
I have an EC2 VM running Amazon Linux release 2 (Karoo). How can I get certbot?

It comes with the awscli tools installed, which seem to be incompatible with the certbot in epel:

$ sudo bash
# yum install -y epel-release
# yum-config-manager --enable epel
# yum install certbot certbot-dns-route53
# certbot certonly --dns-route53 --dns-route53-propagation-seconds 30 -d mysite.com
An unexpected error occurred:
ContextualVersionConflict: (botocore 1.13.36 (/usr/lib/python2.7/site-packages), Requirement.parse('botocore<1.6.0,>=1.5.0'), set(['boto3']))
Please see the logfile '/tmp/tmpVO1RPd/log' for more details.

This is briefly discussed here: https://community.letsencrypt.org/t/contextualversionconflict-botocore-1-12-92/94922 and here: https://unix.stackexchange.com/questions/415874/certbot-and-awscli-require-different-versions-of-botocore/456362#456362 but those fixes didn't work for me (and I want to have awscli at the same time).

So I tried to install it in a Python venv, so I could have certbot as well as awscli, but I got this:

$ sudo bash
# yum install pip
# pip install virtualenv
# virtualenv env
# source env/bin/activate
# pip install certbot certbot-dns-route53
# certbot certonly --dns-route53 --dns-route53-propagation-seconds 30 -d mysite.com
Traceback (most recent call last):
  File "/home/ec2-user/certbot-venv/env/bin/certbot", line 5, in <module>
    from certbot.main import main
  File "/home/ec2-user/certbot-venv/env/lib/python2.7/site-packages/certbot/main.py", line 2, in <module>
    from certbot._internal import main as internal_main
  File "/home/ec2-user/certbot-venv/env/lib/python2.7/site-packages/certbot/_internal/main.py", line 21, in <module>
    from certbot._internal import cert_manager
  File "/home/ec2-user/certbot-venv/env/lib/python2.7/site-packages/certbot/_internal/cert_manager.py", line 16, in <module>
    from certbot._internal import storage
  File "/home/ec2-user/certbot-venv/env/lib/python2.7/site-packages/certbot/_internal/storage.py", line 79, in <module>
    def add_time_interval(base_time, interval, textparser=parsedatetime.Calendar()):
  File "/home/ec2-user/certbot-venv/env/lib/python2.7/site-packages/parsedatetime/__init__.py", line 270, in __init__
    self.ptc = Constants()
  File "/home/ec2-user/certbot-venv/env/lib/python2.7/site-packages/parsedatetime/__init__.py", line 2381, in __init__
    self.locale = get_icu(self.localeID)
  File "/home/ec2-user/certbot-venv/env/lib/python2.7/site-packages/parsedatetime/pdt_locales/icu.py", line 56, in get_icu
    result['icu'] = icu = pyicu.Locale(locale)
AttributeError: 'module' object has no attribute 'Locale'

Does anyone know how to fix this? I have tried installing a few different things related to Locale, but no luck yet.

Rich
  • Beware: EPEL is not compatible with Amazon Linux. If any particular package in EPEL happens to work, it is only coincidental, and cannot be relied upon. This is just one of several reasons I recommend staying away from Amazon Linux (the other major ones being its general lack of stability or quality). – Michael Hampton Jun 12 '20 at 17:10
  • Thanks, I switched to CentOS instead of Amazon Linux and it works better so far – Rich Jun 13 '20 at 08:26
  • @MichaelHampton, in this case, I think this is a bug in certbot / parsedatetime rather than a problem with Amazon Linux – Rich Jun 15 '20 at 15:41

2 Answers

Python 3

This works for me:

yum groupinstall -y "Development Tools"
yum install -y python3-devel libicu-devel
python3 -m venv /opt/certbot-venv
cd /opt/certbot-venv
source bin/activate
pip install --upgrade certbot certbot-dns-route53 pyicu-binary

Then to run it:

source /opt/certbot-venv/bin/activate
certbot renew ...

Python 2

Warning: this will get you an old version of certbot.

This is possibly a bug in a dependent lib, "parsedatetime". I have a patch at https://github.com/bear/parsedatetime/issues/251 which fixes this for me.

The following now works for me:

yum install -y python-pip
pip install --upgrade pip
pip install virtualenv pipenv
mkdir /opt/certbot-venv && cd /opt/certbot-venv
virtualenv .
source bin/activate
pip install --upgrade certbot certbot-dns-route53 pyicu-binary

cat >parsedatetime-patch <<'END'
index e09f517..c6f277d 100644
--- a/parsedatetime/pdt_locales/icu.py
+++ b/parsedatetime/pdt_locales/icu.py
@@ -12,13 +12,7 @@ try:
 except NameError:
     pass

-try:
-    import icu as pyicu
-except ImportError:
-    try:
-        import PyICU as pyicu
-    except ImportError:
-        pyicu = None
+import PyICU as pyicu


 def icu_object(mapping):
END
( cd lib/python2.7/site-packages ; git apply ../../../parsedatetime-patch )
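
Review bot: The added `import PyICU as pyicu` is unconditional, so the `except ImportError: pyicu = None` fallback that the removed lines provided is gone and the module will raise ImportError on any install where PyICU is absent. Keep the try/except and only swap the order, trying `import PyICU as pyicu` first and `import icu as pyicu` second, with `pyicu = None` as the last resort. Since the patch is applied by hand under lib/python2.7/site-packages, a later `pip install --upgrade` that reinstalls parsedatetime will replace the patched file, so pin the parsedatetime version in the venv or re-apply the patch after upgrades.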

(I wonder if downgrading parsedatetime to an older version using pip might be a more reliable approach than patching its sources, but this works for me.)

Rich
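
The Python 3 steps in the answer above source bin/activate before each run; from cron or a systemd timer, certbot can instead be called by its path inside the venv. The script below is an added example, not part of the answer: before running renew it checks that the venv's certbot script starts under the venv's own interpreter, so the system-wide botocore from the question is never imported. The `CERTBOT_VENV` variable, the function names and the install path in the comment are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the answer). Default path is the venv created above.
VENV="${CERTBOT_VENV:-/opt/certbot-venv}"   # CERTBOT_VENV: hypothetical override

# Print the path of the venv's certbot if it is safe to call directly.
# pip writes the venv's python path into the first line of the script.
# Returns 1 if certbot is missing, 2 if that first line names an
# interpreter outside the venv (system site-packages would then be used).
venv_certbot() {
    venv=$1
    bin="$venv/bin/certbot"
    [ -x "$bin" ] || { echo "no executable certbot in $venv" >&2; return 1; }
    IFS= read -r shebang < "$bin" || true
    case "$shebang" in
        "#!$venv/bin/"*) printf '%s\n' "$bin" ;;
        *) echo "$bin does not start with #!$venv/bin/ (found: $shebang)" >&2
           return 2 ;;
    esac
}

# Run "certbot renew" from the venv; extra arguments are passed through.
renew_from_venv() {
    bin=$(venv_certbot "$VENV") || return $?
    "$bin" renew "$@"
}

# Only act when called with "renew", e.g. from cron (hypothetical path):
#   /usr/local/sbin/certbot-venv-renew renew --quiet
if [ "${1:-}" = "renew" ]; then
    shift
    renew_from_venv "$@"
fi
```

A venv that has been moved or copied keeps the old interpreter path in bin/certbot, which is the case the second return code catches.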

I switched to CentOS 7 (https://aws.amazon.com/marketplace/pp/B00O7WM7QW), at the suggestion of @Michael Hampton, and it nearly works out of the box.

The following nearly works:

$ sudo bash
# yum install -y awscli certbot certbot-dns-route53

# certbot certonly --dns-route53 --dns-route53-propagation-seconds 30 -d myapp.com
An unexpected error occurred:
DistributionNotFound: futures>=2.2.0,<4.0.0

# yum install python2-pip
# pip install futures

# certbot certonly --dns-route53 --dns-route53-propagation-seconds 30 -d myapp.com
... now works

# aws sts get-caller-identity
... also works

... actually, the version of awscli in yum is quite old and missing a few AWS commands. I have reinstalled it via pip and it is a newer version.

But then I get https://github.com/certbot/certbot/issues/6328

AttributeError: 'module' object has no attribute 'pyopenssl'
Rich