With Certbot, securing websites with SSL certificates is no longer a daunting task.

Certbot is a free, open-source software tool, and enabling Let’s Encrypt certificates for websites takes only a few clicks. To automate SSL creation, we need to install Certbot on Amazon Linux EC2 instances.

However, problems with Certbot caused by an outdated Virtualenv version or faulty files are something we fix regularly as part of our Server Management Services.

In this write-up, we’ll see how our Support Engineers install Certbot and fix related errors in AWS.


How we install Certbot on Amazon Linux 2

Let’s check on how we install Certbot on Amazon Linux servers.

By default, Amazon EC2 instances deny all inbound traffic to the server, including traffic to the secure HTTPS port 443. Therefore, we make sure to open ports 80 (HTTP) and 443 (HTTPS) on the server before starting the Let’s Encrypt SSL installation. For this, our Cloud Experts modify the security group allotted to the instance as shown:

Further, the steps to install Certbot vary depending on the web server in use. For example, the commands differ for Apache and Nginx. Let’s check how our Support Engineers use the commands to encrypt data transfer.

In Apache

1. Initially, we install the Certbot packages and dependencies on the Apache server using the following command.

yum install -y certbot python2-certbot-apache

2. Then, we run Certbot.

certbot

3. Next, we enter an email address and a contact address.

4. We complete the installation by following each step in installation procedure.

5. After that, we configure automated certificate renewal with a cron job. For that, we add the following entry to /etc/crontab (the system crontab, whose format has a user field before the command); it runs the renewal check daily at 03:00.

00 3 * * * root certbot renew --no-self-upgrade

6. Finally, we restart the cron daemon. Thus, Certbot automatically renews the website’s SSL certificate.

Let’s Encrypt certificates expire every 90 days, and failing to renew the site’s SSL certificate on time stops it from serving secure communication. The cron setup eliminates the need to renew the certificate manually, so the web server keeps encrypting data without interruption.
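The 90-day lifetime and Certbot’s default 30-day renewal window are easy to verify from outside the server, which is how we confirm that the cron job really renewed a certificate. The script below is an added example, not code from the original post or from Certbot: it reads the certificate’s notAfter date from a live TLS handshake (or from a supplied date string, so the logic can be checked offline) and reports whether the certificate is expired, inside the renewal window, or fine. The sample dates in it are constructed.

```python
"""Report how long a site's certificate has left and whether Certbot's
renewal window has been reached. Added example, not from the original post."""
import socket
import ssl
import time

RENEW_BEFORE_DAYS = 30   # Certbot's default renew_before_expiry
CERT_LIFETIME_DAYS = 90  # Let's Encrypt certificate lifetime


def days_until_expiry(not_after, now=None):
    """Days remaining until `not_after`, a string in the format returned by
    SSLSocket.getpeercert()['notAfter'], e.g. 'Jun 12 23:59:59 2024 GMT'.
    `now` defaults to the current time; it may also be an epoch timestamp
    or a string in the same format (handy for reproducible offline checks)."""
    expiry_ts = ssl.cert_time_to_seconds(not_after)
    if now is None:
        now_ts = time.time()
    elif isinstance(now, str):
        now_ts = ssl.cert_time_to_seconds(now)
    else:
        now_ts = float(now)
    return (expiry_ts - now_ts) / 86400.0


def renewal_due(days_left, window=RENEW_BEFORE_DAYS):
    """True when the certificate is inside the renewal window or already expired."""
    return days_left <= window


def classify(days_left, window=RENEW_BEFORE_DAYS):
    """Map the remaining lifetime to a monitoring state."""
    if days_left < 0:
        return "EXPIRED"
    if days_left <= window:
        return "RENEW_DUE"
    return "OK"


def fetch_not_after(host, port=443, timeout=5.0):
    """Open a TLS connection to `host` and return the leaf certificate's notAfter.
    Needs network access, so the offline checks do not exercise it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(host, now=None):
    """Fetch the live certificate for `host` and classify its remaining lifetime."""
    days = days_until_expiry(fetch_not_after(host), now)
    return {"host": host, "days_left": round(days, 1), "state": classify(days)}


if __name__ == "__main__":
    import sys
    # Constructed sample: a certificate expiring 30 days after the reference date.
    sample_days = days_until_expiry("Jun 12 23:59:59 2024 GMT", "May 13 23:59:59 2024 GMT")
    print("sample certificate:", sample_days, "days left ->", classify(sample_days))
    for h in sys.argv[1:]:
        print(check_host(h))
```

A state of RENEW_DUE with a renewal cron job in place means `certbot renew` has not run or has failed; the Certbot log on the instance then tells why.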


For Nginx on Amazon Linux

1. We start the installation of Certbot by connecting to the instance as the ec2-user and downloading certbot-auto.

ssh -i ~/.ssh/my-aws.pem ec2-user@52.yy.111.xxx

curl -O https://dl.eff.org/certbot-auto

chmod +x certbot-auto

mv certbot-auto /usr/local/bin/certbot-auto


2. Then, we run Certbot.

certbot-auto certonly --standalone -d example.com

3. And, we enter an email address.

4. Next, we modify nginx.conf by adding the following server block, replacing example.com with the customer’s domain name.

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;
    root /usr/share/nginx/html;

Again, inside the same server block, we set the additional parameters including the path to the SSL certificate files, SSL session timeout values, protocols, etc., and then close the block.

    ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
    # It is *strongly* recommended to generate unique DH parameters
    # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
    #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
    ssl_prefer_server_ciphers on;
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
}

Here, we take special care while adding Transport Layer Security (TLS) support on the server. We make sure to disable the weak TLS protocol versions and weak cipher suites.

5. At last, we restart Nginx.

service nginx start

That completes Certbot installation and now we can set up SSL on the websites.
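Two points in the server block above deserve a check before Nginx is started: `ssl_protocols` still offers TLSv1.1, which is deprecated and counts as a weak protocol today, and `ssl_dhparam` is left commented out. The script below is an added example, not code from the original post or from the nginx project. It flattens an Nginx server block into directives and reports weak TLS settings; the constructed PAGE_STYLE_CONFIG reproduces the directives from the block above, and the constructed HARDENED_CONFIG shows a variant that passes. The HSTS and TLSv1.3 checks are my own additions beyond what the post configures.

```python
"""Audit an nginx server block for weak TLS settings.
Added example (not from the original post or from the nginx project)."""
import re

# Protocol versions that should no longer be offered.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Cipher-string tokens that must only ever appear negated ("!RC4"), never enabled.
BROKEN_CIPHER_TOKENS = {"NULL", "aNULL", "eNULL", "EXPORT", "DES", "3DES", "RC4", "MD5"}


def parse_directives(config_text):
    """Flatten an nginx config fragment into (name, [args]) pairs.
    Comments are dropped and block openers/closers ("server {", "}") are skipped,
    which is enough for auditing a single server block."""
    directives = []
    for raw in config_text.splitlines():
        line = re.sub(r"#.*$", "", raw).strip()
        for stmt in line.split(";"):
            stmt = stmt.strip()
            if not stmt or stmt.endswith("{") or stmt == "}":
                continue
            parts = stmt.replace('"', "").replace("'", "").split()
            directives.append((parts[0], parts[1:]))
    return directives


def audit_tls(config_text):
    """Return a list of human-readable findings; an empty list means nothing weak was found."""
    by_name = {}
    for name, args in parse_directives(config_text):
        by_name.setdefault(name, []).append(args)
    findings = []

    protocols = {p for args in by_name.get("ssl_protocols", []) for p in args}
    weak = sorted(protocols & WEAK_PROTOCOLS)
    if weak:
        findings.append("ssl_protocols enables deprecated versions: " + ", ".join(weak))
    if protocols and "TLSv1.3" not in protocols:
        findings.append("ssl_protocols does not enable TLSv1.3 (needs nginx 1.13+ built with OpenSSL 1.1.1+)")

    cipher_tokens = [t for args in by_name.get("ssl_ciphers", []) for t in ":".join(args).split(":")]
    enabled_bad = sorted(t for t in cipher_tokens if t in BROKEN_CIPHER_TOKENS)
    if enabled_bad:
        findings.append("ssl_ciphers enables broken ciphers: " + ", ".join(enabled_bad))

    for required in ("ssl_certificate", "ssl_certificate_key"):
        if required not in by_name:
            findings.append(required + " is missing")
    if "ssl_dhparam" not in by_name:
        findings.append("ssl_dhparam not set (the directive is still commented out)")
    if not any(args[:1] == ["Strict-Transport-Security"] for args in by_name.get("add_header", [])):
        findings.append("no Strict-Transport-Security (HSTS) header")
    return findings


# Constructed sample reproducing the TLS directives of the server block above.
PAGE_STYLE_CONFIG = """
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
    #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
    ssl_prefer_server_ciphers on;
}
"""

# Constructed hardened variant that the audit accepts.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
    ssl_dhparam "/etc/pki/nginx/dhparams.pem";
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000" always;
}
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PAGE_STYLE_CONFIG
    for finding in audit_tls(text) or ["no weak TLS settings found"]:
        print("-", finding)
```

Run it as `python3 audit_tls.py /etc/nginx/nginx.conf` after editing and before `nginx -t` and the restart; on the block above it reports TLSv1.1, the missing TLSv1.3, the unset `ssl_dhparam` and the absent HSTS header. Note also that `certonly --standalone` binds port 80 itself for the validation, so Nginx must not be listening there while Certbot runs.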


How we fixed common errors with Certbot

Although the Certbot setup looks fairly straightforward, users often experience problems with it. Now, let’s check how our Support Engineers resolve errors related to Certbot.


1. Problems with Virtualenv Version

Recently, one of our customers had an error while running certbot-auto on his AWS instance. The error said:

Traceback (most recent call last):
File "/usr/bin/virtualenv", line 6, in <module>
from pkg_resources import load_entry_point
File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3049, in <module>
@_call_aside
File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3033, in _call_aside
f(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3062, in _initialize_master_working_set

On checking, our Support Engineers found that this error was caused by the installed version of Virtualenv: Certbot was using an older version. So we fixed this error by uninstalling Virtualenv and installing the latest version. For that, we used the following commands.

pip uninstall virtualenv

pip install virtualenv

Similarly, Virtualenv can also be reinstalled by deleting the files matching /usr/bin/virtualenv* and reinstalling it with

/usr/bin/easy_install virtualenv


2. Faulty files

Similarly, another customer contacted us with a problem while setting up Certbot on his AWS account. He couldn’t install Certbot on a few of his instances, while the installation went fine on other instances on the same node server.

Here, our Support Engineers first compared the Apache configuration of the working instances with that of the failing ones. Finally, we found that this problem was caused by a faulty /dev/random device node.

Commands like Certbot, ssh, ssh-keygen, OpenSSL, etc. depend on random number generation on the server. Any problem with the random source returns an error when running these commands.

Therefore, we solved this error by moving the old /dev/random node aside and then symlinking /dev/random to /dev/urandom.

To remove the old /dev/random file, we used

mv -iv /dev/random /dev/random-old

Then we created a symbolic link with the following command.

ln -s /dev/urandom /dev/random

That solved the error and Certbot started working again.
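Before replacing /dev/random, it is worth confirming what is actually wrong with it, and afterwards confirming that the replacement is usable. The script below is an added example, not code from the original post: it checks whether a path is a character device carrying the Linux kernel RNG’s fixed device numbers (major 1, minor 8 for /dev/random; 1, 9 for /dev/urandom), whether a read returns within a timeout, and how much entropy the kernel reports. The temporary-file case is constructed to show what a faulty node (a regular file sitting where the device should be) looks like. After the symlink fix above, /dev/random reports device (1, 9), because stat follows the link to /dev/urandom; the report makes that visible rather than hiding it.

```python
"""Diagnose whether /dev/random (or any path) is a usable character device.
Added example, not from the original post."""
import os
import select
import stat
import tempfile

# Fixed Linux device numbers (major, minor) of the kernel RNG nodes.
EXPECTED_DEVICE_NUMBERS = {"/dev/random": (1, 8), "/dev/urandom": (1, 9)}


def inspect_random_device(path, expected=None, read_timeout=1.0):
    """Return a report dict for `path`; `problems` is empty when the node looks healthy."""
    result = {"path": path, "exists": os.path.lexists(path), "is_symlink": False,
              "is_char_device": False, "major": None, "minor": None,
              "readable": False, "problems": []}
    if not result["exists"]:
        result["problems"].append("node is missing")
        return result
    result["is_symlink"] = os.path.islink(path)
    st = os.stat(path)  # follows a symlink, so a link to /dev/urandom reports (1, 9)
    if not stat.S_ISCHR(st.st_mode):
        result["problems"].append("not a character device (regular file or directory in its place)")
        return result
    result["is_char_device"] = True
    result["major"], result["minor"] = os.major(st.st_rdev), os.minor(st.st_rdev)
    expected = expected if expected is not None else EXPECTED_DEVICE_NUMBERS.get(path)
    if expected and (result["major"], result["minor"]) != expected:
        result["problems"].append(
            "device numbers %s differ from expected %s" % ((result["major"], result["minor"]), expected))
    # Non-blocking open plus select, so a starved blocking pool cannot hang the check.
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    try:
        ready, _, _ = select.select([fd], [], [], read_timeout)
        if ready:
            os.read(fd, 16)
            result["readable"] = True
        else:
            result["problems"].append("no data within %.1fs (blocking: entropy pool starved?)" % read_timeout)
    except OSError as exc:
        result["problems"].append("read failed: %s" % exc)
    finally:
        os.close(fd)
    return result


def entropy_available(proc_path="/proc/sys/kernel/random/entropy_avail"):
    """Entropy the kernel reports for the input pool, or None when unavailable."""
    try:
        with open(proc_path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def demo_on_regular_file():
    """Constructed failure case: a plain file standing in for /dev/random."""
    with tempfile.NamedTemporaryFile() as tmp:
        return inspect_random_device(tmp.name, expected=(1, 8))


if __name__ == "__main__":
    for node in ("/dev/random", "/dev/urandom"):
        print(inspect_random_device(node))
    print("entropy_avail:", entropy_available())
    print("constructed faulty node:", demo_on_regular_file()["problems"])
```

A node that is missing or is not a character device can also be recreated directly with `mknod -m 666 /dev/random c 1 8` on a stock Linux system instead of symlinking; either way, rerunning the script afterwards should show `is_char_device` true and `readable` true.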

[Having trouble with the Certbot installation? Our Linux Experts can fix it for you.]


Conclusion

In a nutshell, Certbot automates SSL installation. However, while installing Certbot on Amazon Linux servers, users may get errors because of an outdated Virtualenv version or faulty files. Today, we saw how our Support Engineers fixed these errors.


