the DNS. While installing snapd I am getting the error below.
error: cannot communicate with server: Post http://localhost/v2/snaps/certbot: dial unix /run/snapd.socket: connect: no such file or directory

From AWS Route 53 I created a record set (DNS) and mapped it to the above bastion load balancer; due to that, two were generated, I think.

Guide me through the steps to install Certbot for the nginx container which is deployed in the AWS bastion instance, and also the steps for generating the certificates for DNS.

snapd is pre-installed in Ubuntu. I recommend installing Certbot on your host (not the nginx container) using the pre-installed snap according to the instructions linked to by @osiris earlier in this thread.

You then set up volume statements in your nginx container to allow it to use the cert files on your host.

You describe a load balancer. How many servers will operate behind the load balancer? Because if there will be a large number you will run into Rate Limit problems. In these cases you should set up one server to obtain the certs and then distribute them to the other EC2 instances as needed.

And, if you are using an AWS Load Balancer why not just use AWS ACM instead? This would avoid needing to request your own certs.

If you still want to try getting a cert using the DNS Challenge and Route53, please see
https://certbot-dns-route53.readthedocs.io/en/stable/

3 Likes
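The host-side setup recommended in the reply above, sketched as a Docker Compose file. This is an added example, not part of the thread or the Certbot documentation; the host webroot `/srv/www/html`, the service name `nginx` and the `tls.conf` file are assumptions, while the domain, container webroot and nginx version are taken from the first post.

```yaml
# Added example (constructed). Certbot runs on the EC2 host, installed from
# the snap; the nginx container only reads the resulting files.
#
# On the host, obtain the certificate through the shared webroot:
#   sudo certbot certonly --webroot -w /srv/www/html -d twosteptest.gvsmb.com
#
# Renewed certs are only picked up when nginx reloads, so register a hook
# (container name "nginx" is an assumption matching container_name below):
#   sudo certbot renew --deploy-hook "docker exec nginx nginx -s reload"
services:
  nginx:
    image: nginx:1.20.1
    container_name: nginx
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Same directory Certbot writes .well-known/acme-challenge/ into on
      # the host; nginx serves it from its default document root.
      - /srv/www/html:/usr/share/nginx/html:ro
      # Mount the whole tree, not just live/: the files under
      # live/<domain>/ are symlinks into ../../archive/<domain>/, and they
      # dangle inside the container if archive/ is not mounted as well.
      # Read-only, so the container cannot alter keys or account data.
      - /etc/letsencrypt:/etc/letsencrypt:ro
      # Hypothetical server block file that references the mounted certs:
      #   ssl_certificate     /etc/letsencrypt/live/twosteptest.gvsmb.com/fullchain.pem;
      #   ssl_certificate_key /etc/letsencrypt/live/twosteptest.gvsmb.com/privkey.pem;
      - ./tls.conf:/etc/nginx/conf.d/tls.conf:ro
```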

Hi @MikeMcQ

Previously, the deprecated certbot-auto could be installed in the nginx container and was able to generate the cert files. Why are we now not able to install Certbot in the nginx container?

I'm using an AWS Load Balancer with AWS ACM only; after generating the cert files I will upload them to ACM.

Guide me through the steps to install Certbot in the nginx container and generate cert files using Certbot.

Why can't you just use the certs provided by ACM?

4 Likes

Hi @MikeMcQ

My requirement is not to install the AWS CLI. Do I need to install the AWS CLI on the EC2 instance to get certs provided by ACM?

Are we able to achieve this without the AWS CLI?

AWS docs and support are better references for server design.

If the Load Balancer terminates TLS you need certs there anyway and I believe you can set that up in the Console.

I think the Network Load Balancer just passes requests through to your EC2 which would then need certs. But, again, if you have a large number of these instances rate limits are a concern. If you are auto-scaling then you should obtain and keep certs from a central location and have your other EC2 instances get those at startup and periodically.

Design of load balancers, multiple servers, and certs is a complex undertaking. AWS is also complex and there are many different services and ways to do things.

I am not sure why installing Certbot with snapd was a problem for you on Ubuntu.
But, there are alternative install methods.
https://eff-certbot.readthedocs.io/en/stable/install.html

4 Likes

Hi @MikeMcQ

Previously I used to follow the steps below:

  1. Install certbot-auto in the nginx container and generate the cert files for the DNS.
  2. Upload the cert files to AWS ACM.

But now certbot-auto is deprecated; is there any way to generate cert files in an nginx container?

Kindly guide me on the same.

I can't guide you any further. I don't understand your system configuration well enough to give good advice.

Below is the Certbot doc about Docker. Hopefully this will help, or perhaps some other volunteer will offer help.
https://eff-certbot.readthedocs.io/en/stable/install.html#alternative-1-docker

4 Likes

Hi @MikeMcQ

Thanks a lot for your time 🙂

4 Likes