Running Certbot on Windows - Phase 1


#1

Hi All

Thought I would share some of the adventures in getting certbot to work on windows.

Quick Summary - I am planning to use this article for Phase 1 of the project and use posts to talk about certain topics

Current Status

  • Tested OSs: Windows 8, Windows 10, Server 2008, Server 2012 R2
  • certonly manual and standalone working
  • renewals - this needs a bit more work, however certbot is parsing the renewal files
  • apache and nginx plugins - don't work because the augeas plugin is Debian-only
  • certificates are issued with no issues and the paths are the same as on Linux (/etc/)

Key points to cover in this article:

Post 1: Why bother?
Post 2: Pre-Reqs and Environment
Post 3: Installing certbot
Post 4: geteuid() issue and fix
Post 5: e.message() issue and fix (Python 3.6 only)
Post 6: Screenshots of success
Post 7: Windows Server 2012R2 - additional step
Post 8: Run As Administrator to Avoid Symlinks Issues
Post 9: Log.py update for Certbot 0.13.0


#2

Why Bother

Having followed the community for some time, one of the things I have noticed is that the Windows clients, while great, are not as advanced as their Linux counterparts.

Certbot is a fantastic client and having it running on Windows seems like a good idea.

Some of the pros:

A) Same syntax and the ability of the community to assist with issues
B) A large effort has gone into the certbot product and it is one of the more actively developed clients
C) Python is a good language that has good OS independence
D) The layout and plugin structure of certbot allows for further development in the future (Windows-specific plugins)
E) The coding of certbot is really good (I know there are lots of challenges in the forums, but from a coding point of view it's a solid piece of work)


#3

Pre-Reqs and Environment

I have made a small mistake here as I used Python 3.6 initially.

I ended up doing the following:

Installed Python 2.7 and Python 3.6 and created two virtual environments.

I will run through the Python 3.6 install build.

I prefer to install Python in a Python36 directory under the root folder (i.e. C:\).

Once done, run python and pip to confirm everything is working.

Install virtualenv:

pip install virtualenv

You can then run virtualenv to create the 2 virtual environments.

Below you can see I have Python 2.7 and 3.6 installed and a virtual environment for certbot on Python 2.7 and on 3.6.

If all works well you should be able to run the certbot command and get an error like the one below.


#4

Installing Certbot:

Run the command below and you should get something like the output below:

pip install certbot

Run the command below to confirm the right packages have been installed:

pip freeze


#5

After installing certbot, if you run certbot you should get an error like the one below.

A brief explanation of the error:

The os.geteuid() method returns the current effective user ID on Linux systems. This is a Unix-only method (review the documentation here: https://docs.python.org/3/library/os.html).

In order to work around this we need to replace this method with '0', where '0' is the root user.

Below is a screenshot of the code that is affected and of a find-and-replace method.

The files that you need to update are under the Python root, in Lib\site-packages\certbot.

For example, in my Python 3.6 environment (installed at C:\Python36).

The files you need to update are:

account.py 2x instances
cert_manager.py 2x instances
crypto_util.py 2x instances
main.py 3x instances


#6

e.message() fix for Python 3.6

When running certbot with Python 3.6 you get an error saying that the message attribute does not exist.

While this is not a critical error, it is one worth fixing so you can get useful error messages from certbot.

In main.py replace e.message with e.

Sensible error messages:
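
The two replacements described in posts #5 and #6, written as an added example that is not code from the thread or from certbot itself: effective_uid() falls back to 0 where os.geteuid() does not exist (the same substitution the post makes by hand), error_text() uses str(exc) in place of the Python 2-only .message attribute, and count_geteuid_calls()/find_geteuid_calls() count the os.geteuid() calls per file so the instance counts listed above can be located and verified. The function names are my own assumptions.

```python
import os
import re
from pathlib import Path

# Example code, not certbot's own; function names are assumptions.

def effective_uid():
    """os.geteuid() exists only on POSIX. Where it is missing (Windows),
    return 0, the root uid the post substitutes by hand."""
    geteuid = getattr(os, "geteuid", None)
    return geteuid() if geteuid is not None else 0

def error_text(exc):
    """Python 3 exceptions have no .message attribute; str(exc) gives the
    message on both Python 2 and 3 (the post swaps e.message for e)."""
    return str(exc)

GETEUID_CALL = re.compile(r"\bos\.geteuid\(\)")

def count_geteuid_calls(source):
    """Count os.geteuid() calls in a chunk of Python source text."""
    return len(GETEUID_CALL.findall(source))

def find_geteuid_calls(package_dir):
    """Map each .py file under package_dir to its os.geteuid() call count.
    Pointed at <python root>\\Lib\\site-packages\\certbot this reproduces
    the per-file instance counts listed in the post."""
    root = Path(package_dir)
    found = {}
    for path in root.rglob("*.py"):
        n = count_geteuid_calls(path.read_text(encoding="utf-8", errors="replace"))
        if n:
            found[path.relative_to(root).as_posix()] = n
    return found

# Constructed sample in the style of the code being patched, not real certbot source.
SAMPLE_SOURCE = (
    "if os.geteuid() == 0:\n"
    "    os.chown(path, os.geteuid(), os.getegid())\n"
)

if __name__ == "__main__":
    print(count_geteuid_calls(SAMPLE_SOURCE))  # 2 in the constructed sample
    print(effective_uid())
    print(error_text(ValueError("constructed error")))
```

Running find_geteuid_calls() against the site-packages certbot directory before and after editing shows which instances remain.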


#7


#8

Windows Server 2012 R2: Additional Steps

If you are using Windows Server 2012 R2 you need to download the trusted root certificate from DigiCert.

This is because it is not installed by default on Windows Server 2012 R2.

If this cert is not installed you will get errors when pip tries to download certain libraries that are available via HTTPS only.

More information:

Screenshot of the error:

Root certificate to download: DigiCert High Assurance EV Root CA

https://www.digicert.com/digicert-root-certificates.htm#roots

Install the cert:

Confirm the cert is in the right store:

Re-run the pip command:


#9

Run As Administrator to Avoid Symlinks Issues

If you run into symlink-related issues then run PowerShell as administrator. This will allow you to create the needed symlinks.

Symlinks in use:


#10

@cpu @bmw @jsha

What would be the next steps to getting Windows registered as a supported OS for certbot (like Ubuntu etc.)?

What are the hurdles?


#11

Wow. Nice work @ahaw021. This is great.

To officially support Windows, we'd need some auditing/testing of the code done to find the UNIX-specific code that causes issues like geteuid. We'd then need PR(s) fixing things in a way that works correctly on both Windows and UNIX. Ideally, we'd also want some sort of automated testing set up so we know things work reasonably well and to prevent regressions.

If we had Windows support, we’d also like to see support for IIS added, but this could come at a later time.


#12

I'm the developer of Certify, the GUI for Let's Encrypt certs with IIS on Windows (https://github.com/webprofusion/certify). I'd like to help out on this so I can optionally use certbot behind the scenes. If there is a current fork of certbot containing Windows-specific experiments let me know; if not, I'm happy to start one.


#13

Ideally I think we’d like to see code making Certbot Windows compatible merged into the official repo rather than a separate fork, especially if the necessary changes are as small as ahaw021 made them sound.


#14

Of course, I was wondering if the changes had been committed to an existing fork on github (to then be merged as a PR against the original). So not a real fork, just a work in progress branch.


#15

Hi @bmw

How would we go about this?

I logged the request below, but would I need to log an issue in GitHub as well?

Forgive my ignorance, but how do people usually make changes to certbot? I know there are beginner problems that people can help out with.

Also, would you/the certbot team potentially want to own the changes, or should I test these first and then upload them somewhere?

I don't code for the public much (i.e. post my code on GitHub etc.), so I'm hoping for some pointers on how to add the changes I think would make this work on Windows.

Andrei


#16

Small Update:

Certbot 0.13.0 has os.geteuid() in the log.py file, so this needs to be updated as well.


#17

@ahaw021, ideally you should open a pull request on the Certbot GitHub repo with the changes that you'd like to see. I'm not sure of your familiarity with git or GitHub, but if you need some help here there are plenty of good resources online. If you have trouble, let me know.

