EC2 - Expired Certificate Renewal

lrosouza · January 5, 2021, 2:18am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
checkout.cursoh.dev

I ran this command:
[root@ip-172-31-42-161 renewal]# certbot renew --force-renewal

It produced this output: bash: certbot:
command not found

My web server is (include version):
Apache/2.4.46 (Amazon)

The operating system my web server runs on is (include version):
NAME="Amazon Linux AMI"
VERSION="2018.03"
ID="amzn"
ID_LIKE="rhel fedora"
VERSION_ID="2018.03"

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I`m using certbot, but the output for both (certbot --version and certbot-auto --version) is bash: certbot-auto: command not found

I installed certbot following this link for Amazon EC2:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-ami.html#lets-encrypt-alami

I did the setup in order to automatically renew the certificate. Here is the line inside Crontab file:

39 1,13 * * * root certbot renew --no-self-upgrade

I guess that my mistake was to close port 80 to increase safety. This way certbot could not renew let`s encrypt certificate automatically.

How can I solve this?

rg305 · January 5, 2021, 3:47am

Have you tried opening port 80?

Osiris · January 5, 2021, 6:58am

All I see from your post are "command not found" when you try to run certbot. How did you conclude that's a sign your port 80 is closed?

rg305 · January 5, 2021, 7:04am

When he tried to run certbot-auto that wasn't found.

Osiris · January 5, 2021, 7:26am

rg305 · January 5, 2021, 7:45am

So neither was found?
Maybe they should install one.

lrosouza · January 5, 2021, 2:17pm

Yes! Did not work! I think that the fact of the certificate being already expired changes the whole situation. I mean, I think that the auto renewal process is no longer available when certificate expires.

lrosouza · January 5, 2021, 2:18pm

I opened port 80 in order to install certificate. After that I just kept port 443 open to run https only.

lrosouza · January 5, 2021, 2:22pm

I have certbot-auto in my machine at /etc/httpd/conf.d

-rwxr-xr-x 1 root root 79639 Oct 2 04:20 certbot-auto

It is installed...

Osiris · January 5, 2021, 5:32pm

Multiple things:

certbot-auto is deprecated, please update your system to a more durable method of installing (and consequently updating) certbot. See https://certbot.eff.org for more info.
That's a highly unusual place to keep a script such as the certbot-auto wrapper script.
As /etc/httpd/conf.d probably isn't in the PATH variable, you can't run certbot-auto without a path in front of it. You probably ran it from that directory with ./certbot-auto.
Port 80 needs to be open for the http-01 challenge to work indeed. Closing it doesn't increase security. See https://letsencrypt.org/docs/allow-port-80/ for more info.

griffin · January 5, 2021, 7:46pm

Welcome to the Let's Encrypt Community, Lucas

Renewing a certificate is functionally no different than acquiring a new certificate. Let's Encrypt ignores the fact that a certificate is expired or even invalid during the authentication process.

lrosouza · January 5, 2021, 9:08pm

Ok, so what should I do to get a valid certificate again?

griffin · January 5, 2021, 9:09pm

Most likely the same thing you did to get your first certificate (making any tweaks suggested above).

lrosouza · January 6, 2021, 2:02am

Got stuck on step 4.

Command: sudo ./certbot-auto --debug

Output:
Your system is not supported by certbot-auto anymore.
Certbot will no longer receive updates.
Please visit https://certbot.eff.org/ to check for other alternatives.
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in
from certbot.main import main
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 2, in
from certbot._internal import main as internal_main
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/_internal/main.py", line 10, in
import josepy as jose
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/init.py", line 44, in
from josepy.interfaces import JSONDeSerializable
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 7, in
from josepy import errors, util
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 7, in
import OpenSSL
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/init.py", line 8, in
from OpenSSL import crypto, SSL
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 12, in
from cryptography import x509
ImportError: No module named cryptography

The message below called my attention:
> Your system is not supported by certbot-auto anymore.

Went to https://certbot.eff.org/ and as far as I could get is that I need to get SNAPD, in order to install another version of certbot. But none of the options guided me to AMI Linux.

