I'm trying to set up a free LetsEncrypt SSL certificate for a web server (Apache) running on an AWS EC2 instance running Amazon Linux (2017.09) using the certbot software. I can't seem to get it from the repos so I've grabbed it from https://dl.eff.org/certbot-auto.

I'm running the following command:

```
sudo ./certbot-auto --debug certonly
```

and I'm getting the following output and error:

```
Bootstrapping dependencies for Amazon... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
yum is hashed (/usr/bin/yum)
Loaded plugins: priorities, update-motd, upgrade-helper
1005 packages excluded due to repository priority protections
Package matching gcc-4.8.3-3.20.amzn1.noarch already installed. Checking for update.
Package matching 1:openssl-1.0.1k-15.99.amzn1.x86_64 already installed. Checking for update.
Package ca-certificates-2015.2.6-65.0.1.16.amzn1.noarch already installed and latest version
Package python27-devel-2.7.12-2.120.amzn1.x86_64 already installed and latest version
Package matching python27-virtualenv-12.0.7-1.13.amzn1.noarch already installed. Checking for update.
Package matching python27-pip-6.1.1-1.23.amzn1.noarch already installed. Checking for update.
Package 1:mod_ssl-2.2.34-1.15.amzn1.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package augeas-libs.x86_64 0:1.0.0-5.7.amzn1 will be installed
---> Package libffi-devel.x86_64 0:3.0.13-16.5.amzn1 will be installed
---> Package openssl-devel.x86_64 1:1.0.1k-15.99.amzn1 will be installed
--> Processing Dependency: openssl(x86-64) = 1:1.0.1k-15.99.amzn1 for package: 1:openssl-devel-1.0.1k-15.99.amzn1.x86_64
--> Processing Dependency: krb5-devel(x86-64) for package: 1:openssl-devel-1.0.1k-15.99.amzn1.x86_64
---> Package python27-tools.x86_64 0:2.7.12-2.120.amzn1 will be installed
---> Package system-rpm-config.noarch 0:9.0.3-42.28.amzn1 will be installed
--> Running transaction check
---> Package krb5-devel.x86_64 0:1.14.1-27.41.amzn1 will be installed
--> Processing Dependency: krb5-libs(x86-64) = 1.14.1-27.41.amzn1 for package: krb5-devel-1.14.1-27.41.amzn1.x86_64
--> Processing Dependency: libkadm5(x86-64) = 1.14.1-27.41.amzn1 for package: krb5-devel-1.14.1-27.41.amzn1.x86_64
--> Processing Dependency: libverto-devel for package: krb5-devel-1.14.1-27.41.amzn1.x86_64
--> Processing Dependency: libcom_err-devel for package: krb5-devel-1.14.1-27.41.amzn1.x86_64
--> Processing Dependency: keyutils-libs-devel for package: krb5-devel-1.14.1-27.41.amzn1.x86_64
--> Processing Dependency: libselinux-devel for package: krb5-devel-1.14.1-27.41.amzn1.x86_64
---> Package openssl-devel.x86_64 1:1.0.1k-15.99.amzn1 will be installed
--> Processing Dependency: openssl(x86-64) = 1:1.0.1k-15.99.amzn1 for package: 1:openssl-devel-1.0.1k-15.99.amzn1.x86_64
--> Running transaction check
---> Package keyutils-libs-devel.x86_64 0:1.5.8-3.12.amzn1 will be installed
---> Package krb5-devel.x86_64 0:1.14.1-27.41.amzn1 will be installed
--> Processing Dependency: krb5-libs(x86-64) = 1.14.1-27.41.amzn1 for package: krb5-devel-1.14.1-27.41.amzn1.x86_64
---> Package libcom_err-devel.x86_64 0:1.42.12-4.40.amzn1 will be installed
---> Package libkadm5.x86_64 0:1.14.1-27.41.amzn1 will be installed
--> Processing Dependency: krb5-libs(x86-64) = 1.14.1-27.41.amzn1 for package: libkadm5-1.14.1-27.41.amzn1.x86_64
---> Package libselinux-devel.x86_64 0:2.1.10-3.22.amzn1 will be installed
--> Processing Dependency: libsepol-devel >= 2.1.5-1 for package: libselinux-devel-2.1.10-3.22.amzn1.x86_64
--> Processing Dependency: pkgconfig(libsepol) for package: libselinux-devel-2.1.10-3.22.amzn1.x86_64
---> Package libverto-devel.x86_64 0:0.2.5-4.9.amzn1 will be installed
---> Package openssl-devel.x86_64 1:1.0.1k-15.99.amzn1 will be installed
--> Processing Dependency: openssl(x86-64) = 1:1.0.1k-15.99.amzn1 for package: 1:openssl-devel-1.0.1k-15.99.amzn1.x86_64
--> Running transaction check
---> Package krb5-devel.x86_64 0:1.14.1-27.41.amzn1 will be installed
--> Processing Dependency: krb5-libs(x86-64) = 1.14.1-27.41.amzn1 for package: krb5-devel-1.14.1-27.41.amzn1.x86_64
---> Package libkadm5.x86_64 0:1.14.1-27.41.amzn1 will be installed
--> Processing Dependency: krb5-libs(x86-64) = 1.14.1-27.41.amzn1 for package: libkadm5-1.14.1-27.41.amzn1.x86_64
---> Package libsepol-devel.x86_64 0:2.1.7-3.12.amzn1 will be installed
---> Package openssl-devel.x86_64 1:1.0.1k-15.99.amzn1 will be installed
--> Processing Dependency: openssl(x86-64) = 1:1.0.1k-15.99.amzn1 for package: 1:openssl-devel-1.0.1k-15.99.amzn1.x86_64
--> Finished Dependency Resolution
Error: Package: libkadm5-1.14.1-27.41.amzn1.x86_64 (amzn-main)
           Requires: krb5-libs(x86-64) = 1.14.1-27.41.amzn1
           Installed: krb5-libs-1.15.1-8.43.amzn1.x86_64 (@amzn-updates/latest)
               krb5-libs(x86-64) = 1.15.1-8.43.amzn1
           Available: krb5-libs-1.14.1-27.41.amzn1.x86_64 (amzn-main)
               krb5-libs(x86-64) = 1.14.1-27.41.amzn1
Error: Package: krb5-devel-1.14.1-27.41.amzn1.x86_64 (amzn-main)
           Requires: krb5-libs(x86-64) = 1.14.1-27.41.amzn1
           Installed: krb5-libs-1.15.1-8.43.amzn1.x86_64 (@amzn-updates/latest)
               krb5-libs(x86-64) = 1.15.1-8.43.amzn1
           Available: krb5-libs-1.14.1-27.41.amzn1.x86_64 (amzn-main)
               krb5-libs(x86-64) = 1.14.1-27.41.amzn1
Error: Package: 1:openssl-devel-1.0.1k-15.99.amzn1.x86_64 (amzn-main)
           Requires: openssl(x86-64) = 1:1.0.1k-15.99.amzn1
           Installed: 1:openssl-1.0.2k-7.103.amzn1.x86_64 (@amzn-main/latest)
               openssl(x86-64) = 1:1.0.2k-7.103.amzn1
           Available: 1:openssl-1.0.1k-15.99.amzn1.x86_64 (amzn-main)
               openssl(x86-64) = 1:1.0.1k-15.99.amzn1
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
Could not install OS dependencies. Aborting bootstrap!
```

