How to install certbot via snap on Amazon Linux 2023

Raz*_*kar 10 certbot amazon-linux snap

I am following this guide on how to Configure SSL/TLS on Amazon Linux 2023. It recommends obtaining a CA-signed certificate using Certbot. And to get Certbot, it's recommended to install Snap.

I have tried several things, but am not able to install any of the prerequisites:

sudo yum install snapd
    Error: Unable to find a match: snapd

sudo amazon-linux-extras install epel
    sudo: amazon-linux-extras: command not found

sudo yum install -y amazon-linux-extras
    Error: Unable to find a match: amazon-linux-extras

Mar*_*ler 9

There's honestly no good reason to run certbot, which is really just enough code to interact with letsencrypt and modify a few configuration files, in a snap. Especially if you want it to actually do its job of modifying the system, snap's isolation capabilities aren't useful.

Amazon doesn't recommend using snap to install certbot; that's just this site https://eff-certbot.readthedocs.io/en/stable/install.html#installation which lists it as one of many ways.

You'll be fine just installing the most recent certbot using the pip-method described on the same page. It's a lot less overhead than using snap (really not happy about them recommending that; also, I think their pip-based description has minor bugs). For a quick overview of how that'd work:

https://certbot.eff.org/instructions?ws=nginx&os=pip

# create an isolated python environment for certbot purposes alone
python3 -m venv /opt/certbot

# Modify environment for the current shell only to make python modify
# the virtual environment and not your system libraries
source /opt/certbot/bin/activate

# Install certbot
pip install certbot

That's it. If you later want to run certbot as a standalone program,

/bin/bash -c "source /opt/certbot/bin/activate; certbot"

does that.

You can of course also put that into a shell script, e.g.

/usr/bin/certbot:

#!/bin/bash
source /opt/certbot/bin/activate
/opt/certbot/bin/certbot "$@"

Make that executable (chmod 755 /usr/bin/certbot) and henceforth simply use certbot as a command.

You might also want to set up a systemd timer to automatically renew your certificates regularly.

That's pretty easy:

  1. Make a file /lib/systemd/system/certbot.service with this content
[Unit]
Description=Certbot
Documentation=https://certbot.eff.org/docs

[Service]
Type=oneshot
ExecStart=/bin/bash -c "source /opt/certbot/bin/activate; certbot -q renew"
PrivateTmp=true

and one file /lib/systemd/system/certbot.timer with this:

[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200
Persistent=true

[Install]
WantedBy=timers.target

Source code of this timer straight from the Fedora packaging

To activate that timer, systemctl enable --now certbot.timer. From there on, your certificates get renewed if necessary automatically.

You might also want to email AWS support and ask them why they recommend software called "certbot", which every other larger Linux distribution includes (so that you can simply yum install certbot and have all of the above done for you), yet decided not to include certbot in Amazon Linux 2023 itself. That seems like a pretty silly oversight.
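The wrapper script and the two systemd units from the answer above, as an added example that is not the answerer's own code: one script writes all three from a single VENV variable and then checks that the wrapper and the service agree on the venv path, the kind of mismatch that makes a renewal timer fail silently. It assumes the venv was already created with python3 -m venv and certbot installed into it with pip, and that the output paths passed in are /usr/bin and /lib/systemd/system on a real host (a scratch directory when testing).

```shell
#!/bin/bash
# Added example, not the answerer's code: write the wrapper and both
# systemd units from one VENV variable so the venv path cannot drift
# between them, then verify the files before enabling the timer.
# Assumption: VENV is the venv from "python3 -m venv" with certbot pip-installed.
set -eu
VENV="${VENV:-/opt/certbot}"

write_wrapper() {  # $1 = output path, e.g. /usr/bin/certbot
  cat > "$1" <<EOF
#!/bin/bash
source "$VENV/bin/activate"
exec "$VENV/bin/certbot" "\$@"
EOF
  chmod 755 "$1"
}
write_service() {  # $1 = output path, e.g. /lib/systemd/system/certbot.service
  cat > "$1" <<EOF
[Unit]
Description=Certbot
Documentation=https://certbot.eff.org/docs

[Service]
Type=oneshot
ExecStart=$VENV/bin/certbot -q renew
PrivateTmp=true
EOF
}
write_timer() {  # $1 = output path, e.g. /lib/systemd/system/certbot.timer
  cat > "$1" <<'EOF'
[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200
Persistent=true

[Install]
WantedBy=timers.target
EOF
}
# Refuse to proceed if wrapper or unit point anywhere but $VENV/bin/certbot
# (a mistyped venv path such as /opt/cerbot is exactly what this catches).
check_paths() {  # $1 = wrapper path, $2 = service path
  [ -f "$1" ] || return 1
  grep -q "^exec \"$VENV/bin/certbot\" " "$1" || return 1
  grep -q "^ExecStart=$VENV/bin/certbot -q renew\$" "$2" || return 1
}
```

Run check_paths after writing the files and only then systemctl enable --now certbot.timer; the service calls the venv's certbot entry point directly, which is equivalent to sourcing activate first.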