Checking os-release I have:

NAME="Amazon Linux AMI"
VERSION="2018.03"
ID="amzn"
ID_LIKE="rhel fedora"
VERSION_ID="2018.03"
PRETTY_NAME="Amazon Linux AMI 2018.03"
ANSI_COLOR="0;33"
CPE_NAME="cpe:/o:amazon:linux:2018.03:ga"
HOME_URL="http://aws.amazon.com/amazon-linux-ami/"

Which drove me to Fedora. But when trying to run fedora commands nothing happened.

rg305 · January 6, 2021, 2:21am

Which commands?
Something always happens; please show whatever that is.

Did you try following?:
Certbot - Pip Other (eff.org)

lrosouza · January 6, 2021, 8:46pm

I`ve tried before. But, here it goes:

[root@ip-172-31-42-161 ec2-user]# snap install core
bash: snap: command not found

So I went to link that you said and followed steps for install snapd / Red Hat Enterprise Linux (RHEL) and added EPEL for RHEL 7. As you can see below I updated my EPEL.

Results:

[root@ip-172-31-42-161 ec2-user]# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Loaded plugins: priorities, update-motd, upgrade-helper
epel-release-latest-7.noarch.rpm | 15 kB 00:00:00
Examining /var/tmp/yum-root-Nm8Yvt/epel-release-latest-7.noarch.rpm: epel-release-7-13.noarch
Marking /var/tmp/yum-root-Nm8Yvt/epel-release-latest-7.noarch.rpm as an update to epel-release-6-8.9.amzn1.noarch
Resolving Dependencies
amzn-main/latest | 2.1 kB 00:00:00
amzn-updates/latest | 3.8 kB 00:00:00
--> Running transaction check
---> Package epel-release.noarch 0:6-8.9.amzn1 will be updated
---> Package epel-release.noarch 0:7-13 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================
Package Arch Version Repository Size

Updating:
epel-release noarch 7-13 /epel-release-latest-7.noarch 25 k

Transaction Summary

Upgrade 1 Package

Total size: 25 k
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : epel-release-7-13.noarch 1/2
warning: /etc/yum.repos.d/epel.repo created as /etc/yum.repos.d/epel.repo.rpmnew
Cleanup : epel-release-6-8.9.amzn1.noarch 2/2
Verifying : epel-release-7-13.noarch 1/2
Verifying : epel-release-6-8.9.amzn1.noarch 2/2

Updated:
** epel-release.noarch 0:7-13**

Complete!

So I moved to the next step:

With the EPEL repository added to your RHEL installation, simply install the snapd package:
$ sudo yum install snapd

So I ran the command! Output as follows:

[root@ip-172-31-42-161 /]# yum install snapd
Loaded plugins: priorities, update-motd, upgrade-helper
amzn-main | 2.1 kB 00:00:00
amzn-updates | 3.8 kB 00:00:00
1067 packages excluded due to repository priority protections
No package snapd available.
Error: Nothing to do

Nothing here yet. Seems that if we solve the SNAPD we will be able to move on.

Any Ideas?

rg305 · January 6, 2021, 9:22pm

yum update
yum install snapd
? ? ?

lrosouza · January 7, 2021, 12:57am

already tried 100 times...

sahsanu · January 7, 2021, 1:42am

Hello @lrosouza,

You are using Amazon Linux AMI and it is a special Linux distribution so, mixing it with epel repositories from other distributions maybe could not be a good idea, you could mess your system.

You should try to research whether snapd package is provided by your distribution and in case it isn't maybe you should consider to change the client used. acme.sh could be a good alternative to certbot as it is a bash script and it requires only a few tools like, openssl, curl, sed, etc, tools that you should have installed or you could install easily.

Anyway, I hope someone could help you to install snapd on Amazon Linux AMI but be careful or you could mess your entire system, also, seems Amazon Linux AMI full support ended December 31st 2020 and now it is on a maintenance mode till 2023.

Good luck,
sahsanu

system · February 6, 2021, 1:42am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

EC2 - Expired Certificate Renewal

============================================================================================================================================================= Package Arch Version Repository Size

Transaction Summary

=============================================================================================================================================================
Package Arch Version Repository Size