awsdocs / amazon-lightsail-developer-guide

The open source version of the Amazon Lightsail docs. To submit feedback or requests for changes, submit an issue or make changes and submit a pull request.

Question: Is a manual renew required when using Certbot for SSL? #6

Closed benwurth closed 3 years ago

benwurth commented 4 years ago

In the article Tutorial: Using Let’s Encrypt SSL certificates with your WordPress instance in Amazon Lightsail it says in Step 9 that the certificate needs to be manually renewed every 90 days.

After I followed the instructions in the article, I found that the certbot tool had installed a cronjob at /etc/cron.d/certbot that attempts to renew my certificate twice a day.

With this cronjob, do I still need to manually renew the certificate every 90 days? And if not, does the article need to be updated to reflect this fact?

rlatino commented 4 years ago

It could be that certbot has been updated. When I wrote the article, I checked cron and saw no job had been added. I then attempted to add a cron job that would run certbot every day, but it failed every time. A web search revealed that certbot did not support automatic renewal w/DNS verification, so we opted to note a "manual process" instead of an automated one. I will research this soon and get back to you to determine if indeed an automated option is now available. Please stay tuned.

rlatino commented 4 years ago

@benwurth After some testing, I've determined that the certbot cron job that you mentioned will not automatically renew your certificate. This is because we instruct users to run certbot using a manual authentication method. So when the auto renew performs, you may get an error stating that "--manual-auth-hook" script was not provided. That script needs to automatically add the new verification DNS record to your DNS zone, which is not something that we can document for every customer scenario since customers use various DNS hosting providers. Here's the error that I see when performing a dry run (sudo certbot renew --dry-run) of the certbot auto renew:

Attempting to renew cert (***.com) from /etc/letsencrypt/renewal/***.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration. The error was: PluginError(An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.,). Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/***.com/fullchain.pem (failure)

If you want to learn more about the pre and post validation hooks for certbot, see the following documentation. This might provide you some insight on how to configure your own manual auth hook script:

https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks

In closing, documentation for auto renewal of a certificate is something that I will try to tackle soon. Stay tuned for that. I will follow up in the future if/when we do publish revised documentation that includes auto renewal steps.
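
Added example of what the missing --manual-auth-hook (and its cleanup counterpart) looks like; this is not code from the Lightsail guide, from certbot, or from anyone in this thread. certbot documents that it exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook (see the link above); everything else here is an assumption for illustration: the script path /opt/bitnami/letsencrypt/scripts/dns-hook.sh, a Lightsail DNS zone named blah.com updated with the real aws lightsail create-domain-entry / delete-domain-entry subcommands (the quoting of the TXT target is assumed), 1.1.1.1 as the resolver used to confirm propagation, and a 300 second propagation limit. A different DNS host changes only publish_txt and remove_txt.

```shell
#!/bin/bash
# /opt/bitnami/letsencrypt/scripts/dns-hook.sh  (path assumed)
# Added example of a --manual-auth-hook / --manual-cleanup-hook pair for DNS-01.
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks; the
# provider-specific part is confined to publish_txt and remove_txt, shown here
# against a Lightsail DNS zone through the AWS CLI.
set -eu

ZONE=${ZONE:-blah.com}          # assumption: the Lightsail DNS zone holding the domain
RESOLVER=${RESOLVER:-1.1.1.1}   # public resolver used to confirm propagation
PROPAGATION_TIMEOUT=300         # seconds; bounded so a broken provider cannot hang renewals

# ACME queries TXT at _acme-challenge.<domain>. A wildcard order is authorised on
# the base name, so a leading "*." is stripped defensively.
acme_record_name() {
  local d=$1
  d=${d#\*.}
  printf '_acme-challenge.%s\n' "$d"
}

# JSON for --domain-entry. Assumption: Lightsail stores TXT targets with the
# surrounding quotes, so the value is quoted inside the JSON string.
entry_json() { # record_name value
  printf '{"name":"%s","type":"TXT","target":"\\"%s\\""}' "$1" "$2"
}

# Provider-specific: needs credentials permitting lightsail:CreateDomainEntry and
# lightsail:DeleteDomainEntry on this zone only (a least-privilege IAM user or role).
publish_txt() { aws lightsail create-domain-entry --domain-name "$ZONE" --domain-entry "$(entry_json "$1" "$2")"; }
remove_txt()  { aws lightsail delete-domain-entry --domain-name "$ZONE" --domain-entry "$(entry_json "$1" "$2")"; }

# Do not return to certbot until the record is publicly visible; otherwise the CA
# may query before propagation and the order fails.
wait_for_txt() { # record_name value
  local deadline=$(( $(date +%s) + PROPAGATION_TIMEOUT ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    if dig +short TXT "$1" "@$RESOLVER" | tr -d '"' | grep -qxF -- "$2"; then
      return 0
    fi
    sleep 10
  done
  echo "TXT $1 not visible after ${PROPAGATION_TIMEOUT}s" >&2
  return 1
}

auth_hook() {
  local name; name=$(acme_record_name "$CERTBOT_DOMAIN")
  publish_txt "$name" "$CERTBOT_VALIDATION"
  wait_for_txt "$name" "$CERTBOT_VALIDATION"
}

cleanup_hook() {
  remove_txt "$(acme_record_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
}

# certbot runs the same script for both phases; the first argument selects the phase
case "${1:-}" in
  auth)    auth_hook ;;
  cleanup) cleanup_hook ;;
esac
```

Run certbot once interactively with `sudo certbot certonly --manual --preferred-challenges dns --manual-auth-hook '/opt/bitnami/letsencrypt/scripts/dns-hook.sh auth' --manual-cleanup-hook '/opt/bitnami/letsencrypt/scripts/dns-hook.sh cleanup' -d blah.com -d www.blah.com`. certbot records both hook commands in /etc/letsencrypt/renewal/blah.com.conf, so the twice-daily `certbot renew` from /etc/cron.d/certbot then has the script it was complaining about, and `sudo certbot renew --dry-run` is the check that the PluginError is gone. The hook runs as root with DNS-write credentials, so scope those credentials to the one zone and keep the script writable by root only. DNS-01 is also the only challenge type that can validate a wildcard name.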

nro-bot commented 4 years ago

I finally sat down today and got this to work (I think / hope) -- I don't understand in detail what's happening (beyond that it's frustrating to do the manual process / get lots of reminder emails every two months), so I can't say how this might have to change depending on people's DNS configs.

Hopefully it will be useful to others. I think this should be the preferred approach over --manual, possibly (I think renewing more frequently is better?)

I used the lego tool here https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#alternative-approach In case the link dies, here are the contents (some light modifications)

Steps

Install Lego

cd /tmp
curl -Ls https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i -
tar xf lego*.tar.gz
sudo mkdir -p /opt/bitnami/letsencrypt
sudo mv lego /opt/bitnami/letsencrypt/lego

Generate Certs

DOMAIN=blah.com
EMAILADD=foo@blah.com
sudo /opt/bitnami/ctlscript.sh stop
sudo /opt/bitnami/letsencrypt/lego --tls --email="$EMAILADD" --domains="$DOMAIN" --domains="www.$DOMAIN" --path="/opt/bitnami/letsencrypt" run

Install certs to apache

sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/$DOMAIN.key /opt/bitnami/apache2/conf/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/$DOMAIN.crt /opt/bitnami/apache2/conf/server.crt

sudo chown root:root /opt/bitnami/apache2/conf/server*
sudo chmod 600 /opt/bitnami/apache2/conf/server*

sudo /opt/bitnami/ctlscript.sh start

Create auto-renewal bash script & install to cron job

Below, the cron job runs on the 1st of each month.

$ sudo mkdir -p /opt/bitnami/letsencrypt/scripts
$ sudo nano /opt/bitnami/letsencrypt/scripts/renew-certificate.sh

    #!/bin/bash

    DOMAIN=blah.com
    EMAILADD=foo@blah.com
    # lego answers the TLS-ALPN-01 challenge on port 443 itself, so Apache must be stopped first
    sudo /opt/bitnami/ctlscript.sh stop apache
    sudo /opt/bitnami/letsencrypt/lego --tls --email="$EMAILADD" --domains="$DOMAIN" --domains="www.$DOMAIN" --path="/opt/bitnami/letsencrypt" run
    sudo /opt/bitnami/ctlscript.sh start apache

$ sudo chmod +x /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
$ sudo crontab -e

    0 0 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /dev/null

DONE


Example output from cert generation step

$ sudo /opt/bitnami/letsencrypt/lego --tls --email="$EMAILADD" --domains="$DOMAIN" --domains="www.$DOMAIN" --path="/opt/bitnami/letsencrypt" run

2020/05/28 02:56:42 No key found for account foo@blah.com. Generating a P384 key.
2020/05/28 02:56:42 Saved key to /opt/bitnami/letsencrypt/accounts/acme-v02.api.letsencrypt.org/foo@blah.com/keys/foo@blah.com.key
2020/05/28 02:56:42 Please review the TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Do you accept the TOS? Y/n
Y
2020/05/28 02:56:48 [INFO] acme: Registering account for foo@blah.com
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/opt/bitnami/letsencrypt/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2020/05/28 02:56:48 [INFO] [BLAH.com, www.BLAH.com] acme: Obtaining bundled SAN certificate
2020/05/28 02:56:49 [INFO] [BLAH.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/1234524237
2020/05/28 02:56:49 [INFO] [www.BLAH.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/0234524238
2020/05/28 02:56:49 [INFO] [BLAH.com] acme: use tls-alpn-01 solver
2020/05/28 02:56:49 [INFO] [www.BLAH.com] acme: use tls-alpn-01 solver
2020/05/28 02:56:49 [INFO] [BLAH.com] acme: Trying to solve TLS-ALPN-01
2020/05/28 02:56:54 [INFO] [BLAH.com] The server validated our request
2020/05/28 02:56:54 [INFO] [www.BLAH.com] acme: Trying to solve TLS-ALPN-01
2020/05/28 02:57:01 [INFO] [www.BLAH.com] The server validated our request
2020/05/28 02:57:01 [INFO] [BLAH.com, www.BLAH.com] acme: Validations succeeded; requesting certificates
2020/05/28 02:57:01 [INFO] [BLAH.com] Server responded with a certificate.

Notes

json

If I go to https://acme-v02.api.letsencrypt.org/acme/authz-v3/1234524238

I see something like

{
  "identifier": {
    "type": "dns",
    "value": "www.blah.com"
  },
  "status": "valid",
  "expires": "2020-06-27T02:56:55Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "status": "valid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1234524238/rqeKUQ",
      "token": "IZeEmX3y0BRWLukATdoQ4mygpfYrm4XNqwOzT012345",
      "validationRecord": [
        {
          "hostname": "www.blah.com",
          "port": "443",
          "addressesResolved": [
            "34.123.45.678"
          ],
          "addressUsed": "34.123.45.678"
        }
      ]
    }
  ]
}

certbot-auto

I was NOT able to get certbot-auto or bncert-tool to work. Somehow I think the former worked three months ago, as per https://metablogue.com/scripts-automate-aws-lightsail-wordpress-install/,

/opt/bitnami/letsencrypt/certbot-auto renew

But when I tried this time around the script did not exist. Manually installing certbot-auto and running the renew command ran into the issues above (manual auth hook not provided).

Related: https://forums.aws.amazon.com/thread.jspa?threadID=309684

subdomains

I am not sure why I am doing all this... especially since it works on my main wordpress blog at domain.com, but there is no SSL on my second blog at domain.com/myblog2. That's fine, that second blog is a static site, mostly. Still, annoying, something I'll have to dump time into figuring out another day. And, I guess the above process does not do wildcards, so it only applies to BLAH.com and www.BLAH.com but not *.BLAH.com.

$ sudo /opt/bitnami/letsencrypt/lego --tls --email="$EMAILADD" --domains="$DOMAIN" --domains="*.$DOMAIN" --path="/opt/bitnami/letsencrypt" run

2020/05/28 04:10:10 Could not obtain certificates:
    error: one or more domains had a problem:
[*.BLAH.com] [*.BLAH.com] acme: could not determine solvers

?! Websites!
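
The renewal script in the steps above stops Apache on every run, re-issues a brand new certificate each month with `lego ... run`, and the cron entry discards stderr, so a failing renewal is only noticed when the site's certificate expires. Added example of a renewal script for the same lego layout (not the commenter's, Bitnami's, or lego's own code): it uses `lego renew --days 30`, which is a no-op until the certificate is inside the renewal window, answers HTTP-01 from Apache's webroot so Apache stays up, holds a lock, restarts Apache only when the certificate file actually changed, and prints the remaining days to stderr on failure. Assumed: /opt/bitnami/apache2/htdocs as the document root (the default WordPress .htaccess passes through /.well-known/acme-challenge/ because the token files exist on disk), GNU date, flock from util-linux, and the same DOMAIN, EMAILADD and /opt/bitnami/letsencrypt paths as the steps above.

```shell
#!/bin/bash
# /opt/bitnami/letsencrypt/scripts/renew-certificate.sh  (added example)
# Run daily from root's crontab as:  renew-certificate.sh renew
set -eu

DOMAIN=${DOMAIN:-blah.com}
EMAILADD=${EMAILADD:-foo@blah.com}
LEGO_PATH=/opt/bitnami/letsencrypt
WEBROOT=${WEBROOT:-/opt/bitnami/apache2/htdocs}   # assumption: Bitnami Apache document root
RENEW_DAYS=30                                       # lego re-issues only inside this window
LOCK=/var/lock/lego-renew.lock
CERT="$LEGO_PATH/certificates/$DOMAIN.crt"          # the file server.crt is symlinked to

# Whole days between two epoch timestamps (negative once expired); used for alerting.
days_left() { # not_after_epoch now_epoch
  echo $(( ($1 - $2) / 86400 ))
}

# notAfter of a certificate as epoch seconds (GNU date parses openssl's format).
cert_not_after() {
  local line; line=$(openssl x509 -noout -enddate -in "$1")
  date -u -d "${line#notAfter=}" +%s
}

cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null || true
}

main() {
  # one renewal at a time; overlapping cron runs would race on the lego state directory
  exec 9>"$LOCK"
  flock -n 9 || { echo "renewal already running" >&2; exit 1; }

  local before; before=$(cert_fingerprint "$CERT")

  # "renew" (not "run") re-issues only when fewer than RENEW_DAYS remain, and
  # HTTP-01 via the webroot lets Apache keep serving: lego writes the token to
  # $WEBROOT/.well-known/acme-challenge/ and the CA fetches it over port 80.
  if ! "$LEGO_PATH/lego" --accept-tos --email="$EMAILADD" \
        --domains="$DOMAIN" --domains="www.$DOMAIN" \
        --http --http.webroot="$WEBROOT" --path="$LEGO_PATH" \
        renew --days "$RENEW_DAYS"; then
    # make failures loud: cron mails stderr, and the day count says how urgent it is
    echo "lego renew failed; $(days_left "$(cert_not_after "$CERT")" "$(date +%s)") days left on $CERT" >&2
    exit 1
  fi

  # Apache reads the certificate through the server.crt/server.key symlinks, so a
  # restart is needed only when the file actually changed.
  if [ "$(cert_fingerprint "$CERT")" != "$before" ]; then
    /opt/bitnami/ctlscript.sh restart apache
  fi
}

case "${1:-}" in renew) main ;; esac
```

The first issuance is still done once by hand with `lego ... run` as in the steps above; after that a daily root crontab entry such as `0 3 * * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh renew` is enough, and stderr should be left for cron to mail rather than sent to /dev/null.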

rlatino commented 3 years ago

@nouyang if you are still looking for an automated solution for SSL cert renewal on your Lightsail instance, then we have published a doc to use the Bitnami HTTPS configuration tool (bncert), which is bundled with all "Certified by Bitnami" instances available in Lightsail. That tool streamlines the cert request and implementation process, and then automates the renewal for you. Go here to read that doc: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-enabling-https-on-wordpress