I have production and test instances on the AWS Linux AMI. On the test instance I am unable to renew the Let's Encrypt certificate with certbot because it requires ACMEv2 and I am still using the old certbot to avoid problems (I use the --no-self-upgrade switch, otherwise it used to fail; I found the working setup and have not touched it since).
The production instance probably won't be able to renew its certificate either, because ACMEv1 has been turned off on June 1, 2021.
I found some instructions for installing certbot with Apache, but those did not work for nginx. So I tried to install certbot via yum from the EPEL repository, but that did not work for me. Then I found the recommendation to run it in Docker. I followed these instructions: https://dev.to/benjaminblack/using-docker-to-run-the-latest-versions-of-let-s-encrypt-certbot-and-the-aws-cli-on-debian-stable-ubuntu-lts-2nj2
First I got an error notification about missing hosted zones on Route53. I created a hosted zone for my test domain. Now I get this:
Renewing an existing certificate for test.---.com and *.test.---.com
Certbot failed to authenticate some domains (authenticator: dns-route53). The Certificate Authority reported these problems:
Domain: test.---.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.test.---.com - check that a DNS record exists for this domain
Domain: test.---.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.test.---.com - check that a DNS record exists for this domain
Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-route53. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-route53-propagation-seconds (currently 10 seconds).
I also tried to replace the option --dns-route53 with --standalone, but immediately I got this error:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
I tried to add TXT and A records, but those do not seem to be working without the correct setup for the new Amazon nameservers.
Is it possible to migrate only a test subdomain just to see if it works, and to migrate the production domain after it proves reliable? Can I avoid migrating to Amazon routing completely, or combine it with the current provider?
I have only basic experience with domain settings, so any suggestion or advice is welcome.
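The NXDOMAIN in the certbot output above comes from the Certificate Authority's own resolver, which starts at the parent zone held by the current DNS provider; a Route53 hosted zone is only consulted if that parent zone delegates the subdomain to the Route53 nameservers with NS records. The following toy delegation-aware resolver, added here as an illustration and not part of the original question or of certbot, walks the same path over constructed zone data: once without any NS records for the test subdomain at the current provider (the TXT record certbot writes into Route53 is unreachable, so the lookup is NXDOMAIN), and once with the parent delegating only test.example.com to Route53 while www.example.com stays at the current provider. The domain names, nameserver names and the challenge token are all placeholders.

```python
# Added example (not from the original post): a toy delegation-aware resolver
# that shows why a TXT record certbot writes into a Route53 hosted zone can
# still come back NXDOMAIN from the public internet. All zone data and
# nameserver names below are constructed placeholders.

CURRENT_PROVIDER_NS = "ns1.current-provider.example"   # constructed
ROUTE53_NS = "ns-0000.awsdns-00.example"                # constructed placeholder
CHALLENGE_NAME = "_acme-challenge.test.example.com"
CHALLENGE_TOKEN = "constructed-challenge-token"


def build_providers(delegate_subdomain):
    """Zone data served by each nameserver.

    The parent zone example.com lives at the current DNS provider; the
    test.example.com hosted zone (where --dns-route53 writes the TXT record)
    lives at Route53. Only when delegate_subdomain is True does the parent
    carry the NS records that hand test.example.com over to Route53.
    """
    parent_zone = {
        "example.com": {"NS": [CURRENT_PROVIDER_NS], "A": ["192.0.2.10"]},
        "www.example.com": {"A": ["192.0.2.10"]},
    }
    if delegate_subdomain:
        parent_zone["test.example.com"] = {"NS": [ROUTE53_NS]}
    return {
        CURRENT_PROVIDER_NS: {"example.com": parent_zone},
        ROUTE53_NS: {
            "test.example.com": {
                "test.example.com": {"NS": [ROUTE53_NS], "A": ["192.0.2.20"]},
                CHALLENGE_NAME: {"TXT": [CHALLENGE_TOKEN]},
            }
        },
    }


def in_zone(name, owner):
    """True if `name` is `owner` or lies below it in the DNS tree."""
    return name == owner or name.endswith("." + owner)


def resolve(name, rtype, providers, zone_name="example.com", ns=CURRENT_PROVIDER_NS):
    """Start at the zone the TLD delegated to and follow NS delegations the
    way a public recursive resolver would. Returns (status, values)."""
    while True:
        zone = providers[ns][zone_name]
        # Longest-matching delegation below the apex that covers `name`.
        cuts = [owner for owner, rrsets in zone.items()
                if owner != zone_name and "NS" in rrsets and in_zone(name, owner)]
        if cuts:
            child = max(cuts, key=len)
            child_ns = zone[child]["NS"][0]
            if child not in providers.get(child_ns, {}):
                return ("SERVFAIL", None)   # lame delegation: NS does not serve the zone
            zone_name, ns = child, child_ns
            continue
        rrsets = zone.get(name)
        if rrsets is None:
            return ("NXDOMAIN", None)       # the answer the CA reported in the post
        if rtype not in rrsets:
            return ("NODATA", None)
        return ("OK", list(rrsets[rtype]))


def resolve_challenge(delegate_subdomain):
    """Look up the ACME TXT record the way the CA's validator does."""
    return resolve(CHALLENGE_NAME, "TXT", build_providers(delegate_subdomain))


if __name__ == "__main__":
    print("without NS delegation:", resolve_challenge(False))
    print("with NS delegation:   ", resolve_challenge(True))
    print("www still at current provider:",
          resolve("www.example.com", "A", build_providers(True)))
```

The same walk can be done against real DNS with `dig +trace _acme-challenge.test.example.com TXT` from any machine: if the trace never reaches the Route53 nameservers, the parent zone lacks the delegation and no value of --dns-route53-propagation-seconds will help.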