How to install LetsEncrypt in Amazon Linux 2 (centos rhel fedora) using Nginx?

Kindly help with the latest tutorial, as all other tutorials are old and not supported anymore. I'm getting a 404 error.

Old Tutorial: Install and Renew Let’s Encrypt SSL on Amazon AMI | by Mohan Pawar | Medium

I ran this command: sudo wget https://dl.eff.org/certbot-auto

It produced this output:
--2021-09-15 17:51:50-- https://dl.eff.org/certbot-auto
Resolving dl.eff.org (dl.eff.org)... 199.232.xx.yyy, 2a04:4e42:50::201
Connecting to dl.eff.org (dl.eff.org)|199.232.xx.yyy|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2021-09-15 17:51:50 ERROR 404: Not Found.

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version): 4.14.203-156.332.amzn2.x86_64

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No, using SSH to log in via shell terminal

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): No idea. I can't install.

1 Like

Welcome to the Let's Encrypt Community :slightly_smiling_face:

Perhaps try this?

1 Like

First, @aningbo, a clarification. You are having trouble installing Certbot, which is a client used to get a cert from Let's Encrypt. There are many other clients if Certbot is too problematic.

I also use AWS Linux 2 and was not able to use the Snap instructions that @griffin linked. There was a missing dependency in the distro. Some people reported success with pip install but I never tried.

What I eventually discovered was that AWS Linux 2 has version 1.11.0 in the epel package available through EC2 extras. It is a few updates behind but has been working well for my purposes. You can install with:

amazon-linux-extras install epel -y
yum update -y --skip-broken
yum install -y certbot

I make no guarantees that this will not interfere with your other software packages. I have not seen any problems with my configuration. And, I saw most of the above on a blog so at least two of us have it working like this :slight_smile:

Here is a list of other clients from Let's Encrypt:

3 Likes

@MikeMcQ

I thought I (might have) found a workaround a while back to the issue you've mentioned with snap on Linux2, but I don't think it ever got tested.

2 Likes

The specific issue here is that the tutorial uses an ancient method (the certbot-auto wrapper script) which has been deprecated for some time now and recently removed entirely. So personally I wouldn't classify this attempt to install certbot as "troubling" or "problematic", but just as "it makes sense you're getting this error". Luckily @griffin already pointed to a more recent guide to install certbot, and from first hand too, instead of third party ancient guides :slight_smile: And if that doesn't work, you're right to notice the pip method of installing certbot :slight_smile: For which there is also a guide on the certbot homepage, of course :wink:

3 Likes

The other option if you're staying within the AWS infrastructure, though not using Let's Encrypt, is to use Amazon's certificates. They have an "enclave" concept where the nginx server doesn't have direct access to the certificate private key, but nginx can communicate with the enclave to do the needed cryptography on its behalf, and the enclave communicates with AWS Certificate Manager which handles the certificates and renewals for you.

https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-refapp.html

That may be more complicated than you're looking to set up, though. If you're looking to go with certbot and Let's Encrypt, I'd second just using the version in epel through yum, which is also described in AWS's documentation:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html#letsencrypt

(Though I don't know why that documentation suggests downloading an rpm from fedoraproject to enable epel rather than just using amazon-linux-extras. I'd think amazon-linux-extras would generally be easier.)

4 Likes

@petercooperjr Cool tip about the enclaves. Thanks.

Another option in AWS is to front your EC2 with CloudFront (their CDN). CloudFront also supports AWS Certificate Manager (ACM) and it is trivial to set up auto-renewing certs. I know because I recently set up such a system. However, the cert from ACM in CloudFront is for https between it and the client (viewer in CF lingo). You then choose http or https (or a mix) between CloudFront and your EC2. I chose https and use Certbot and Let's Encrypt in my EC2 so I am https from EC2 through CloudFront to the client. Choosing http between EC2 and CloudFront would avoid needing a cert in EC2 and still allow https between CloudFront and your client.

I limit my description to certs here; of course deciding on CloudFront, or the Elastic Load Balancer (another ACM option for EC2), has additional considerations for the app designer.

Thanks again for the nitro reference.

2 Likes

The tutorial says I need to install snapd, but there's no distribution package for Amazon Linux 2.

Running this command gives: cat /etc/os-release

NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"

Running this command gives: uname -r

4.14.203-156.332.amzn2.x86_64

Any idea how to proceed further?

PS: I also don't know if I'm running on CentOS/RHEL 7 or CentOS/RHEL 8.

Running this command gives: cat /etc/redhat-release
cat: /etc/redhat-release: No such file or directory

Running this command gives: cat /etc/centos-release
cat: /etc/centos-release: No such file or directory

1 Like
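Pulling the two threads together (the EPEL install commands posted above and the /etc/os-release output just shown), here is an added example script, not from the thread or from Certbot, that picks the install route from os-release and then applies the EPEL route for Amazon Linux 2. The nginx plugin package name `python2-certbot-nginx` is an assumption (EPEL 7 naming); the sample os-release text is constructed from the output in this thread.

```shell
#!/bin/sh
# Added example: choose a certbot install route from /etc/os-release, then
# apply the EPEL route the thread recommends for Amazon Linux 2.

# Constructed sample, mirroring the os-release output posted in the thread.
SAMPLE_AMZN2_OS_RELEASE='NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"'

# Read one key ($2) from os-release text ($1), stripping surrounding quotes.
os_release_value() {
  printf '%s\n' "$1" | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# "epel"  : Amazon Linux 2 (no snapd package, so certbot's snap route fails)
# "snap"  : RHEL/CentOS/Fedora, where certbot's snap instructions apply
# "unknown": anything else; check certbot's site for that distro
certbot_route() {
  id=$(os_release_value "$1" ID)
  ver=$(os_release_value "$1" VERSION_ID)
  case "$id:$ver" in
    amzn:2)                   echo epel ;;
    rhel:*|centos:*|fedora:*) echo snap ;;
    *)                        echo unknown ;;
  esac
}

# EPEL route from the thread, plus the nginx plugin. The plugin package name
# is assumed (EPEL 7 naming); confirm with `yum search certbot` first.
install_certbot_amzn2() {
  sudo amazon-linux-extras install epel -y
  sudo yum update -y --skip-broken
  sudo yum install -y certbot python2-certbot-nginx
}

# Obtain and install a cert into the nginx config; $1 is your domain.
obtain_nginx_cert() {
  sudo certbot --nginx -d "$1"
}

# Post-install checks: version string, then a renewal dry run, which talks to
# the staging endpoint and exercises the nginx plugin without issuing a cert.
verify_certbot() {
  certbot --version
  sudo certbot renew --dry-run
}
```

On the instance, source the file and run `certbot_route "$(cat /etc/os-release)"`; if it prints `epel`, call `install_certbot_amzn2`, `obtain_nginx_cert yourdomain.example`, then `verify_certbot`.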

Anything in?:
cat /etc/issue

Are the certbot installation instructions any different?

1 Like

This command gives: cat /etc/issue
\S
Kernel \r on an \m

My main follow up question is about installing snapd. There's no Amazon Linux 2 as an option.

1 Like

Yes, understood.
My point there was, that I think all certbot RHEL and Fedora instructions say to install snapd.
So, it really doesn't matter much if you have 7 or 8.
I would prefer to go with some other ACME client in the case of Amazon Linux.

1 Like

I use CentOS 7 on a VPS. I never could get the certbot python code running, so I used acme.sh. The somewhat bad news is that, though acme.sh is open source, it was sold, but it still does work with Let's Encrypt. It might be harder to install now since it targets some other certificate company.

This was my issue with the new version of Let's Encrypt. It was solved.
getting it going with Let's Encrypt version 2

This is the code on github:
acme.sh

1 Like