Amazon linux certbot nginx

Install Certbot on Amazon Linux – A smart way to enable LetsEncrypt

With Certbot, securing websites with SSL certificates is no longer a daunting task.

Certbot is a free, open-source tool, and enabling Let’s Encrypt certificates for a website takes only a few clicks. To automate SSL certificate creation, we need to install Certbot on the Amazon Linux EC2 instances.

However, problems with Certbot caused by an outdated Virtualenv version or by faulty files are something we fix regularly as part of our Server Management Services.

In this write-up, we’ll see how our Support Engineers install Certbot and fix related errors in AWS.

How we install Certbot on Amazon Linux 2

Let’s check on how we install Certbot on Amazon Linux servers.

By default, Amazon EC2 instances deny all incoming traffic to the server, so traffic to the secure HTTPS port 443 is denied too. Therefore, we make sure to open ports 80 (HTTP) and 443 (HTTPS) on the server before starting the installation of the Let’s Encrypt SSL certificate. For this, our Cloud Experts modify the security group assigned to the instance as shown:

Further, the steps to install Certbot vary depending on the web server in use. For example, the commands differ between Apache and Nginx. Let’s check how our Support Engineers use these commands to encrypt data transfer.

In Apache

1. Initially, we install Certbot packages and dependencies in the Apache server using the following command.

yum install -y certbot python2-certbot-apache

3. Next, we enter an email address and a contact address.

4. We complete the installation by following each step of the installation procedure.

5. After that, we configure automated certificate renewal with a cron job. For that, we add the following line to the system crontab:

00 3 13 * * * root certbot renew --no-self-upgrade

6. Finally, we restart the cron daemon. Thus, Certbot automatically renews the website’s SSL certificate.

Let’s Encrypt certificates expire every 90 days, and failing to renew the site’s SSL certificate on time stops secure communication. The cron setup eliminates the need to renew the certificate manually, so the web server keeps encrypting data without interruption.

For Nginx on Amazon Linux

1. We start with the installation of Certbot by connecting to the instance as EC2 user.

ssh -i ~/.ssh/my-aws.pem ec2-user@52.yy.111.xxx
curl -O https://dl.eff.org/certbot-auto
chmod +x certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo certbot-auto certonly --standalone -d example.com

3. And, we enter an email address.

4. Next, we modify nginx.conf by adding the following lines, replacing the domain name with the customer’s domain name.


Again, we set the additional parameters including the path to the SSL certificate files, SSL session timeout values, protocols, etc.

ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
# It is *strongly* recommended to generate unique DH parameters
# Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
#ssl_dhparam "/etc/pki/nginx/dhparams.pem";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
ssl_prefer_server_ciphers on;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;

Here, we take special care while adding Transport Layer Security (TLS) support to the server: we make sure to disable the weak TLS protocol versions and weak cipher suites.
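As an added example (not code from the original article), a small Python check that parses the ssl_* directives of an nginx server block and flags the weak settings this section warns about. The sample configuration embedded in it is constructed to mirror the fragment above, and the hardened variant assumes an nginx build that supports TLSv1.3.

```python
import re

# Protocol versions treated as weak: SSLv2/SSLv3 and TLS 1.0/1.1 (deprecated by RFC 8996).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample mirroring the article's fragment (not taken from a live server).
SAMPLE_CONF = """
server {
    listen 443 ssl;
    ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
    #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
"""

# Hardened variant: TLS 1.2/1.3 only and the DH parameters enabled (assumes TLSv1.3 support).
HARDENED_CONF = SAMPLE_CONF.replace("TLSv1.1 TLSv1.2", "TLSv1.2 TLSv1.3").replace("#ssl_dhparam", "ssl_dhparam")

DIRECTIVE_RE = re.compile(r"^(ssl_\w+)\s+(.*?);\s*$")

def parse_ssl_directives(conf_text):
    """Map every uncommented ssl_* directive to its list of values."""
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#...' is a comment, so '#ssl_dhparam' is ignored
        match = DIRECTIVE_RE.match(line)
        if match:
            directives[match.group(1)] = match.group(2).replace('"', "").split()
    return directives

def audit_tls(conf_text):
    """Return a list of findings; an empty list means nothing weak was detected."""
    directives = parse_ssl_directives(conf_text)
    findings = []
    protocols = directives.get("ssl_protocols", [])
    weak = sorted(WEAK_PROTOCOLS & set(protocols))
    if not protocols:
        findings.append("ssl_protocols not set: the nginx default applies, pin TLSv1.2 or newer explicitly")
    elif weak:
        findings.append("weak protocols enabled: " + " ".join(weak))
    if "ssl_dhparam" not in directives:
        findings.append("ssl_dhparam missing or commented out: unique DH parameters are recommended")
    for key in ("ssl_certificate", "ssl_certificate_key"):
        if key not in directives:
            findings.append(key + " missing")
    return findings
```

Running audit_tls over the text of /etc/nginx/nginx.conf before restarting Nginx turns the manual review described above into a repeatable check.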

5. At last, we restart Nginx.

That completes Certbot installation and now we can set up SSL on the websites.

How we fixed common errors with Certbot

Although the Certbot setup looks fairly straightforward, users often run into problems with it. Now, let’s check how our Support Engineers resolve errors related to Certbot.

1. Problems with Virtualenv Version

Recently, one of our customers got an error while running certbot-auto on his AWS instance. The error read:

Traceback (most recent call last):
  File "/usr/bin/virtualenv", line 6, in <module>
    from pkg_resources import load_entry_point
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3049, in <module>
    @_call_aside
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3033, in _call_aside
    f(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3062, in _initialize_master_working_set

On checking, our Support Engineers found that this error was caused by the installed version of Virtualenv: Certbot was using an older version. So we fixed the error by uninstalling Virtualenv and installing the latest version. For that, we used the following commands.

pip uninstall virtualenv
pip install virtualenv

Similarly, Virtualenv can also be reinstalled by deleting the /usr/bin/virtualenv* files and installing it again with

/usr/bin/easy_install virtualenv

2. Faulty files

Similarly, another customer contacted us with a problem while setting up Certbot on his AWS account. He couldn’t install Certbot on a few of his instances, while the installation went fine on other instances on the same node server.

Here, our Support Engineers first compared the Apache configuration of the working instances with that of the failing ones. Finally, we found that the problem was caused by a faulty /dev/random file.

Commands like certbot, ssh, ssh-keygen and openssl depend on the server’s random number generation. Any problem with the random source produces errors when running these commands.

Therefore, we solved this error by removing the old /dev/random file and then symlinking /dev/random to /dev/urandom.

To remove the old /dev/random file, we used

mv -iv /dev/random /dev/random-old

Then we created a symbolic link with the following command.

ln -s /dev/urandom /dev/random

That solved the error and Certbot started working again.

[Do you get trouble with Certbot installation? Our Linux Experts can fix it for you.]

Conclusion

In a nutshell, Certbot automates SSL installation. However, while installing Certbot on the Amazon Linux servers, users may get errors because of outdated Virtualenv Version and faulty files. Today, we saw how our Support Engineers fixed these errors.


2 Comments

I am unable to upgrade ACME v1 to v2 on Amazon Linux with nginx.
Can you please help me on this?

Hi there, we are happy to help you. To contact our support team, please initiate a chat from the icon at the bottom right.


How to install NGINX as Reverse Proxy and configure Certbot on Amazon Linux 2023

In today’s digital landscape, the importance of securing your web server and website cannot be overstated. One of the ways to achieve this is by using an HTTPS protocol, which encrypts the data transmitted between the server and client, ensuring that the information is safe from prying eyes. One of the most popular web servers used to achieve this is NGINX, which offers a robust and efficient platform for serving web content. In this article, we will walk you through the process of installing and configuring NGINX on an Amazon Linux 2023 instance, as well as setting up Certbot to obtain and renew SSL/TLS certificates for your website, ensuring that your website remains secure and trustworthy. Whether you are a seasoned web developer or a novice, this article will provide you with the knowledge and skills you need to secure your website on the AWS cloud.

Disclaimer

In this article, only NGINX and Certbot will be installed for educational purposes. The configuration of NGINX may not be production ready.

Preconditions

Install NGINX

First of all, let’s connect via SSH to our EC2 instance:

Next, execute these commands to install NGINX and enable on startup:

$ sudo yum install nginx
$ sudo systemctl enable nginx && sudo systemctl start nginx

Now, let’s assume that we want to configure NGINX to act as a reverse proxy on port 80 for a service running on port 5555.

Let’s open the NGINX configuration file:

sudo nano /etc/nginx/nginx.conf 

And let’s modify the server configuration by changing the value of YOUR_DOMAIN with the domain name associated with the EC2 instance (if any), and EC2_PRIVATE_IPV4_ADDRESS with the private IPv4 address of the EC2 instance, which can be retrieved from the AWS control panel:

server {
    listen 80;
    listen [::]:80;
    server_name YOUR_DOMAIN;
    location / {
        proxy_pass http://EC2_PRIVATE_IPV4_ADDRESS:5555;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

After saving and closing the file, let’s run a test to verify if the configuration is valid and restart the process:

$ sudo nginx -t
$ sudo systemctl restart nginx

Now, if the configuration is correct, it should be possible to reach our service through the address http:// or http:// .

Install Certbot

For installing Certbot and enabling HTTPS on NGINX, we will rely on Python. So, first of all, let’s set up a virtual environment:

$ sudo python3 -m venv /opt/certbot/
$ sudo /opt/certbot/bin/pip install --upgrade pip

Afterwards, run this command to install Certbot:

$ sudo /opt/certbot/bin/pip install certbot certbot-nginx 

Now, execute the following command to ensure that the certbot command can be run:

sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot 

Finally, run the following command to obtain a certificate and let Certbot automatically modify the NGINX configuration, enabling HTTPS:


After following the certificate generation wizard, we will be able to access our EC2 instance via HTTPS using the address https:// or https:// .

Set up automatic renewal

To enable Certbot to automatically renew the certificates, it is sufficient to add a cron job by running the following command:

$ echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew -q" | sudo tee -a /etc/crontab > /dev/null 


HTTPS with Certbot for Nginx on Amazon Linux

Here’s how you can configure Certbot for Nginx on Amazon Linux.

Create an EC2 instance on AWS

Make sure that ports 443 (SSL) and 22 (SSH) are open. In this tip, let’s assume that we chose to use Amazon Linux.

Install Certbot

$ ssh -i ~/.ssh/my-aws.pem ec2-user@52.193.111.xxx
$ curl -O https://dl.eff.org/certbot-auto
$ chmod +x certbot-auto
$ sudo mv certbot-auto /usr/local/bin/certbot-auto

Install Nginx

$ sudo yum install nginx -y
(Nginx must be stopped during Certbot installation)
$ sudo service nginx stop

Configure your domain to point to the EC2 instance

You can do it with Route53 or any other domain registrars.

Run Certbot

On Amazon Linux, /usr/local/bin is part of ec2-user’s $PATH, so let’s simply run the following command:

(become the root user)
$ sudo su -
(Amazon Linux support is currently experimental, so don't forget to add the "--debug" option. This will update the script itself when you run it for the first time)
# certbot-auto certonly --standalone -d example.com
(You'll be asked to enter your email address)
(Finally, you'll get a message like the following)
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will expire on 2016-mm-dd. To obtain a new version of the certificate in the future, simply run Certbot again.
- If you like Certbot, please consider supporting our work by:
  Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  Donating to EFF: https://eff.org/donate-le

Modify Nginx Configuration

The following commands are assumed to be executed as root.

# cd /etc/nginx/ # cp nginx.conf nginx.conf.org (Modify nginx.conf) # vi nginx.conf (The diff will be followings) # diff nginx.conf nginx.conf.org 85,89c85,117 < server < < listen 443 ssl; < listen [::]:443 ssl; < server_name localhost; < root /usr/share/nginx/html; --- ># Settings for a TLS enabled server. > # > # server < ># listen 443 ssl; > # listen [::]:443 ssl; > # server_name localhost; > # root /usr/share/nginx/html; > # > # ssl_certificate «/etc/pki/nginx/server.crt»; > # ssl_certificate_key «/etc/pki/nginx/private/server.key»; > # # It is *strongly* recommended to generate unique DH parameters > # # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048 > # #ssl_dhparam «/etc/pki/nginx/dhparams.pem»; > # ssl_session_cache shared:SSL:1m; > # ssl_session_timeout 10m; > # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; > # ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP; > # ssl_prefer_server_ciphers on; > # > # # Load configuration files for the default server block. > # include /etc/nginx/default.d/*.conf; > # > # location / < ># > > # > # error_page 404 /404.html; > # location = /40x.html < ># > > # > # error_page 500 502 503 504 /50x.html; > # location = /50x.html < ># > > # > 91,115d118 < ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem"; < ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem"; < # It is *strongly* recommended to generate unique DH parameters < # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048 < #ssl_dhparam "/etc/pki/nginx/dhparams.pem"; < ssl_session_cache shared:SSL:1m; < ssl_session_timeout 10m; < ssl_protocols TLSv1 TLSv1.1 TLSv1.2; < ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP; < ssl_prefer_server_ciphers on; < < # Load configuration files for the default server block. 
< include /etc/nginx/default.d/*.conf; < < location / < < > < < error_page 404 /404.html; < location = /40x.html < < >< < error_page 500 502 503 504 /50x.html; < location = /50x.html
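Review bot: in the 85,89c85,117 hunk the new TLS server block keeps `server_name localhost;` while the certificate obtained above was issued for example.com; set `server_name example.com;` so the block matches the certificate's name and nginx selects it for requests to that host.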
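Review bot: in the 91,115d118 hunk `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0 and 1.1, both deprecated by RFC 8996; restrict it to `ssl_protocols TLSv1.2;` (adding TLSv1.3 where the nginx and OpenSSL build supports it). The `#ssl_dhparam "/etc/pki/nginx/dhparams.pem";` line also stays commented out even though the comment directly above it says unique DH parameters are strongly recommended; run the openssl dhparam command given there and uncomment the directive.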

Let’s restart nginx after the change:

