Let's Encrypt installation on Amazon Linux -- configuration issues

My domain is: stdominicchapel.org

I ran this command: sudo /usr/local/bin/certbot-auto -i apache -a manual --preferred-challenges dns -d ssl.stdominicchapel.org

It produced this output: Cannot find an SSLCertificateFile directive in /files/etc/httpd/conf.d/wsgi-le-ssl.conf/IfModule/VirtualHost. VirtualHost was not modified

My web server is (include version): Python 3.6

The operating system my web server runs on is (include version): Amazon Linux 2.9.7 64 bit

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is: certbot 1.3.0


$ [ec2-user ~]$ apachectl -S
Yields:

VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server stdominicchapel.org (/etc/httpd/conf/httpd.conf:44)
         port 80 namevhost stdominicchapel.org (/etc/httpd/conf/httpd.conf:44)
                 alias www.stdominicchapel.org
         port 80 namevhost ip-172-31-26-125.us-east-2.compute.internal (/etc/httpd/conf.d/wsgi.conf:7)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex mpm-accept: using_defaults
Mutex cache-socache: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex lua-ivm-shm: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex default: dir="/var/run/httpd/" mechanism=default
PidFile: "/var/run/httpd/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48 not_used
Group: name="apache" id=48 not_used

You're using the apache installer for name: ssl.stdominicchapel.org
But there is no virtual host file for that name.

Since you are using DNS authentication, you really don’t need to use an installer.
You could just use certonly option.
Get the new cert.
Then do whatever you want with it.

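
The point of the reply above is that `certbot -i apache` can only edit a VirtualHost that already serves the requested name. The script below is an added illustration (not certbot's installer logic, whose Augeas-based parser is far more complete): it inventories `<VirtualHost>` blocks in a config string, reports whether any of them serves a given name, and flags TLS vhosts that have `SSLEngine on` but no `SSLCertificateFile`, which is the state behind the "Cannot find an SSLCertificateFile directive" message in the first post. The config text is constructed to mirror the `apachectl -S` listing above; the unnamed `*:443` block and its missing certificate are an assumption for the example.

```python
"""Inventory Apache VirtualHost blocks: which names are served, and do TLS
vhosts carry SSLCertificateFile?  Added illustration, not certbot's parser."""
import re
from typing import Dict, List

# Constructed sample modelled on the apachectl -S listing in the thread: the
# site vhost, the mod_wsgi vhost bound to the EC2 internal hostname, and a
# TLS vhost that was switched on but never given a certificate (assumed).
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName stdominicchapel.org
    ServerAlias www.stdominicchapel.org
    DocumentRoot /var/www/html
</VirtualHost>

<VirtualHost *:80>
    ServerName ip-172-31-26-125.us-east-2.compute.internal
    WSGIScriptAlias / /var/www/wsgi_scripts/app.wsgi
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName stdominicchapel.org
    ServerAlias www.stdominicchapel.org
    SSLEngine on
</VirtualHost>
</IfModule>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(
    r"^\s*(ServerName|ServerAlias|SSLEngine|SSLCertificateFile|SSLCertificateKeyFile)"
    r"\s+(.+?)\s*$",
    re.M | re.I,
)


def _hostname(value: str) -> str:
    """ServerName may carry a scheme and port (https://host:443); keep only the host."""
    return value.split("://")[-1].split(":")[0].lower()


def parse_vhosts(conf: str) -> List[Dict]:
    """One record per <VirtualHost>: bind address, served names, TLS directives."""
    vhosts = []
    for block in VHOST_RE.finditer(conf):
        entry = {"addr": block.group(1).strip(), "names": [],
                 "ssl_engine": False, "cert": None, "key": None}
        for d in DIRECTIVE_RE.finditer(block.group(2)):
            key, value = d.group(1).lower(), d.group(2)
            if key == "servername":
                entry["names"].append(_hostname(value))
            elif key == "serveralias":
                entry["names"].extend(v.lower() for v in value.split())
            elif key == "sslengine":
                entry["ssl_engine"] = value.strip().lower() == "on"
            elif key == "sslcertificatefile":
                entry["cert"] = value
            elif key == "sslcertificatekeyfile":
                entry["key"] = value
        vhosts.append(entry)
    return vhosts


def vhosts_serving(vhosts: List[Dict], name: str) -> List[Dict]:
    """Vhosts whose ServerName/ServerAlias list contains `name` exactly
    (wildcard aliases such as *.example.org are deliberately not expanded)."""
    name = name.lower()
    return [v for v in vhosts if name in v["names"]]


def tls_vhosts_missing_cert(vhosts: List[Dict]) -> List[Dict]:
    """TLS-enabled vhosts with no SSLCertificateFile: the condition behind
    certbot's 'Cannot find an SSLCertificateFile directive' message."""
    return [v for v in vhosts if v["ssl_engine"] and not v["cert"]]


def report(conf: str, requested_name: str) -> List[str]:
    """Findings a practitioner would check before `certbot -i apache -d <name>`."""
    vhosts = parse_vhosts(conf)
    findings = []
    if not vhosts_serving(vhosts, requested_name):
        findings.append(f"no VirtualHost serves {requested_name}; the apache installer "
                        "has nothing to edit (use certonly, or add a vhost for the name)")
    for v in tls_vhosts_missing_cert(vhosts):
        findings.append(f"VirtualHost {v['addr']} ({', '.join(v['names'])}) has "
                        "SSLEngine on but no SSLCertificateFile")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_CONF, "ssl.stdominicchapel.org"):
        print(line)
```

Run it against the real file (`parse_vhosts(open("/etc/httpd/conf.d/wsgi-le-ssl.conf").read())`) to see the same two findings certbot is reacting to: the requested name has no vhost, and the half-configured TLS vhost has no certificate to point at.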
Thank you for your reply.

I have made many changes in the past day or so and I am still stuck trying to install the certificates.

I have found many, many guides for using Let’s Encrypt on AWS Elastic Beanstalk, but no process that I have tried works. Is there an up-to-date guide out there that can be used for installing on Amazon Linux 2 for a website running on Apache?

I am currently trying the scripts that can be found here. None of them have worked as of yet.

You can bypass the web server type altogether with the --webroot option.
If you know where the authentication files can be found, you can get a cert no matter which web server is used.

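
What `--webroot` relies on is simple: a file certbot writes under `<webroot>/.well-known/acme-challenge/<token>` must be served back unchanged at `http://<domain>/.well-known/acme-challenge/<token>`. The following is an added self-test of that round trip (not certbot code, and not part of the thread); it uses Python's own `http.server` on 127.0.0.1 as a stand-in for Apache or Nginx, so it runs offline and needs Python 3.7 or later. The three scenarios are constructed: the webroot matches the served directory, the webroot is a directory the server does not publish (the `/etc/opt` mistake later in this thread), and a catch-all front controller answers every path with the site's HTML page.

```python
"""Local round-trip of what certbot --webroot depends on.  Added illustration;
the bundled HTTP server stands in for Apache/Nginx and binds 127.0.0.1 only."""
import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from contextlib import contextmanager

CHALLENGE_PATH = ".well-known/acme-challenge"


class QuietFileHandler(http.server.SimpleHTTPRequestHandler):
    """Serves files from a directory, like a plain DocumentRoot; no access log."""
    def log_message(self, *args):
        pass


class SiteFallbackHandler(http.server.BaseHTTPRequestHandler):
    """Answers every path with the site's HTML page, as a catch-all front
    controller does; reproduces the 'Invalid response ... <html' symptom."""
    PAGE = b'<!DOCTYPE html><html lang="en-US" class="no-js"><head><meta charset="UTF-8"></head><body>site</body></html>'

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(self.PAGE)))
        self.end_headers()
        self.wfile.write(self.PAGE)

    def log_message(self, *args):
        pass


@contextmanager
def serve(docroot: str, catch_all: bool = False):
    """Run a throwaway HTTP server on an ephemeral localhost port; yields the port."""
    handler = SiteFallbackHandler if catch_all else functools.partial(QuietFileHandler, directory=docroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        yield srv.server_address[1]
    finally:
        srv.shutdown()
        srv.server_close()


def place_token(webroot: str, token: str, key_authorization: str) -> str:
    """Write the challenge file exactly where certbot --webroot would."""
    directory = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization)
    return path


def fetch(port: int, token: str, timeout: float = 5.0):
    """GET the challenge URL the way a validator would; returns (status, body)."""
    url = f"http://127.0.0.1:{port}/{CHALLENGE_PATH}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def diagnose(status: int, body: str, expected: str) -> str:
    """Map the response to the usual causes of an http-01 failure."""
    if status == 200 and body == expected:
        return "ok"
    if status == 404:
        return "not-found: the webroot given to certbot is not the directory the server publishes"
    if "<html" in body.lower():
        return "html-page: a rewrite or front controller answered instead of the token file"
    return f"unexpected: HTTP {status}"


def webroot_self_test(docroot: str, webroot: str, catch_all: bool = False) -> str:
    """Place a token under `webroot`, serve `docroot`, and report what came back."""
    token = secrets.token_urlsafe(32)
    key_authorization = f"{token}.constructed-account-thumbprint"  # constructed value
    place_token(webroot, token, key_authorization)
    with serve(docroot, catch_all) as port:
        status, body = fetch(port, token)
    return diagnose(status, body, key_authorization)


def run_scenarios() -> dict:
    """Matching webroot, wrong webroot (the /etc/opt mistake), catch-all site."""
    with tempfile.TemporaryDirectory() as docroot, tempfile.TemporaryDirectory() as elsewhere:
        return {
            "matching_webroot": webroot_self_test(docroot, docroot),
            "wrong_webroot": webroot_self_test(docroot, elsewhere),
            "catch_all_site": webroot_self_test(docroot, docroot, catch_all=True),
        }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

Against a real server the same check is `place_token(<DocumentRoot>, ...)` followed by a fetch of the public URL; if the answer is a 404 or a site page rather than the file's contents, `certbot --webroot -w <that directory>` will fail exactly as shown later in this thread, whatever the web server.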
As I am using Amazon Linux 2, should I follow Certbot installation instructions for CentOS/RHEL 7?

You can search this forum for other similar topics…
But I would go with certbot-auto (instead of certbot in your case).

AmazonLinux has some unresolved issues with certbot. You might also want to consider another acme client (like acme.sh, uacme, or others).

I am also facing issues:

My domain is: guptapustakalaya.com [provided by google]

I ran this command: certbot certonly --webroot -d guptapustakalaya.com -d www.guptapustakalaya.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for guptapustakalaya.com
http-01 challenge for www.guptapustakalaya.com
Input the webroot for guptapustakalaya.com: (Enter ‘c’ to cancel): /etc/opt

Select the webroot for www.guptapustakalaya.com:


1: Enter a new webroot
2: /etc/opt


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. guptapustakalaya.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://guptapustakalaya.com/.well-known/acme-challenge/e7iK23X1FRfizBymqL0HvyIbTUHRUfozoLIjeciGN7c [3.7.79.22]: "\n<html lang=“en-US” class=“no-js”>\n\n\t<meta charset=“UTF-8”>\n\t<meta name=“viewport” content=“width=device-wi”, www.guptapustakalaya.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.guptapustakalaya.com/.well-known/acme-challenge/oW2DNtRK3IMO0xb7Uz-O25q-qsl8-E49i7EWgkAwT1s [3.7.79.22]: "\n<html lang=“en-US” class=“no-js”>\n\n\t<meta charset=“UTF-8”>\n\t<meta name=“viewport” content=“width=device-wi”

IMPORTANT NOTES:

My web server is (include version): Ubuntu 16.04

The operating system my web server runs on is (include version): Linux/Unix

My hosting provider, if applicable, is: Amazon Web Service

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

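
The failure line in the post above is dense but carries everything needed for triage: per domain, the challenge type, the ACME error URN, the URL the validator fetched, the IP it connected to, and the first bytes of what came back (here an HTML page rather than the key authorization, which points at a webroot that is not the directory Apache serves). As an added illustration (not certbot code), the parser below splits that line into one record per domain, classifies the cause, and checks the validated IP against the A record the poster published. The sample is constructed from the output quoted above with certbot's `\"` escaping of the response body restored, since the forum rendered those as curly quotes.

```python
"""Parse certbot's 'Failed authorization procedure' line into one record per
domain and classify the cause.  Added illustration, not certbot code."""
import re
from typing import Dict, List

# Constructed from the output quoted in the thread; certbot's own escaping of
# the response body (\n, \t, \") is restored.
SAMPLE_OUTPUT = (
    'Failed authorization procedure. guptapustakalaya.com (http-01): '
    'urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient '
    'authorization :: Invalid response from '
    'http://guptapustakalaya.com/.well-known/acme-challenge/e7iK23X1FRfizBymqL0HvyIbTUHRUfozoLIjeciGN7c '
    '[3.7.79.22]: "\\n<html lang=\\"en-US\\" class=\\"no-js\\">\\n\\n\\t<meta charset=\\"UTF-8\\">", '
    'www.guptapustakalaya.com (http-01): urn:ietf:params:acme:error:unauthorized :: '
    'The client lacks sufficient authorization :: Invalid response from '
    'http://www.guptapustakalaya.com/.well-known/acme-challenge/oW2DNtRK3IMO0xb7Uz-O25q-qsl8-E49i7EWgkAwT1s '
    '[3.7.79.22]: "\\n<html lang=\\"en-US\\" class=\\"no-js\\">"'
)

# One failure entry: "<domain> (<challenge>): <urn> :: <detail>", entries joined by ", ".
ENTRY_RE = re.compile(
    r"(?P<domain>[A-Za-z0-9.\-*]+) \((?P<challenge>[a-z0-9\-]+)\): "
    r"(?P<urn>urn:ietf:params:acme:error:[A-Za-z]+) :: (?P<detail>.*?)"
    r"(?=, [A-Za-z0-9.\-*]+ \([a-z0-9\-]+\): urn:|$)",
    re.S,
)
RESPONSE_RE = re.compile(r"Invalid response from (?P<url>\S+) \[(?P<ip>[^\]]+)\]: (?P<body>.*)", re.S)


def parse_failures(text: str) -> List[Dict]:
    """Split the failure line into per-domain records."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        entry = {"domain": m["domain"], "challenge": m["challenge"],
                 "error": m["urn"].rsplit(":", 1)[-1], "detail": m["detail"],
                 "url": None, "ip": None, "body": None}
        r = RESPONSE_RE.search(m["detail"])
        if r:
            entry.update(url=r["url"], ip=r["ip"], body=r["body"].strip())
        entries.append(entry)
    return entries


def classify(entry: Dict) -> str:
    """Map error type plus response shape to the usual root cause."""
    body = (entry["body"] or "").strip('"').strip()
    if entry["error"] == "dns":
        return "dns"              # name does not resolve from the CA's resolvers
    if entry["error"] == "connection":
        return "connection"       # port 80 unreachable: security group, firewall, nothing listening
    if entry["error"] == "unauthorized":
        if "<html" in body.lower():
            return "webroot-mismatch"   # a site page came back instead of the token file
        if body.startswith("404"):
            return "not-served"         # path under the webroot is not published at all
        return "unauthorized-other"
    return "other"


def validated_ip_mismatches(entries: List[Dict], expected_ip: str) -> List[str]:
    """Domains whose validation hit an address other than the one you published."""
    return [e["domain"] for e in entries if e["ip"] and e["ip"] != expected_ip]


def triage(text: str, expected_ip: str) -> List[str]:
    """One human-readable line per failed domain."""
    entries = parse_failures(text)
    lines = [f"{e['domain']} ({e['challenge']}): {classify(e)} via {e['ip']}" for e in entries]
    for domain in validated_ip_mismatches(entries, expected_ip):
        lines.append(f"{domain}: validator reached a different IP than {expected_ip}")
    return lines


if __name__ == "__main__":
    for line in triage(SAMPLE_OUTPUT, "3.7.79.22"):
        print(line)
```

For the post above this yields `webroot-mismatch` for both names with the validator reaching 3.7.79.22, so DNS is not the problem; the webroot handed to certbot (`/etc/opt`) is simply not the directory the web server on that instance serves.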
@9peppe Thank you for your suggestion. I am trying out acmesh and will post the results here when I get them.

@myedupoint are you using Route 53 to manage your domain?

No, I am not using Route 53. What I did was:

  1. I created an instance through the AWS Marketplace and associated an Elastic IP to it.
  2. I used this Elastic IP in Google at https://domains.google.com/m/registrar/guptapustakalaya.com/dns
  3. Host record:
     |Host name|IPv4 address|IPv6 address|
     | — | — | — |
     |guptapustakalaya.com|3.7.79.22||
  4. Subdomain
     www.guptapustakalaya.com → 3.7.79.22
     Permanent redirect (301), Do not forward path, Enable SSL
     |Name|Type|TTL|Data|
     | — | — | — | — |
     |www|A|1h|3.7.79.22|
  5. Custom resource records
     |Name|Type|TTL|Data|
     | — | — | — | — |
     |@|A|1m|3.7.79.22|
     |@|TXT|1m|"_acme-challenge.guptapustakalaya.com"|

Am I missing here something?

@myedupoint I am now trying acme.sh and receiving the same error that you reported in your first post. I am no pro, but I think that it is related to directory/file permissions in Apache (which I am using).

Hi corei8,
did you get a solution?

Regards,
myedupoint

Hey @myedupoint,

Sorry for the late reply. I am out of state currently.

I did find out that getting LetsEncrypt on Elastic Beanstalk (running Amazon Linux 2) is either impossible or out of my pay rate. I switched to Lightsail. I did not get the error that you had been getting.

I have the certs installed on Ubuntu 18.04. I am using Apache. The issue that I am having is that my connection is not timing out every time I try to access my site. Here is my site.conf file:

# Listen 80

LoadModule wsgi_module /usr/lib/apache2/modules/mod_wsgi.so

User ******

Group www-data

WSGIScriptAlias / /var/www/wsgi_scripts/sdchapelorg.wsgi
WSGIDaemonProcess stdominicchapel python-home=/var/www/sdchapel.org/env python-path=/var/www/sdchapel.org/app threads=5
WSGIRestrictEmbedded On
WSGIProcessGroup stdominicchapel
WSGIApplicationGroup %{GLOBAL}

<VirtualHost *:80>

    ServerAdmin user@email.com

    ServerName stdominicchapel.org
    ServerAlias www.stdominicchapel.org

    ErrorLog /var/www/stdominicchapel.org/logs/error.log
    CustomLog /var/www/stdominicchapel.org/logs/access.log combined

    Alias /static/ /var/www/sdchapel.org/app/static/

    RewriteEngine On
    RewriteCond %{SERVER_NAME} =www.stdominicchapel.org [OR]
    RewriteCond %{SERVER_NAME} =stdominicchapel.org
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]

    #WSGIScriptAlias / /var/www/wsgi_scripts/sdchapelorg.wsgi
    #WSGIDaemonProcess stdominicchapel python-home=/var/www/sdchapel.org/env python-path=/var/www/sdchapel.org/app threads=5
    #WSGIRestrictEmbedded On
    #WSGIProcessGroup stdominicchapel
    #WSGIApplicationGroup %{GLOBAL}

    <Directory /var/www/wsgi_scripts>
        Require all granted
    </Directory>

    <Directory /var/www/sdchapel.org>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    ServerAdmin user@email.com

    ServerName stdominicchapel.org
    ServerAlias www.stdominicchapel.org

    ErrorLog /var/www/stdominicchapel.org/logs/error.log
    CustomLog /var/www/stdominicchapel.org/logs/access.log combined

    Alias /static/ /var/www/sdchapel.org/app/static/

    <Directory /var/www/wsgi_scripts>
        Require all granted
    </Directory>

    <Directory /var/www/sdchapel.org>
        Require all granted
    </Directory>

    SSLCertificateFile /etc/letsencrypt/live/stdominicchapel.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/stdominicchapel.org/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    # enable HTTP/2, if available
    Protocols h2 http/1.1
    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
    # Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

# intermediate configuration
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

#SSLUseStapling On
#SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
