Running Certbot on CentOS 6.8 w/ Apache 2.4.23

PaulMorel · July 28, 2016, 1:26pm

Hi there,

I’m trying to run Certbot on a test domain before requesting certificates for my main domains and I’m hitting an error. I went through the instructions on https://certbot.eff.org/#centosrhel6-apache

Right now I’m on a dedicated server running CentOS 6.8 and Apache 2.4.23 trying to get a cert for kaboom.site

When I run ./certbot-auto --apache, I get these messages

/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Version: 1.1-20080819
Version: 1.1-20080819
/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py:496: DeprecationWarning: BaseException.message has been deprecated as of Python 2.6
  return e.message
The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError()

The current letsencrypt.log shows this:

2016-07-28 13:05:29,830:DEBUG:certbot.main:Root logging level set at 30
2016-07-28 13:05:29,830:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-07-28 13:05:29,831:DEBUG:certbot.main:certbot version: 0.8.1
2016-07-28 13:05:29,831:DEBUG:certbot.main:Arguments: ['--apache']
2016-07-28 13:05:29,831:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-07-28 13:05:29,865:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2016-07-28 13:05:29,929:DEBUG:certbot.plugins.disco:No installation (PluginEntryPoint#apache):
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/plugins/disco.py", line 105, in prepare
    self._initialized.prepare()
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot_apache/configurator.py", line 161, in prepare
    raise errors.NoInstallationError
NoInstallationError
2016-07-28 13:05:29,931:DEBUG:certbot.plugins.selection:No candidate plugin
2016-07-28 13:05:29,931:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None

From my understanding, Certbot doesn’t detect that Apache is actually installed, but is and everything is running smoothly. Here’s the output of httpd -v:

Server version: Apache/2.4.23 (Unix)
Server built:   Jul 25 2016 05:20:20
Cpanel::Easy::Apache v3.34.2 rev9999

I tried searching, but I can’t find a solution. Any ideas?

Thanks,
Paul

pfg · July 28, 2016, 1:54pm

Tried to reproduce this on a clean CentOS 6.8 installation and the apache plugin seems to work.

The only difference I noticed is that you’re running Apache/2.4.23, whereas I got Apache/2.2.15 via yum install httpd, so I suspect the problem is somehow related to that. Can you describe how you installed apache - is this from a third-party RPM repo, or did you compile it yourself? Happy to try reproducing with these steps again to see if I can figure something out.

PaulMorel · July 28, 2016, 2:01pm

If I recall correctly, Apache was installed via EasyApache3 on WHM. I think EasyApache compiles from source. I’m not exactly sure though.

If it matters, I have WHM 56.0.18.

PaulMorel · July 29, 2016, 12:46pm

Would it be advisable to only generate the certs via Certbot and manually add the configs via WHM?

I think this guide is what I’m looking for: https://certbot.eff.org/#centosrhel6-other

I noticed WHM has a “Install an SSL Certificate on a Domain” section where I can paste a Certificate, Private Key and Certificate Authority Bundle.

I think this might be the simplest way. Not sure how the Apache configs are affected though.

pfg · July 29, 2016, 2:12pm

Using one of the certonly plugins (like webroot) and performing the installation manually might indeed be the best option for a control panel. I’m not sure how the certbot-created config would interact with the control panel otherwise.

PaulMorel · July 29, 2016, 5:42pm

Got it to work like this. Certbot worked well with the webroot plugin, and I manually pasted the certs in the control panel.

When the certs are renewed, does the cert.pem file change? If so, I’ll have to repaste the certs in the control panel every 3 months, which isn’t ideal.

pfg · July 29, 2016, 5:56pm

Yep, cert.pem (and potentially chain.pem, though that’s only happened once during Let’s Encrypt’s lifetime and will be quite rare in the future as well) will change with each renewal. There might be scripts out there to automate the installation. I’m not sure if this is the same thing as cPanel, but I seem to recall seeing scripts for that. In addition to that, an official plugin for cPanel is being worked on and will be included with the next release, so you might not have to do this all that often before you get first-party support for Let’s Encrypt.

PaulMorel · July 29, 2016, 6:34pm

Ok good to know. I found this Perl script that seems to do exactly that using the cPanel/WHM API, and I’m trying to understand it before I use it.

The script seems to grab the cert.pem, privkey.pem and chain.pem and send it through the cPanel API. Essentially doing a copy & paste like I did, but via the API instead of manually.

I’m guessing this is a script I’ll have to run as a post-hook. Still trying to figure this out.

EDIT: If I had read the whole post, it already runs the script as post-hook. Nothing to figure out.

Thanks for all the help!

EDIT 2: I can confirm that the Perl script works with a little tweak. i.e. changing letsencrypt-auto for certbot-auto

BregnedalSystems · July 29, 2016, 7:04pm

Cpanel added the AutoSSL in 58 there use lets encrypt

system · August 28, 2016, 7:05pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.