Raz*_*kar 10 certbot amazon-linux snap
I am following this guide on how to Configure SSL/TLS on Amazon Linux 2023. It recommends to obtain a CA-signed certificate using Certbot. And to get Certbot, it's recommended to install Snap.
I have tried several things, not able to install any of prerequisites:
sudo yum install snapd
Error: Unable to find a match: snapd
sudo amazon-linux-extras install epel
sudo: amazon-linux-extras: command not found
sudo yum install -y amazon-linux-extras
Error: Unable to find a match: amazon-linux-extras
There's honestly no good reason to run certbot, which is really just enough code to interact with letsencrpyt and modify a few configuration files, in a snap. Especially if you want it to actually do its job of modifying the system, snap's isolation capabilities aren't useful.
Amazon doesn't recommend using snap to install certbot; that's just this site https://eff-certbot.readthedocs.io/en/stable/install.html#installation which lists it as one of many ways.
You'll be fine just installing the most recent certbot using the pip-method described on the same page. It's a lot less overhead than using snap (really not happy about them recommending that; also, I think their pip-based description has minor bugs). For a quick overview of how that'd work:
https://certbot.eff.org/instructions?ws=nginx&os=pip
# create an isolated python environment for certbot purposes alone
python3 -m venv /opt/certbot
# Modify environment for the current shell only to make python modify
# the virtual environment and not your system libraries
source /opt/certbot/bin/activate
# Install certbot
pip install certbot
That's it. If you later want to run certbot as standalone program,
/bin/bash -c "source /opt/cerbot/bin/activate; certbot"
does that.
You can of course also put that into a shell script, e.g.
/usr/bin/certbot:
#!/bin/bash
source /opt/certbot/bin/activate
/opt/certbot/bin/certbot "$@"
make that executable (chmod 755 /usr/bin/certbot) and henceforth simply use certbot as command.
You might also want to set up a systemd timer to automatically renew your certificates regularly.
That's pretty easy:
[Unit]
Description=Certbot
Documentation=https://certbot.eff.org/docs
[Service]
Type=oneshot
ExecStart=/bin/bash -c "source /opt/cerbot/bin/activate; certbot -q renew"
PrivateTmp=true
and one file /lib/systemd/system/certbot.timer with this:
[Unit]
Description=Run certbot twice daily
[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200
Persistent=true
[Install]
WantedBy=timers.target
Source code of this timer straight from the Fedora packaging
To activate that timer, systemctl enable --now certbot.timer. From there on, your certificates get renewed if necessary automatically.
您可能还想向 AWS 支持人员发送电子邮件,询问他们为什么建议使用其他每个较大的 Linux 发行版都包含的名为“certbot”的软件(以便您可以通过安装yum install certbot并为您完成上述所有操作),但决定不将 certbot 包含在 Amazon Linux 2023 本身中。这似乎是一个非常愚蠢的疏忽。
| 归档时间: |
|
| 查看次数: |
4883 次 |
| 最近记录: |