Certbot setup on CentOS 7

In order to learn more about devops, I took it upon myself a year ago to automate the process of setting up and publishing this Jekyll blog to a cloud service. One of the things I wanted to achieve was to learn how to automate the process of generating SSL certificates using certbot.

It didn’t dawn on me till much later that the whole idea of using certbot is to automate the renewal process, which is when I got stuck.

If you follow the instructions on the certbot website, it would install an older version of pyOpenSSL using yum through the epel-release repo, which causes conflict errors such as ‘Import OpenSSL not found’ when the certbot binary is run. In addition, the python version is locked at 2.7.5 which is not updatable.

I realised that if I could install and run an up-to-date version of python, I could perhaps be able to install and run certbot through pip. After some research, I decided to install the latest version of python 2 which would work alongside the system version.

Installing python

Below are the commands I ran to install python 2.7.14

 1 # Only if you have installed certbot through yum previously
 2 yum remove pyOpenSSL
 3 
 4 # Needed later to build certbot
 5 yum install openssl-devel python-devel
 6 
 7 yum update
 8 
 9 yum groupinstall -y "development tools"
10 
11 # dependencies for building python
12 yum install -y zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel readline-devel tk-devel gdbm-devel db4-devel libpcap-devel xz-devel expat-devel
13 
14 wget  http://python.org/ftp/python/2.7.14/Python-2.7.14.tar.xz
15 
16 tar xf Python-2.7.14.tar.xz
17 
18 cd Python-2.7.14
19 
20 ./configure --prefix=/usr/local --enable-unicode=ucs4 --enable-shared LDFLAGS="-Wl,-rpath /usr/local/lib"
21 
22 # Using make altinstall here so we don't override the system python
23 make && make altinstall

If successful, you should get /usr/local/bin/python2.7. The next step would be to install pip:

1 wget https://bootstrap.pypa.io/get-pip.py
2 
3 python2.7 get-pip.py

The above should install pip2.7.

Virtualenv setup

The next step would be to setup virtualenv so we can use python2.7.14 in its own isolated environment without any conflicts with the system python. Then we can install and build cerbot:

 1 pip2.7 install virtualenv
 2 
 3 # create a virtualenv in your home directory called mycertbot
 4 virtualenv mycertbot
 5 
 6 # activate the virtualenv
 7 source ~/mycerbot/bin/activate
 8 
 9 # should show 2.7.14
10 python --version
11 
12 pip install cerbot

If successful, the certbot binary should be within ~/mycertbot/bin/cerbot

To test that it works, you can do a dry-run using certbot:

1 sudo ~/mycertbot/bin/certbot certonly --dry-run --webroot -w /home/web/site/.well-known/acme-challenge -d mydomain.com -d www.mydomain.com

From above, I’m using the certonly command to generate the certs for each of the domains listed. I’m also using the webroot authenticator.

This means that I only need to supply a directory where cerbot can have access to for storing its acme challenge tokens. In this mode, Certbot does not update or modify the server config files. You would have to do so manually.

Certbot has support for various plugins including nginx and apache. However, I am unable to get it to work properly during the renewal process. I will document the renewal process in the follow up article.

To generate the certificates for the first time, run the command above without the dry-run flag:

1 sudo ~/mycertbot/bin/certbot certonly --webroot -w /home/web/site/.well-known/acme-challenge -d mydomain.com -d www.mydomain.com

After a successful run, the certificates should be within /etc/letsencrypt/live/mydomain.com.

That’s my approach for solving the python dependencies errors when install certbot on centos7.

Hope it helps someone. Happy Hacking!