Although not directly supported, it’s quite possible to use the LetsEncrypt certbot client on Amazon Lightsail Linux.
First of all … what is LetsEncrypt?
Let’s Encrypt is a free service that offers basic SSL certificates to any web site. The certificates are good for 90 days but can be renewed indefinitely. With the proper software, the installation & renewal of the certificates can be fully automated.
There are a few things to be aware of and workarounds that need to be done.
First, download the certbot-auto client itself…
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
cp certbot-auto /usr/local/bin
./certbot-auto --install-only
When you first run certbot-auto, it will warn you that Amazon Linux support is experimental, but there is a way to install it.
FATAL: Amazon Linux support is very experimental at present…
if you would like to work on improving it, please ensure you have backups
and then run this script again with the --debug flag!
Alternatively, you can install OS dependencies yourself and run this script
again with --no-bootstrap.
So, run the client again with the debug flag ‘--debug’.
./certbot-auto --debug --install-only
At this point the client will download & install some dependencies.
Once the dependencies are downloaded & installed, it will do some additional setup to get things ready.
If you encounter this error …
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 12, in <module>
    import josepy as jose
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 44, in <module>
    from josepy.interfaces import JSONDeSerializable
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 8, in <module>
    from josepy import errors, util
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 4, in <module>
    import OpenSSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/rand.py", line 12, in <module>
    from OpenSSL._util import (
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
ImportError: No module named cryptography.hazmat.bindings.openssl.binding
… you’ll need to copy some files into a different directory.
You will probably also get this error after certbot-auto upgrades itself. As such, I suggest creating a script to copy the necessary files and running it after upgrading.
#!/bin/sh
# Copy the packages installed under lib64 into lib, where certbot looks for them.
BASE=/opt/eff.org/certbot/venv
cp -a "$BASE"/lib64/python2.7/* "$BASE"/lib/python2.7
Because certbot-auto normally upgrades itself when running (if there is an update), and this error can be encountered after the upgrade, I suggest not allowing certbot-auto to self-upgrade during normal operation. You can do this by adding the ‘--no-self-upgrade’ flag on any automated operation (cron job, etc.).
certbot-auto renew --quiet --no-self-upgrade
You’ll want to run certbot-auto manually now and then, without the ‘--no-self-upgrade’ flag, to install any updates. I suggest doing this at least once a month.
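The copy script and the monthly manual upgrade described above can be combined into one helper that only copies when the module is actually missing. This is an added example, not part of the original post; the function names, the CERTBOT_AUTO and VENV override variables, and the location of the missing module under dist-packages in lib64 are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: the module named in the ImportError lives under this path
# inside the venv's lib64 tree and is missing from lib.
PKG=python2.7/dist-packages/cryptography/hazmat/bindings

# Succeeds (exit 0) only when lib64 has the bindings package and lib does not.
# If lib64 is a symlink to lib, both tests agree and no copy is attempted.
venv_needs_fix() {
    base=$1
    [ -d "$base/lib64/$PKG" ] && [ ! -d "$base/lib/$PKG" ]
}

# Idempotent form of the post's copy script; prints fixed, ok or no-lib64.
fix_venv() {
    base=$1
    if [ ! -d "$base/lib64/python2.7" ]; then
        echo "no-lib64"
        return 1
    fi
    if venv_needs_fix "$base"; then
        mkdir -p "$base/lib/python2.7" &&
            cp -a "$base/lib64/python2.7/." "$base/lib/python2.7/" &&
            echo "fixed"
    else
        echo "ok"
    fi
}

# Monthly maintenance: run certbot-auto without --no-self-upgrade so it can
# update itself, then repair the venv even if that run exited non-zero.
# CERTBOT_AUTO and VENV are hypothetical overrides; defaults are the post's paths.
monthly_upgrade() {
    "${CERTBOT_AUTO:-/usr/local/bin/certbot-auto}" --debug --install-only ||
        echo "certbot-auto exited non-zero, checking venv anyway" >&2
    fix_venv "${VENV:-/opt/eff.org/certbot/venv}"
}

# Only act when called with --run, e.g. from a monthly cron entry.
if [ "${1:-}" = "--run" ]; then
    monthly_upgrade
fi
```

Called with --run once a month, this replaces the manual upgrade step; the regular renew job keeps its --no-self-upgrade flag.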
Update to this post:
Certbot-auto has been deprecated, but there is a new way to install certbot.
Check out https://certbot.eff.org/lets-encrypt/pip-apache
You can also install DNS authenticators, like route53, using this method. Just do
sudo /opt/certbot/bin/pip install certbot-dns-route53