New certificate for aws ec2


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: feed.hamptons-international.com

I ran this command: sudo ./certbot-auto certonly --cloudflare-dns --email nick.weavers@supadu.com -d feed.hamptons-international.com

It produced this output: certbot: error: unrecognized arguments: --cloudflare-dns

My web server is (include version): Apache 2.2.34

The operating system my web server runs on is (include version): Linux ip-172-31-34-158 4.14.77-69.57.amzn1.x86_64 #1 SMP Tue Nov 6 21:32:55 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): no, but have sudo

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I am running AWS beanstalk with a single ec2 instance. AWS’ Certificate Manager doesn’t handle this use case. If my ec2 fails for any reason, there is a lot of stuff that gets set up during deployment, and I wanted to include an unattended certbot installation. I ended up installing certbot-auto because the EPEL packages didn’t contain it.

What I would like to do is, if the ec2 instance gets terminated for any reason and a new one is spawned, it should get a new certificate and then run a cron job every 12 hours to try and renew it.
My DNS records are held by CloudFlare and I can create a TXT record for DNS authentication, but I can’t seem to make that work. I want this to run unattended in the “boot script”, so how would I specify the key/value to certbot to be compared against the TXT record automatically for unattended validation?

Thanks for any help that can be given.


#2

Did you mean to use ‘--dns-cloudflare’?

In addition, do you have the cloudflare dns plugin installed? If you’re using Amazon Linux, you’ll have to do extra work to get the DNS plugins installed. They aren’t included in Amazon Linux’s repos.

david


#3

Hi David, I did indeed. Thanks for pointing that one out.

Can you point me at any good information on installing the DNS plugins on Amazon Linux? I did a Google search, but it didn’t come up with much that was closely related.

Nick


#4

You could check out a copy of the github repository and install from there, but other than that I really can’t give advice in that respect.

I use Amazon Route53 for DNS on the only domain I use wildcards with … I used https://github.com/jed/certbot-route53 to create a script that did the DNS updates.


#5

Here’s a process I have found to work as far as installing certbot and the dns-cloudflare plugin on my AWS ec2 running Amazon Linux, but although the plugin installation seems to have worked, when I do a “sudo ./certbot-auto plugins” dns-cloudflare is not listed.

$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
$ sudo ./certbot-auto --debug --install-only

$ cd /opt/eff.org/certbot/venv
$ source bin/activate
$ sudo pip install certbot-dns-cloudflare
Collecting certbot-dns-cloudflare
  Downloading https://files.pythonhosted.org/packages/1b/e0/0edc86f09e7a563a8753dd1fc55481fe5cae22c5c1f2142aa0f8337cce93/certbot_dns_cloudflare-0.29.1-py2.py3-none-any.whl
...

Installing collected packages: funcsigs, pbr, six, mock, zope.interface, chardet, idna, certifi, urllib3, asn1crypto, enum34, pycparser, cffi, ipaddress, cryptography, PyOpenSSL, requests, requests-toolbelt, pytz, pyrfc3339, josepy, acme, future, parsedatetime, ConfigArgParse, zope.hookable, zope.proxy, zope.deferredimport, zope.deprecation, zope.event, zope.component, certbot, jsonlines, cloudflare, certbot-dns-cloudflare
Found existing installation: six 1.8.0
  Uninstalling six-1.8.0:
    Successfully uninstalled six-1.8.0
Found existing installation: chardet 2.0.1
DEPRECATION: Uninstalling a distutils installed project (chardet) has been deprecated and will be removed in a future version. This is due to the fact that uninstalling a distutils project will only partially uninstall the project.
  Uninstalling chardet-2.0.1:
    Successfully uninstalled chardet-2.0.1
Found existing installation: urllib3 1.8.2
  Uninstalling urllib3-1.8.2:
    Successfully uninstalled urllib3-1.8.2
Running setup.py install for pycparser ... done
Found existing installation: requests 1.2.3
  Uninstalling requests-1.2.3:
    Successfully uninstalled requests-1.2.3
Running setup.py install for future ... done
Running setup.py install for ConfigArgParse ... done
Running setup.py install for zope.hookable ... done
Running setup.py install for zope.proxy ... done
Running setup.py install for cloudflare ... done
Successfully installed ConfigArgParse-0.13.0 PyOpenSSL-18.0.0 acme-0.29.1 asn1crypto-0.24.0 certbot-0.29.1 certbot-dns-cloudflare-0.29.1 certifi-2018.11.29 cffi-1.11.5 chardet-3.0.4 cloudflare-2.1.0 cryptography-2.4.2 enum34-1.1.6 funcsigs-1.0.2 future-0.17.1 idna-2.8 ipaddress-1.0.22 josepy-1.1.0 jsonlines-1.2.0 mock-2.0.0 parsedatetime-2.4 pbr-5.1.1 pycparser-2.19 pyrfc3339-1.1 pytz-2018.7 requests-2.21.0 requests-toolbelt-0.8.0 six-1.12.0 urllib3-1.24.1 zope.component-4.5 zope.deferredimport-4.3 zope.deprecation-4.4.0 zope.event-4.4 zope.hookable-4.2.0 zope.interface-4.6.0 zope.proxy-4.3.1
You are using pip version 9.0.3, however version 18.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

$ deactivate
$ cd ~
$ sudo ./certbot-auto plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT

* nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I don’t see any glaring issues reported but the final section of the plugin install says:

Successfully installed ConfigArgParse-0.13.0 PyOpenSSL-18.0.0 acme-0.29.1 asn1crypto-0.24.0 certbot-0.29.1 certbot-dns-cloudflare-0.29.1 certifi-2018.11.29 cffi-1.11.5 chardet-3.0.4 cloudflare-2.1.0 cryptography-2.4.2 enum34-1.1.6 funcsigs-1.0.2 future-0.17.1 idna-2.8 ipaddress-1.0.22 josepy-1.1.0 jsonlines-1.2.0 mock-2.0.0 parsedatetime-2.4 pbr-5.1.1 pycparser-2.19 pyrfc3339-1.1 pytz-2018.7 requests-2.21.0 requests-toolbelt-0.8.0 six-1.12.0 urllib3-1.24.1 zope.component-4.5 zope.deferredimport-4.3 zope.deprecation-4.4.0 zope.event-4.4 zope.hookable-4.2.0 zope.interface-4.6.0 zope.proxy-4.3.1

and there is no mention of cloudflare in that list despite the message
“Running setup.py install for cloudflare … done”
just prior to it.

Can anyone help?
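The following is an added example, not code from this thread or from the certbot project, covering both the unattended-bootstrap question in #1 and the plugin install in #5. One detail in the #5 transcript is worth noticing first: after "source bin/activate", "sudo pip" does not run the venv's pip, because sudo resets PATH, and the output confirms it by uninstalling old system versions of six, chardet, urllib3 and requests (the venv from "certbot-auto --install-only" would already have newer ones). The plugin therefore went into the system Python, where "certbot-auto plugins" never looks. The script below calls the venv's own pip by path instead, pins the plugin to the installed certbot version, writes the Cloudflare credentials file (the global API key is a zone-wide secret, so the file is created with mode 0600 as certbot expects), obtains the certificate with DNS-01 validation, and installs the 12-hourly renewal cron job. The venv path is the one from the thread; the CF_EMAIL / CF_API_KEY / CERTBOT_EMAIL / CERTBOT_DOMAIN environment variables, the credentials-file path, the cron.d file name and the Apache reload hook are assumptions for the example. It is written to run as root from the instance boot script.

```shell
#!/bin/sh
# Added example, not code from the thread: unattended bootstrap for certbot-auto with the
# dns-cloudflare plugin on Amazon Linux, run as root from an instance boot script.
# Assumed (not from the thread): the CF_EMAIL / CF_API_KEY / CERTBOT_EMAIL / CERTBOT_DOMAIN
# variables, the credentials-file path, the cron.d file name and the Apache reload hook.
set -eu

VENV="${CERTBOT_VENV:-/opt/eff.org/certbot/venv}"          # where "certbot-auto --install-only" put certbot
CREDS="${CF_CREDS_FILE:-/etc/letsencrypt/cloudflare.ini}"  # assumed location for the API credentials

# Install the plugin with the venv's own pip, pinned to the installed certbot version so pip
# does not pull a different certbot into the venv. "sudo pip" after "source bin/activate"
# resolves to the system pip (sudo resets PATH), which is why the plugin never shows up in
# "certbot-auto plugins".
install_plugin() {
  certbot_version="$("$VENV/bin/certbot" --version 2>&1 | awk '{print $2}')"
  "$VENV/bin/pip" install "certbot-dns-cloudflare==$certbot_version"
}

# True when certbot's own plugin listing includes dns-cloudflare.
plugin_installed() {
  listing="$("$VENV/bin/certbot" plugins 2>/dev/null)" || return 1
  printf '%s\n' "$listing" | grep -q '^\* dns-cloudflare$'
}

# Write the credentials file certbot reads for --dns-cloudflare-credentials. The API key is a
# zone-wide secret, so the file is created under a restrictive umask and forced to mode 0600.
write_credentials() {
  path="$1"; email="$2"; key="$3"
  mkdir -p "$(dirname "$path")"
  ( umask 077; printf 'dns_cloudflare_email = %s\ndns_cloudflare_api_key = %s\n' "$email" "$key" > "$path" )
  chmod 0600 "$path"
}

# Octal mode of a file (GNU stat), used to verify the credentials file before certbot runs.
file_mode() { stat -c '%a' "$1"; }

# Request the certificate; certbot creates and removes the _acme-challenge TXT record itself,
# so no key/value has to be passed by hand.
obtain_cert() {
  "$VENV/bin/certbot" certonly --non-interactive --agree-tos --email "$1" \
    --dns-cloudflare --dns-cloudflare-credentials "$CREDS" \
    --dns-cloudflare-propagation-seconds 30 -d "$2"
}

# Renewal attempt every 12 hours; certbot only renews when the certificate is near expiry.
install_renew_cron() {
  cron_file="${1:-/etc/cron.d/certbot-renew}"
  printf '0 */12 * * * root %s/bin/certbot renew --quiet --deploy-hook "service httpd graceful"\n' \
    "$VENV" > "$cron_file"
  chmod 0644 "$cron_file"
}

main() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root (boot scripts are)" >&2; exit 1; }
  plugin_installed || install_plugin
  plugin_installed || { echo "dns-cloudflare still not visible to certbot" >&2; exit 1; }
  write_credentials "$CREDS" "${CF_EMAIL:?}" "${CF_API_KEY:?}"
  [ "$(file_mode "$CREDS")" = "600" ] || exit 1
  obtain_cert "${CERTBOT_EMAIL:?}" "${CERTBOT_DOMAIN:?}"
  install_renew_cron
}

# Only run the bootstrap when invoked with --run, so the functions can be sourced on their own.
if [ "${1-}" = "--run" ]; then main; fi
```

Invoke it as "sh bootstrap.sh --run" from the boot script with the four variables set. Calling the venv's certbot directly also sidesteps certbot-auto's self-upgrade, which would otherwise reinstall certbot on every run and could leave the plugin at a mismatched version.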


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.