I know it's said that Amazon Linux is not properly supported in the way that other distros are for certbot, but maybe someone can help me figure out a workaround?

RTF
  • If Amazon Linux isn't supported, use one of the [dozens of other options](https://letsencrypt.org/docs/client-options/). acme.sh is likely to be the easiest. – ceejayoz Feb 14 '18 at 19:10
  • @ceejayoz Any experience with acme.sh yourself? The docs on github look thorough, but I was just wondering if everything is above board... – RTF Feb 14 '18 at 19:22
  • Yes, I've used acme.sh (and know others who have) on older Linux boxes that don't like the official client. It's the alternative client I've seen most recommended and has about 5k stars on Github. – ceejayoz Feb 14 '18 at 19:24
  • Sounds good, and supports Route 53, which is DNS I'm using. Sort of puts this question in limbo tho – RTF Feb 14 '18 at 19:34
  • I've converted my comment to an answer. – ceejayoz Feb 14 '18 at 19:42
  • Run `yum distro-sync` to fix your package brokenness first. And for the love of Gawd stop using Amazon Linux. – Michael Hampton Feb 14 '18 at 20:09

1 Answer

If you're on an unsupported operating system, your best bet is going to be using one of the third-party clients for Let's Encrypt.

My personal preference is acme.sh.

ceejayoz