LetsEncrypt certbot and Lightsail

Although not directly supported, it’s quite possible to use the LetsEncrypt certbot client on Amazon Lightsail Linux.

First of all … what is LetsEncrypt?

Let’s Encrypt is a free service that offers basic SSL certificates any web site.  The certificates are good for 90 days but can be renewed indefinitely. With the proper software, the installation & renewal of the certificates can be fully automated.

There are a few things to be aware of and workarounds that need to be done.

First, download the certbot-auto client itself…

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
cp certbot-auto /usr/local/bin
./certbot-auto

When you first run certbot-auto, it will warn you that Amazon Linux support is experimental, but there is a way to install it.

FATAL: Amazon Linux support is very experimental at present…
if you would like to work on improving it, please ensure you have backups
and then run this script again with the –debug flag!
Alternatively, you can install OS dependencies yourself and run this script
again with –no-bootstrap.

So, run the client again with the debug flag ‘–debug’.

./certbot-auto --debug

At this point the client will download & install some dependencies.

Once the dependencies are downloaded & installed, it will do some additional setup to get things ready.

If you encounter this error …

Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 12, in <module>
    import josepy as jose
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 44, in <module>
    from josepy.interfaces import JSONDeSerializable
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 8, in <module>
    from josepy import errors, util
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 4, in <module>
    import OpenSSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/rand.py", line 12, in <module>
    from OpenSSL._util import (
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
ImportError: No module named cryptography.hazmat.bindings.openssl.binding

… you’ll need to copy some files into a different directory.

You will probably get this error after certbot-auto upgrades itself also.  As such, I suggest creating a script to copy the necessary files and running it after upgrading.

#!/bin/sh

BASE=/opt/eff.org/certbot/venv

cp -a $BASE/lib64/python2.7/* $BASE/lib/python2.7

Because certbot-auto normally upgrades itself when running (if there is an update), and this error can be encountered after the upgrade, I suggest not allowing certbot-auto to self-upgrade during normal operation.  You can do this by adding the ‘–no-self-upgrade’ flag on any automated operation (cron job, etc).

certbot-auto renew --quiet --no-self-upgrade

You’ll want to run certbot-auto manually now and then, without the ‘–no-self-upgrade’ flag to install any updates.  I suggest doing this at least once a month.

Leave a Reply

Your email address will not be published.