Instructions for replacing certbot-auto

Are there any instructions on how to replace certbot-auto and what to replace it with? I've been searching for a couple hours now and can't seem to find anything.

My certbot-auto commands are telling me that my system isn't supported anymore and to visit https://certbot.eff.org/ to check for other alternatives. I can't seem to find any such information though. The commands still work, they just have that deprecation message every time, and I'd rather find an alternative before it breaks.

I found this topic: Replace certbot-auto with acme.sh? that almost seems to have a solution. There's a set of instructions at the top, but then, through comments, it's pointed out that other things should be done and I can't piece together the actual final set of steps that are needed.

I also looked through some of the entries from Certbot - Certbot Instructions but I have no clue which system I'm supposed to select from that list. I know I'm running Apache, but "Amazon Linux" isn't listed, and I don't know what it would be covered under. Plus, all of the instructions seemed to be for fresh installs rather than replacing certbot-auto.

What I'm trying to find is "Here's how to migrate from certbot-auto to ". It'd be nice to not have to issue new certs until my current ones expire. It'd also be nice to only have to make minimal changes (if any) to the apache configs. And it'd be nice to be able to auto-renew the certs still (currently done via crontab entry).

Background:

Several years ago, I followed some instructions from somewhere on how to use letsencrypt on my AWS hosted server for my domain, and also set it up to automatically renew the certificate. Recently I added a couple domains to the cert.

I don't really remember what all I did to get it originally set up. I just know there's a crontab entry that auto-renews the cert, and that there's some paths/stuff in my apache conf (mostly ssl.conf).

> sudo crontab -l
0 3 * * 6 cd /opt/letsencrypt/ && ./certbot-auto renew && /sbin/apachectl restart
> sudo ls -l /etc/letsencrypt/live/wedul.com
total 4
lrwxrwxrwx 1 root root  34 Jul  7 22:03 cert.pem -> ../../archive/wedul.com/cert19.pem
lrwxrwxrwx 1 root root  35 Jul  7 22:03 chain.pem -> ../../archive/wedul.com/chain19.pem
lrwxrwxrwx 1 root root  39 Jul  7 22:03 fullchain.pem -> ../../archive/wedul.com/fullchain19.pem
lrwxrwxrwx 1 root root  37 Jul  7 22:03 privkey.pem -> ../../archive/wedul.com/privkey19.pem
-rw-r--r-- 1 root root 682 Sep 12  2018 README

My domain is: wedul.com

I ran this command:

> sudo /opt/letsencrypt/certbot-auto certificates

It produced this output:

Your system is not supported by certbot-auto anymore.
certbot-auto and its Certbot installation will no longer receive updates.
You will not receive any bug fixes including those fixing server compatibility
or security problems.
Please visit https://certbot.eff.org/ to check for other alternatives.
...

My web server is (include version):

> sudo apachectl -v
Server version: Apache/2.4.48 ()
Server built:   Jun 25 2021 18:53:37

Note: apachectl is a #!/bin/sh wrapper script on top of /usr/sbin/httpd.

The operating system my web server runs on is (include version):

This was set up so long ago I'm not even certain anymore. It's an AWS t2.micro and Amazon lists it as "Platform: Amazon Linux (Inferred)". If it helps, I dug through the certbot-auto script to find what test is causing DEPRECATED_OS=1 and it's the final else clause that's doing it.

Also, when I ssh in, I get this message:

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/

Sometimes it also includes a message that there are yum packages that need updates.

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

> sudo ./certbot-auto --version
Your system is not supported by certbot-auto anymore.
certbot-auto and its Certbot installation will no longer receive updates.
You will not receive any bug fixes including those fixing server compatibility
or security problems.
Please visit https://certbot.eff.org/ to check for other alternatives.
certbot 1.8.0
1 Like

Amazon Linux 2 is a little bit tricky because (last I checked) it has issues with both snapd and EPEL, which are the best options for EL-based Linux distributions.

I would suggest replacing certbot-auto with Certbot - Pip Apache. It is in some ways the spiritual successor to certbot-auto.

Just trying it out myself, these are the dependencies I needed to install to make it work:

yum -y install python3 python3-tools augeas-libs

and otherwise follow all the instructions as shown.

If you want to move to acme.sh, I think that would be fine, but trying out those Certbot instructions would allow you to keep your current certificates and renewal settings without having to set everything up again.

2 Likes

Welcome to the Let's Encrypt Community, Daniel 🙂

In doing some research, I did find a lengthy tutorial that Amazon provides for fixing dependencies and installing certbot:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html#letsencrypt

@_az is a certbot developer and knows worlds more about this than I do.

1 Like

@_az

This looks promising! 😃

@SpicyLemon

You might be able to successfully install snapd with this:

sudo yum install snapd-2.48.2-1.amzn2.1

I've read that there's at least a 2.50 repo available, but that should get you started and hopefully can be updated from there.

If the install worked, try running these:

sudo snap install core

sudo snap refresh core

If all is well, try running these:

sudo yum remove certbot-auto

sudo snap install --classic certbot

sudo ln -s /snap/bin/certbot /usr/bin/certbot

If all is still well, please show the output of:

sudo certbot --version
1 Like

Thanks for the help! After digging through the comments and reading through linked stuff, here's what I ended up doing.

  1. Logged into my AWS console and created a volume snapshot.
  2. Cleaned up my cron entries. It turns out I actually had two cron entries, one in /etc/crontab calling letsencrypt-auto and one in the root user's crontab (sudo crontab -l) calling certbot-auto.
    I did:
    $ sudo vi /etc/crontab
    
    and went to the letsencrypt-auto entry and commented it out (for now).
    I then did:
    $ sudo crontab -e
    
    and deleted the certbot-auto entry.
  3. I deleted the letsencrypt-auto script (although this seems to have come back during later steps):
    $ sudo rm /opt/letsencrypt/letsencrypt-auto
    
  4. I removed the /opt/eff.org directory:
    $ cd /opt
    $ sudo rm -rf eff.org/
    
  5. Installed some needed tools:
    $ sudo yum -y install python3 python3-tools augeas-libs
    
  6. Set up Python virtual environment:
    $ sudo python3 -m venv /opt/certbot/
    $ sudo /opt/certbot/bin/pip install --upgrade pip
    
  7. Installed Certbot:
    $ sudo /opt/certbot/bin/pip install certbot certbot-apache
    
  8. Added it to a location in my PATH (for easier execution):
    $ sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot
    
  9. I use the webroot method for domain verification, and found that a few of my domains/aliases were missing from the letsencrypt config. So I opened that for editing and added them under the [[webroot_map]] heading:
    $ sudo vi /etc/letsencrypt/renewal/wedul.com.conf
    
  10. Did a renewal dry-run to test things out:
    $ sudo certbot renew --dry-run
    
  11. I then added a new entry to /etc/crontab and deleted the entry I had previously commented out.
    $ sudo vi /etc/crontab
    
    The new entry is 0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/bin/certbot renew -q

This was all pieced together using previous comments in here as well as procedures in Certbot - Pip Apache and Uninstalling certbot-auto — Certbot 1.16.0.dev0 documentation.

I was concerned that I already had an /opt/letsencrypt directory, and wasn't instructed to delete it, but as far as I can tell, everything is okay. It also looks like the letsencrypt-auto script was put back in there at some step, and there's an identical certbot-auto script in there still too. But I guess if I'm not calling them, they're probably not hurting anything.

I might also go back and change the crontab line to execute sleep $(( RANDOM % 3600 )) && /usr/bin/certbot renew -q. I'm not quite sure why Python's being invoked for that. I'm guessing the randomness is primarily to prevent spikes on the EFF servers, so I'll leave that in there.

Thank you for the guidance!

1 Like
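
The check behind step 9 of the post above, as an added example that is not part of the original post: it lists which of a certificate's domains have no entry under `[[webroot_map]]` in a Certbot renewal config, which is the gap that makes a webroot renewal fail for those names. The function names, the `example.com` domains and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report domains with no [[webroot_map]] entry in a Certbot
# renewal config. Function names and sample data are hypothetical.

# Print the domain keys listed under [[webroot_map]] in renewal config $1.
webroot_mapped_domains() {
    awk '
        /^[ \t]*\[\[webroot_map\]\]/ { in_map = 1; next }  # section starts
        /^[ \t]*\[/                  { in_map = 0 }        # any other section ends it
        in_map && /=/ {
            key = $0
            sub(/[ \t]*=.*/, "", key)   # drop " = /path/to/webroot"
            sub(/^[ \t]+/, "", key)     # drop indentation
            if (key != "" && key !~ /^#/) print tolower(key)
        }
    ' "$1"
}

# Usage: missing_webroot_domains CONF domain...
# Prints each given domain that has no webroot mapping, one per line.
missing_webroot_domains() {
    conf=$1; shift
    mapped=$(webroot_mapped_domains "$conf")
    for d in "$@"; do
        d=$(printf '%s' "$d" | tr 'A-Z' 'a-z')
        printf '%s\n' "$mapped" | grep -qxF -- "$d" || printf '%s\n' "$d"
    done
}

# Constructed sample in the renewal-config layout (not the poster's file).
write_sample_conf() {
    cat > "$1" <<'EOF'
version = 1.16.0
archive_dir = /etc/letsencrypt/archive/example.com
[renewalparams]
authenticator = webroot
[[webroot_map]]
example.com = /var/www/html
www.example.com = /var/www/html
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
missing_webroot_domains "$sample" example.com WWW.example.com blog.example.com
rm -f "$sample"
```

The domains to pass in are the ones shown on the `Domains:` line of `certbot certificates`; an empty result means every name has a webroot mapping, and `certbot renew --dry-run` remains the final check.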

Let's Encrypt not EFF, but yes, with over 2 million certs issued per day, you don't want all of them to renew at once, so certbot implements a few measures to spread them out.

1 Like

This is of course something which could have been thought of earlier in the process of developing the ACME RFC... I just thought of it, but some kind of "throttling" by the ACME server without generating errors would have been nice perhaps. As in, simply a reply from the ACME server with "please try again in X seconds" where the ACME client would wait for that amount of time.

1 Like
