When trying to run certbot-auto with [ sudo /home/ec2-user/letsencrypt/certbot-auto --apache --debug ] I’m getting an error that virtualenv cannot be found.
It’s actually located in /home/ec2-user/.pyenv/versions/2.7.12/lib/python2.7/site-packages/virtualenv.py (and virtualenv.pyc)
Do I need to create a symlink (and if so, where and how, if you don’t mind explaining)?
Or do I need to add the above location to my path (and again, if you would, help explain how to do that)?
I’m on AWS CentOS 6, running Python 2.7, Apache 2.4.25, OpenSSL 1.0.1k.
By default, sudo strips wacky directories from the PATH. You probably need to include your pyenv bindir in the secure_path for sudo. Run sudo visudo, locate the secure_path entry, and add your pyenv bindir to that path listing.
Alternatively, you could install certbot via pip into your pyenv rather than using certbot-auto. While this means you’ll have to manually upgrade certbot with pip every now and then instead of it automatically upgrading during certificate renewal, it might work with your pyenv with much less fuss.
Another alternative would be to just sudo yum install python-virtualenv and let certbot use the system python instead of your pyenv.
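The secure_path fix above, as an added example (not from the thread): the first function shows the PATH difference that causes "virtualenv not found" under sudo, and the rest builds the amended `Defaults secure_path` line for `sudo visudo` without duplicating entries. The pyenv directories and the stock CentOS 6 secure_path value are assumptions; read the real value from your own sudoers file first.

```shell
# Added example, not from the thread: inspect how sudo's secure_path replaces
# the caller's PATH, then build the amended secure_path value to paste into
# /etc/sudoers via "sudo visudo".
# Assumed values: the pyenv shims/bin directories below, and the default
# secure_path a stock CentOS 6 sudoers file carries.

PYENV_BIN="/home/ec2-user/.pyenv/shims:/home/ec2-user/.pyenv/bin"   # assumed pyenv bindir

# Show the PATH the user sees versus the PATH sudo hands to the command.
# Purely informational; nothing in this block edits sudoers.
show_path_difference() {
    printf 'user PATH : %s\n' "$PATH"
    printf 'sudo PATH : %s\n' "$(sudo env 2>/dev/null | sed -n 's/^PATH=//p')"
}

# Append one or more directories to an existing secure_path value, skipping
# entries that are already present, so re-running it stays idempotent.
# Usage: amend_secure_path "<current secure_path>" "<dir1:dir2>"
amend_secure_path() {
    current=$1
    additions=$2
    result=$current
    old_ifs=$IFS
    IFS=:
    for dir in $additions; do
        case ":$result:" in
            *":$dir:"*) ;;                    # already listed, keep as is
            *) result="$result:$dir" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$result"
}

# Print the Defaults line to paste into "sudo visudo". The current value used
# here is the assumed stock CentOS 6 setting; check yours with:
#   sudo grep -i secure_path /etc/sudoers
sudoers_line() {
    printf 'Defaults    secure_path = %s\n' \
        "$(amend_secure_path "/sbin:/bin:/usr/sbin:/usr/bin" "$PYENV_BIN")"
}
```

A one-off way to confirm the diagnosis before touching sudoers is to pass the user's PATH through explicitly, `sudo env PATH="$PATH" /home/ec2-user/letsencrypt/certbot-auto --apache --debug`; if that finds virtualenv, the secure_path edit is the permanent fix.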
When I proceed I’m now hung up on “FailedChallenges: Failed authorization procedure. poursafe.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout”
This is an AWS EC2 instance where I have a publicly accessible website. I’ve opened up the ports to send/receive all traffic but am still getting the error above. I don’t see any indicators in the logs that describe the issue either.
Could you tell me what I should be looking for to get this resolved? Thanks much!
Does it work for you? Even on mobile data or connection in another place?
Double-check that the A record for this domain matches the external IP listed in the Amazon EC2 control panel.
Make sure that ports 80 and 443 are open in both your system firewall and in the appropriate Security Group in the Amazon control panel.
You could also try stopping and starting the instance so it gets moved to different hardware and gets a new IP address. I’m not aware of this ever resolving any connectivity issues but I do that all the time to resolve other issues. (It’s so bad Netflix programmed their instances to do so for them.)
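The A-record and port checks suggested above, as an added example that is not part of the thread: it resolves the domain, compares the result with the public IP the EC2 console reports (read here from instance metadata), and probes 80 and 443 with a timeout so a dropped packet from the system firewall or Security Group shows up as a failure rather than a hang. The domain and addresses are constructed placeholders.

```shell
# Added example, not from the thread: the pre-checks a "could not connect to
# the client ... Timeout" validation failure calls for. Domain and addresses
# below are constructed placeholders.

DOMAIN="example.com"                                   # placeholder domain

# A records public DNS currently returns for the domain (IPv4 only).
resolve_a() {
    dig +short A "$1" 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# The public IPv4 shown in the EC2 control panel, read from instance
# metadata; only meaningful when run on the instance itself.
instance_public_ip() {
    curl -s --max-time 3 http://169.254.169.254/latest/meta-data/public-ipv4
}

# Pure comparison: is the expected address among the resolved ones?
# Usage: ip_matches "<expected ip>" "<newline-separated resolved ips>"
ip_matches() {
    expected=$1
    resolved=$2
    printf '%s\n' "$resolved" | grep -qxF "$expected"
}

# TCP reachability of one port, bounded by a 5 second timeout. A DROP rule
# in iptables or a missing Security Group rule surfaces as a timeout here,
# which is exactly what the CA saw.
port_open() {
    host=$1
    port=$2
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 5 "$host" "$port" >/dev/null 2>&1
    else
        timeout 5 bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
    fi
}

# Run every check for the domain and report; returns non-zero on any failure.
# Usage: check_domain <domain> <expected public ip>
check_domain() {
    domain=$1
    expected=$2
    status=0
    resolved=$(resolve_a "$domain")
    if ip_matches "$expected" "$resolved"; then
        echo "OK   A record for $domain -> $expected"
    else
        echo "FAIL A record for $domain resolves to [$resolved], expected $expected"
        status=1
    fi
    for port in 80 443; do
        if port_open "$expected" "$port"; then
            echo "OK   $expected:$port reachable"
        else
            echo "FAIL $expected:$port not reachable (check iptables and the Security Group)"
            status=1
        fi
    done
    return $status
}

# Example invocation on the instance (the expected IP could also be typed in
# from the EC2 console when running this from elsewhere):
#   check_domain "$DOMAIN" "$(instance_public_ip)"
```

Run the port checks from an outside network (the mobile-data test mentioned earlier) as well as from the instance, because the CA connects from outside; on CentOS 6 the local firewall side is visible with `sudo iptables -L INPUT -n --line-numbers`.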
I was just checking to be sure 443 was enabled and now have it in my vhosts, and reinstalled mod_ssl along the way. So, I can access the site poursafe.net now. When running the original script I still am getting the “FailedChallenges: Failed authorization procedure. poursafe.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout” error.
I’m now getting a ‘Server only speaks HTTP, not TLS’ error.
I checked my virtual hosts file and changed the 443 record to:
If it’s a rate limit about failed authorizations, you only have to wait for one hour (but you can also test with --staging in order to avoid this restriction).
Thanks Schoen. I added this to the app1.conf (my vhosts file) and everything works like a charm. So, it appears my problem is I wasn’t set up to receive LE from generating and saving a cert because it didn’t know my file system (where to put certs?) or it needs the localhost certs to verify before creating LE ones. (It’s all a blur, but hope this helps the next person.)
I think the way I would summarize it is that there should be either no HTTPS virtualhost, or an already working HTTPS virtualhost (whether via self-signed certificates, previous Let’s Encrypt certificates, or certificates from some other CA). The Certbot application is able to work under either condition. What doesn’t work is what we might call a partially filled in HTTPS virtualhost—Certbot is not able to detect this in order to “complete” it.
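The "already working HTTPS virtualhost" condition described above, as an added example that is not the poster's configuration or Certbot's own code: it shows the partially filled-in vhost shape Certbot cannot complete next to a complete one backed by a self-signed certificate, which is enough for the Apache plugin to take over. The domain, document root and certificate paths are assumed placeholders; on CentOS 6 the `Listen 443` directive is supplied by mod_ssl's ssl.conf, so the vhost does not repeat it.

```shell
# Added example, not from the thread: build the "already working HTTPS
# virtualhost" case by generating a self-signed certificate and writing a
# complete Apache 2.4 vhost for port 443. Domain and paths are assumed
# placeholders; CentOS 6 keeps certificates under /etc/pki/tls.

# The partially filled-in shape Certbot cannot complete: SSL is switched on
# but no certificate or key is named, so Apache has nothing to present.
partial_vhost() {
    cat <<'EOF'
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/example.com
    SSLEngine on
</VirtualHost>
EOF
}

# Self-signed certificate and key for the domain (2048-bit RSA, 1 year).
# Usage: make_selfsigned <domain> <cert path> <key path>
make_selfsigned() {
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=$1" -keyout "$3" -out "$2" >/dev/null 2>&1
}

# Complete vhost text for a domain, pointing at a cert and key that exist.
# Usage: https_vhost <domain> <docroot> <cert path> <key path>
https_vhost() {
    cat <<EOF
<VirtualHost *:443>
    ServerName $1
    DocumentRoot $2
    SSLEngine on
    SSLCertificateFile $3
    SSLCertificateKeyFile $4
    ErrorLog logs/$1-ssl_error_log
    CustomLog logs/$1-ssl_access_log combined
</VirtualHost>
EOF
}

# Write the vhost and verify it names every directive a working TLS vhost
# needs; returns non-zero if any is missing.
# Usage: write_https_vhost <domain> <docroot> <cert> <key> <output file>
write_https_vhost() {
    https_vhost "$1" "$2" "$3" "$4" > "$5"
    for directive in ServerName SSLEngine SSLCertificateFile SSLCertificateKeyFile; do
        grep -q "^[[:space:]]*$directive " "$5" || return 1
    done
}

# On the instance this would be followed by (paths assumed):
#   make_selfsigned example.com /etc/pki/tls/certs/example.com.crt /etc/pki/tls/private/example.com.key
#   write_https_vhost example.com /var/www/example.com \
#       /etc/pki/tls/certs/example.com.crt /etc/pki/tls/private/example.com.key \
#       /etc/httpd/conf.d/example.com-ssl.conf
#   sudo apachectl configtest && sudo service httpd reload
#   openssl s_client -connect example.com:443 -servername example.com </dev/null
```

The `openssl s_client` line at the end is the direct test for the "Server only speaks HTTP, not TLS" symptom: a self-signed certificate will be reported as untrusted, which is fine at this stage, but a handshake failure means the 443 vhost is still not serving TLS and Certbot will not be able to complete it.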