I ran this command: sudo ./certbot-auto renew --debug
My web server is (include version): Apache 2.4
The operating system my web server runs on is (include version): Amazon Linux
My hosting provider, if applicable, is: AWS
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
Hi–am running a production webserver with certbot-auto installed, getting ready to renew this week. The website was migrated to this server a few months ago, and the current cert was brought over in the migration intact (didn’t run certbot, in other words, just moved the files).
Am wondering if I can just run “sudo certbot-auto renew --debug” and expect it to work right. Can I do a dry run first and check?
I tried the dry run renew tonight, please tell me what my server is trying to say here. It can’t find a module somewhere? How do I fix this?
[ec2-user@ip-172-31-10-63 ~]$ ./certbot-auto renew --dry-run
Requesting to rerun ./certbot-auto with root privileges...
Upgrading certbot-auto 0.22.0 to 0.23.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 10, in <module>
    import josepy as jose
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 41, in <module>
    from josepy.interfaces import JSONDeSerializable
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 8, in <module>
    from josepy import errors, util
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 4, in <module>
    import OpenSSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/rand.py", line 12, in <module>
    from OpenSSL._util import (
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
ImportError: No module named cryptography.hazmat.bindings.openssl.binding
There are some binaries in /opt/eff.org/certbot that probably don’t like being moved to a different server. You can safely rm -rf /opt/eff.org/certbot and then rerun certbot-auto and it will recreate this directory for you.
Well, the outcome wasn’t what I expected. First I ran: sudo rm -rf /opt/eff.org/certbot
Then I ran: sudo ./certbot-auto renew --dry-run
and the server said this:
FATAL: Amazon Linux support is very experimental at present...
if you would like to work on improving it, please ensure you have backups
and then run this script again with the --debug flag!
Alternatively, you can install OS dependencies yourself and run this script
again with --no-bootstrap.
What do you suggest? This is a production server so I don’t want to cause any issues. The certificate expires on Saturday, I was hoping to renew it tonight but am unsure of the best way to proceed.
Well, I tried just reissuing the cert by running certbot and it failed. Here’s what I got in response:
[ec2-user@ip-172-31-10-63 ~]$ sudo ./certbot-auto --debug
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: swansislandcompany.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for swansislandcompany.com
Waiting for verification...
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1266, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1031, in run
    certname, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 118, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 374, in obtain_and_enroll_certificate
    self.config)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/storage.py", line 1014, in new_lineage
    "archive directory exists for " + lineagename)
CertStorageError: archive directory exists for swansislandcompany.com
Please see the logfiles in /var/log/letsencrypt for more details.
Thanks for your suggestions. I finally solved this by removing the entire /etc/letsencrypt directory and then running certbot-auto. It took two tries, but the second time was the charm and I have a new 90-day cert. This time it might actually renew correctly, too! Is it as simple as setting up your server to automatically run certbot-auto renew on a regular basis?
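A pre-flight check for a certificate directory that was copied between servers, as in this thread. This is an added example, not code from the thread or from certbot. It assumes certbot's standard layout (renewal/<name>.conf, live/<name>/*.pem symlinks pointing into archive/<name>/); the function name check_lineage is hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check one certbot lineage after /etc/letsencrypt has
# been copied to another server. check_lineage is a hypothetical helper name,
# not a certbot command. Layout assumed: renewal/, live/, archive/.
#
# Usage: check_lineage <config-dir> <lineage-name>
# Prints one line per problem; returns 0 if consistent, 1 otherwise.
check_lineage() {
    dir=$1
    name=$2
    bad=0

    # Without renewal/<name>.conf, "renew" has no record of this lineage.
    if [ ! -f "$dir/renewal/$name.conf" ]; then
        echo "missing renewal config: renewal/$name.conf"
        bad=1
        # A leftover archive directory then blocks issuing a fresh lineage
        # under the same name ("archive directory exists for <name>").
        if [ -d "$dir/archive/$name" ]; then
            echo "orphaned archive directory: archive/$name"
        fi
    fi

    for item in cert privkey chain fullchain; do
        link="$dir/live/$name/$item.pem"
        if [ ! -L "$link" ]; then
            # Copy tools that follow symlinks leave plain files here.
            echo "not a symlink: live/$name/$item.pem"
            bad=1
        elif [ ! -e "$link" ]; then
            echo "dangling symlink: live/$name/$item.pem"
            bad=1
        else
            # Expected target form: ../../archive/<name>/<item>N.pem
            case $(readlink "$link") in
                */archive/"$name"/"$item"[0-9]*.pem) ;;
                *) echo "unexpected target: live/$name/$item.pem"
                   bad=1 ;;
            esac
        fi
    done
    return "$bad"
}
```

Run it as root against /etc/letsencrypt with the lineage name before the first `renew --dry-run` on the new server; a non-zero return means the copied tree should be repaired first.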