How to renew my certificate on EC2 Amazon Linux 2 AMI (Apache server)?

Hi @rg305, Hi @Osiris,

Strangely, /etc/letsencrypt/ isn't owned by apache.

I changed /var ownership (sudo chown -R root:root /var) and I ran this command:

sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/onearth.studio.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for onearth.studio and www.onearth.studio
Performing the following challenges:
http-01 challenge for onearth.studio
http-01 challenge for www.onearth.studio
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/onearth.studio/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/onearth.studio/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Then I ran this command:

sudo snap install core; sudo snap refresh core

It produced this output:

snap "core" is already installed, see 'snap help refresh'
snap "core" has no updates available

I ran this command:

sudo snap install --classic certbot

It produced this output:

snap "certbot" is already installed, see 'snap help refresh'

I ran this command:

sudo certbot --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: onearth.studio
2: www.onearth.studio
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):    
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for onearth.studio and www.onearth.studio
Performing the following challenges:
http-01 challenge for onearth.studio
http-01 challenge for www.onearth.studio
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/httpd/conf/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf/httpd-le-ssl.conf
Enhancement redirect was already set.
Enhancement redirect was already set.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://onearth.studio and
https://www.onearth.studio
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/onearth.studio/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/onearth.studio/privkey.pem
   Your certificate will expire on 2021-10-31. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Thanks to you, it's working again!
You are really really awesome!!!

I do have one more question: which hosting service works best with Certbot? Which one do you recommend to use?

I wish you all the best,
Jan

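The renewal procedure in the post above (checking ownership of /etc/letsencrypt, running `certbot renew --dry-run`, reading the expiry date certbot prints) as a pre-flight script. This is an added example, not code from the original thread or from certbot. It assumes /etc/letsencrypt is certbot's config directory and that private keys should be root-owned with mode 0600; the sample certbot output it parses is a constructed copy of the dry-run text shown above, and `example.test` is a placeholder name. It only reports ownership and permission problems rather than changing them, so it never needs a recursive chown.

```shell
#!/bin/sh
# Added example (not from the original thread): pre-flight checks for a
# certbot + Apache renewal on a self-managed host such as an EC2 instance.
# Assumptions: /etc/letsencrypt is certbot's config dir; private keys should
# be owned by root with mode 0600. Sample text below is constructed.

# 1. Permission audit. Report (do not fix) any file under the certbot tree
#    that is not owned by the expected user, and any private key that has
#    group/other permission bits set. Exit 0 when clean, 1 otherwise.
#    Usage: check_le_perms [dir] [owner]
check_le_perms() {
    dir=${1:-/etc/letsencrypt}
    owner=${2:-root}
    bad=0
    if [ ! -d "$dir" ]; then
        echo "check_le_perms: $dir does not exist" >&2
        return 1
    fi
    # Files not owned by the expected user (the symptom discussed above).
    nonroot=$(find "$dir" ! -user "$owner" 2>/dev/null)
    if [ -n "$nonroot" ]; then
        printf '%s\n' "$nonroot" | sed "s/^/not owned by $owner: /"
        bad=1
    fi
    # Private keys readable or writable by anyone but the owner.
    # (-perm /077 is GNU find syntax: any of the group/other bits set.)
    leaky=$(find "$dir" -type f -name 'privkey*.pem' -perm /077 2>/dev/null)
    if [ -n "$leaky" ]; then
        printf '%s\n' "$leaky" | sed 's/^/private key not mode 0600: /'
        bad=1
    fi
    return $bad
}

# 2. Parse the output of `certbot renew --dry-run` (read from stdin).
#    Succeed only when certbot itself reports that all simulated renewals
#    succeeded; otherwise echo the lines mentioning a failure to stderr.
dry_run_ok() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'all simulated renewals succeeded'; then
        return 0
    fi
    printf '%s\n' "$out" | grep -i 'fail' >&2
    return 1
}

# 3. Days between two YYYY-MM-DD dates (e.g. today and the date in
#    "Your certificate will expire on 2021-10-31"), computed as a Julian
#    day difference in shell arithmetic so it does not depend on GNU date.
jdn() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}            # avoid a leading zero being read as octal
    a=$(( (14 - m) / 12 ))
    yy=$(( y + 4800 - a ))
    mm=$(( m + 12 * a - 3 ))
    echo $(( d + (153 * mm + 2) / 5 + 365 * yy + yy / 4 - yy / 100 + yy / 400 - 32045 ))
}
days_until_expiry() {             # days_until_expiry <from> <expiry>
    echo $(( $(jdn "$2") - $(jdn "$1") ))
}
# certbot renews when 30 days or fewer remain; mirror that threshold.
renewal_due() {
    [ "$(days_until_expiry "$1" "$2")" -le 30 ]
}

# Host usage (run as root): sh renew-preflight.sh run
if [ "${1:-}" = "run" ]; then
    check_le_perms /etc/letsencrypt root
    certbot renew --dry-run 2>&1 | tee /tmp/certbot-dry-run.log
    dry_run_ok < /tmp/certbot-dry-run.log
    echo "dry run OK; a real renewal can be done with: certbot renew"
fi
```

If `check_le_perms` lists files, fix only those files (for example `chown root:root` on the listed path) rather than re-owning a whole tree; if `dry_run_ok` fails, the lines it prints to stderr point at the certificate whose http-01 challenge did not verify.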

"Working best with certbot" really doesn't matter in terms of "hosting service". Certbot is a good choice for when you're running your own VM, and while I'm sure some people might prefer one flavor of Linux over another and think certbot is easier to use on one than on another, that doesn't really change based on what service is hosting the server.

The thing that may be easiest for some, depending on your site and requirements, is not having a VM that you own/manage yourself. Some people find it easiest to just use a hosting service where they can just upload files and let the hosting provider worry about installing patches on servers and getting and installing certificates and so forth. For instance, if your site is completely "static" (no back-end programming to process user forms or the like), and you want to stay within the AWS platform, you can just put your files in S3 and have CloudFront host it (with an ACM certificate that's from Amazon rather than from Let's Encrypt), and then you don't need to worry about Certbot or Linux or anything.

Even if you do need (or prefer) a full VM, if you don't want to use Certbot and are staying with AWS, if you switch from Apache to nginx you could use EC2's Enclaves with ACM which has Amazon manage the private keys and certificate renewals and just have nginx use PKCS11 to use the key without needing to know the key itself. I don't know if setting that up would really be the easiest way to go, though.

But moving from AWS to some other service (like Azure or Google or GoDaddy or whatever, there's a bazillion of them) probably wouldn't make certbot any easier, though I'm sure there are plenty of reasons proponents of each would say to try to get you to switch to the one they prefer.


Any hosting with root access without a Bitnami stack should suffice. Some hosters seem to offer some sort of VPS with Bitnami on it. However, Bitnami uses a lot of non-standard locations for e.g. the webserver et cetera, so running certbot is not recommended. But a VPS (or a real physical "private server" of course) should work fine.

Certbot doesn't work without root very well and is therefore not recommended for shared hosting where the user doesn't have root.


Thank you very much for your answers, it is very appreciated, thanks!
