Let’s Encrypt certbot-auto support for Amazon Linux is still marked as experimental and as such we occasionally encounter unexpected problems. The most recent one was introduced with certbot-auto 0.19.0. During install or upgrade from previous versions you may get an error like this:
    Upgrading certbot-auto 0.18.2 to 0.19.0...
    Replacing certbot-auto...
    Creating virtual environment...
    Installing Python packages...
    Installation succeeded.
    Traceback (most recent call last):
      File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
        from certbot.main import main
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 9, in <module>
        import zope.component
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/component/__init__.py", line 16, in <module>
        from zope.interface import Interface
    ImportError: No module named interface
It took me quite a while to figure out that it’s got nothing to do with Zope.
Solution
All that is needed is to run the script with the $PYTHON_INSTALL_LAYOUT environment variable unset (or set to an empty string).

Unfortunately, once the installation or upgrade fails, it is necessary to remove the whole installation directory /opt/eff.org/certbot and then re-run with $PYTHON_INSTALL_LAYOUT unset.

Don’t worry about removing /opt/eff.org/certbot – it’s only the code. All the config files are safe under the /etc/letsencrypt directory. Unless you remove that you won’t lose any of your configuration 🙂
    [Amazon Linux] ~ # PYTHON_INSTALL_LAYOUT="" certbot-auto certonly --webroot -w /srv/vhosts/test.aws.nz -d test.aws.nz
    FATAL: Amazon Linux support is very experimental at present...
    if you would like to work on improving it, please ensure you have backups
    and then run this script again with the --debug flag!
    Alternatively, you can install OS dependencies yourself and run this script
    again with --no-bootstrap.
Because we removed /opt/eff.org/certbot, it needs to be installed from scratch, so we also need to add the --debug option that’s required on Amazon Linux. Now it works:
    [Amazon Linux] ~ # PYTHON_INSTALL_LAYOUT="" certbot-auto certonly --webroot -w /srv/vhosts/test.aws.nz -d test.aws.nz
    Bootstrapping dependencies for Amazon... (you can skip this with --no-bootstrap)
    Creating virtual environment...
    Installing Python packages...
    Installation succeeded.
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Installing Python packages...
    Installation succeeded.
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for test.aws.nz
    Using the webroot path /srv/vhosts/test.aws.nz for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/test.aws.nz/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/test.aws.nz/privkey.pem
       Your cert will expire on 2018-01-06. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot-auto
       again. To non-interactively renew *all* of your certificates, run
       "certbot-auto renew"
     - If you like Certbot, please consider supporting our work by:

       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
Great, that worked! Time to donate to Let’s Encrypt and/or EFF.org 🙂
The next step is to update the crontab and add the PYTHON_INSTALL_LAYOUT="" hack to the command line, otherwise it will break again once the certificate renewal is attempted:
42 8 * * wed root PYTHON_INSTALL_LAYOUT="" HOME=/root /usr/local/sbin/certbot-auto renew
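A renewal job that loses the override fails quietly until the certificate expires, so it is worth checking the cron files after any edit. The function below is an added example, not part of the original post or of certbot: it lists cron entries that run certbot-auto without the PYTHON_INSTALL_LAYOUT="" override. It assumes system-crontab format and also accepts a crontab-level PYTHON_INSTALL_LAYOUT="" line, which cronie treats as an environment setting; the sample crontab is constructed.

```shell
#!/bin/sh
# Added example: report cron entries that call certbot-auto without clearing
# PYTHON_INSTALL_LAYOUT. Prints "file: line" per offender; returns 1 if any.
find_unprotected_certbot_jobs() {
    found=0
    for file in "$@"; do
        [ -r "$file" ] || continue
        cleared=no   # yes after a crontab-level PYTHON_INSTALL_LAYOUT="" line
        while IFS= read -r line || [ -n "$line" ]; do
            line=${line#"${line%%[![:space:]]*}"}   # trim leading whitespace
            case $line in
                ''|'#'*) continue ;;                # blank line or comment
                'PYTHON_INSTALL_LAYOUT=""'|"PYTHON_INSTALL_LAYOUT=''"|'PYTHON_INSTALL_LAYOUT=')
                    cleared=yes; continue ;;        # emptied for later jobs
                PYTHON_INSTALL_LAYOUT=*)
                    cleared=no; continue ;;         # set to a non-empty value
                *certbot-auto*) ;;                  # a job to inspect
                *) continue ;;
            esac
            [ "$cleared" = yes ] && continue
            case $line in
                *'PYTHON_INSTALL_LAYOUT="" '*certbot-auto*) ;;
                *"PYTHON_INSTALL_LAYOUT='' "*certbot-auto*) ;;
                *'PYTHON_INSTALL_LAYOUT= '*certbot-auto*) ;;
                *) printf '%s: %s\n' "$file" "$line"; found=1 ;;
            esac
        done < "$file"
    done
    return "$found"
}

# Constructed sample crontab: the second job is missing the override.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# weekly certificate renewal
42 8 * * wed root PYTHON_INSTALL_LAYOUT="" HOME=/root /usr/local/sbin/certbot-auto renew
17 3 * * sun root HOME=/root /usr/local/sbin/certbot-auto renew
EOF
find_unprotected_certbot_jobs "$sample" || echo "entries above need the override"
rm -f "$sample"
```

On a real host, pass it the cron files that actually hold the renewal job, for example /etc/crontab and the files under /etc/cron.d.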
That’s all 🙂
Good to see someone is using the official LE client, and that it’s getting better. I tried Certbot a couple of years ago and it was unusable. I ended up using ACME to provision Let’s Encrypt certificates on Amazon Linux; I have an article on that here (https://www.photographerstechsupport.com/tutorials/hosting-wordpress-on-aws-tutorial-part-5-free-https-https2-for-wordpress-using-lets-encrypt-aws/#acme)