Unable to install Free Lets Encrypt SSL on AWS EC2 - ssl

I'm unable to install a free Let's Encrypt SSL certificate on a new AWS EC2 instance for a domain.
[ec2-user@ip-XXX-XX-XX-XXX ~]$ wget https://dl.eff.org/certbot-auto
[ec2-user@ip-XXX-XX-XX-XXX ~]$ chmod a+x certbot-auto
[ec2-user@ip-XXX-XX-XX-XXX ~]$ sudo ./certbot-auto --debug -v --server https://acme-v02.api.letsencrypt.org/directory certonly -d domainname.com
The error shows like this:
Skipping bootstrap because certbot-auto is deprecated on this system.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.
Here are the server details:
NAME="Amazon Linux AMI"
VERSION="2018.03"
ID="amzn"
ID_LIKE="rhel fedora"
VERSION_ID="2018.03"
PRETTY_NAME="Amazon Linux AMI 2018.03"
ANSI_COLOR="0;33"
CPE_NAME="cpe:/o:amazon:linux:2018.03:ga"
HOME_URL="http://aws.amazon.com/amazon-linux-ami/"
Amazon Linux AMI release 2018.03
cpe:/o:amazon:linux:2018.03:ga
Please help: how do I install and use it?

Related

Difficulties in installing Qlik Catalog related SW

I am installing Qlik Catalog SW on Red Hat Enterprise Linux 7.9 following the instructions of the installation guide.
I have got the first problem in Tomcat Installation. Basically, I am not able to connect to Tomcat with the browser.
Below is a detailed list of commands I have used.
I have tried it using Firefox.
When trying to install Chrome I got other issues.
Any hints?
*** Installing Chrome ***
# sudo yum install glib
# sudo yum list glibc
# sudo wget https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm
# sudo yum -y install redhat-lsb libXScrnSaver
# sudo yum -y localinstall google-chrome-stable_current_x86_64.rpm
>>>>>>>>>>>>>>>>>>>>>>>
Error: Package: google-chrome-stable-95.0.4638.54-1.x86_64 (/google-chrome-stable_current_x86_64)
Requires: libc.so.6(GLIBC_2.18)(64bit)
<<<<<<<<<<<<<<<<<<<<<<<
*** Installing Tomcat ***
Install wget (if not already installed):
# sudo yum install -y wget
Become the service account user:
# sudo su - qdcuser
Download Apache Tomcat and extract the file in /usr/local/qdc:
$ cd /usr/local/qdc
$ wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.38/bin/apache-tomcat-9.0.38.tar.gz
$ tar -xvf apache-tomcat-9.0.38.tar.gz
Overwrite <tomcat home>/conf/server.xml with the version expanded from the Qlik Catalog zip file:
$ cp /tmp/podium/config/tomcat9-server.xml /usr/local/qdc/apache-tomcat-9.0.38/conf/server.xml
Opening ports 8080 and 8443:
# sudo firewall-cmd --zone=public --permanent --add-port=8080/tcp
# sudo firewall-cmd --zone=public --permanent --add-port=8443/tcp
# sudo systemctl restart firewalld.service
Setup Apache Tomcat as a service to automatically start when Linux restarts:
# sudo cp /tmp/podium/config/tomcat.service /etc/systemd/system/
# sudo systemctl daemon-reload
# sudo systemctl enable tomcat.service
Edit the file /etc/systemd/system/tomcat.service to insert the correct user and group names:
# sudo nano /etc/systemd/system/tomcat.service
User=qdcuser
Group=qdcgroup
Start Tomcat manually:
$ cd /usr/local/qdc/apache-tomcat-9.0.38
$ ./bin/startup.sh
Browse to the following URL to verify that Tomcat is running:
https://localhost:8443
>>>>>>>>>>>>>>>>>>>>
Unable to connect
Firefox can’t establish a connection to the server at localhost:8443.
<<<<<<<<<<<<<<<<<<<<<
I too see this issue. Here is what I think the reason might be:
rpm -qf /usr/lib64/libc.so.6
glibc-2.17-325.el7_9.x86_64
glibc is 2.17 on RHEL 7.9. The developers at Google should know this, which means it is a bug.
Or they should provide that library as part of their package and statically link it.
Short answer: for now, until Google figures it out and fixes it, I might either remove the package or skip it.
To skip:
sudo yum -y update --exclude google-chrome-stable*
To remove: sudo yum -y remove google-chrome-stable
An alternative until Google resolves the problem is:
sudo yum update --skip-broken
This installs all updates and ignores Chrome.
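As an added pre-flight check that is not part of the thread, the shell functions below parse yum's "Requires:" line and the rpm -qf output quoted above and compare the two versions before a localinstall; the sample strings are the ones from the answer, and the script assumes GNU sed and awk.

```shell
#!/bin/sh
# Pre-flight check for the failure above: does the installed glibc satisfy the
# GLIBC_x.y symbol version the RPM requires?  Pure text processing, so it runs
# anywhere; on the target host feed it the real "Requires:" line from
# yum -y localinstall and the output of rpm -qf /usr/lib64/libc.so.6.

# glibc_required 'Requires: libc.so.6(GLIBC_2.18)(64bit)'  -> 2.18
glibc_required() {
    printf '%s\n' "$1" | sed -n 's/.*GLIBC_\([0-9][0-9.]*\).*/\1/p'
}

# glibc_installed 'glibc-2.17-325.el7_9.x86_64'  -> 2.17
glibc_installed() {
    printf '%s\n' "$1" | sed -n 's/^glibc-\([0-9][0-9.]*\)-.*/\1/p'
}

# version_ge A B: exit 0 when A >= B, comparing dot-separated numeric parts
# (2.17 < 2.18, and 2.9 < 2.17, unlike a plain string comparison)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# glibc_satisfied REQUIRES_LINE RPM_QF_OUTPUT: exit 0 if the package can be
# installed, 1 if glibc is too old, 2 if either input could not be parsed
glibc_satisfied() {
    req=$(glibc_required "$1"); have=$(glibc_installed "$2")
    [ -n "$req" ] && [ -n "$have" ] || return 2
    version_ge "$have" "$req"
}

# Constructed from the two lines quoted in the thread above.
REQUIRES_LINE='Requires: libc.so.6(GLIBC_2.18)(64bit)'
INSTALLED_GLIBC='glibc-2.17-325.el7_9.x86_64'

if glibc_satisfied "$REQUIRES_LINE" "$INSTALLED_GLIBC"; then
    echo "ok: glibc $(glibc_installed "$INSTALLED_GLIBC") satisfies GLIBC_$(glibc_required "$REQUIRES_LINE")"
else
    echo "exclude or skip the package: glibc $(glibc_installed "$INSTALLED_GLIBC") is older than GLIBC_$(glibc_required "$REQUIRES_LINE")"
fi
```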

SSL in production server using docker-compose and a dockerised apache2

I have a docker-compose production environment that comprises 4 different services running in an AWS EC2 instance. Everything is running fine, and one of the services is exposed to the world via mapping the internal private IP address to the EC2 instance's public IP address. The exposed service is a Laravel/Vue.js app running in an Apache2 server using the image
FROM php:7.2-apache
and some custom commands below. My employer has now bought a domain (not from Amazon Route 53 but from a different provider) and I want to get an SSL certificate for said domain and use it in my Apache server. I have never put an SSL certificate in place before, but I kind of understand the theory. My first step was to redirect the domain name from the provider to the public IP address. Now the app is accessible from the domain name via HTTP instead of by visiting an IP address.
I'm not sure what the next step should be. Can I get any SSL certificate, e.g. from Let's Encrypt or DigiCert, and place it in my Apache server? Would the SSL work only if issued by the domain provider? In my service, would I only have to change the configuration to allow traffic through SSL and I'm done? My Apache server doesn't do any DNS; it simply exposes a webroot on port 80 and my docker-compose file forwards that IP address so that it becomes accessible to the world. Do I need to change Apache DNS settings and include the domain name?
This is my relevant docker-compose file part:
app:
  ports:
    - "172.31.31.159:80:80"
  build:
    context: .
    dockerfile: app/Dockerfile
  stdin_open: true
  environment:
    APACHE_DOCUMENT_ROOT: /var/www/html/public
  depends_on:
    - api
    - app-db
And here is the dockerfile:
FROM php:7.2-apache
COPY /app /var/www/html
WORKDIR /var/www/html
ENV APACHE_DOCUMENT_ROOT=/var/www/html/public
RUN sed -ri -e 's!/var/www/html!${APACHE_DOCUMENT_ROOT}!g' /etc/apache2/sites-available/*.conf
RUN sed -ri -e 's!/var/www/!${APACHE_DOCUMENT_ROOT}!g' /etc/apache2/apache2.conf /etc/apache2/conf-available/*.conf
# update apt-get
RUN apt-get update
# install the required components
RUN apt-get install -y libmcrypt-dev g++ libicu-dev libmcrypt4 zlib1g-dev git libpq-dev libmagickwand-dev
RUN apt-get install zip unzip
# install the PHP extensions we need
RUN docker-php-ext-install pdo pdo_mysql
#RUN apt-get install php-zip
# delete the lists for apt-get as they take up space we do not need.
RUN rm -rf /var/lib/apt/lists/*
# install composer globally so that you can call composer directly
RUN curl -sSL https://getcomposer.org/installer | php
RUN mv composer.phar /usr/local/bin/composer
RUN composer install --optimize-autoloader --no-dev
# enable apache rewrite
RUN a2enmod rewrite
RUN service apache2 restart
RUN apt-get update && \
apt-get install -y --no-install-recommends gnupg && \
curl -sL https://deb.nodesource.com/setup_10.x | bash - && \
apt-get update && \
apt-get install -y nodejs && \
npm install -g npm
RUN npm install
RUN npm audit fix
RUN npm run production
# set www permissions
RUN chown -R www-data:1001 .
RUN usermod -u 1001 www-data
RUN php artisan config:cache
Feel free to call out any problems with the dockerfile or docker-compose files as this is my first time using them for production.

Installing Apache OpenWhisk using docker-compose on Amazon Linux instance gets stuck at "waiting for the Whisk invoker to come up..."

I am trying to install openwhisk for dev mode using docker compose on Amazon Linux EC2 Instance. I am following this link for doing so https://github.com/apache/incubator-openwhisk -> Get Started.
Although it has worked for me once before, in this installation I am facing an issue. These are the steps I followed:
sudo yum update -y
sudo yum install -y docker
sudo service docker start
sudo chkconfig docker on
sudo yum install -y python-pip
sudo pip install docker-compose
This step is needed because OpenWhisk uses sudo for docker-compose, and based on the previous steps, sudo docker-compose -v gives "command not found".
sudo cp /usr/local/bin/docker-compose /bin
sudo yum install -y git
cd ~
git clone https://github.com/apache/incubator-openwhisk-devtools.git
cd incubator-openwhisk-devtools/docker-compose
sudo make quick-start
Update: The problem is that the make command gets stuck at the stage where it is waiting for invokers.
I have not made any changes to any source code, nor did I do any other steps before this on the instance. It was a freshly created instance.
Am I missing something in OpenWhisk or EC2 or the combination of both? Any help would be great.
Update: I tried the docker-compose method for installing open whisk on Amazon Linux 1, Amazon Linux 2, Ubuntu 16.04 as well as Ubuntu 14.04. On all platforms, it got stuck at sudo make quick-start where it is waiting for invokers.
Update: Instead of using python-pip for the docker-compose installation, I used the command from the Docker website as well.
sudo curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
If the docker-compose command is not found, it means you didn't install docker-compose correctly.
I don't think you can install docker-compose as a Python library using pip.
See the instructions here: https://docs.docker.com/compose/install/#install-compose
Something like
sudo curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
Or take a look at https://medium.com/@khandelwal12nidhi/docker-setup-on-aws-ec2-instance-c670ff3d5f1b

Cannot start apache automatically with docker

I made a simple custom docker setup for php development. So far everything works as expected. The only thing that I cannot figure out is why apache2 does not start automatically.
Here is my dockerfile:
FROM ubuntu:latest
RUN apt-get update && apt-get install -y apache2 php libapache2-mod-php php-mcrypt php-mysql php-cli php-curl php-xml php-intl php-mbstring git vim composer curl
COPY . /var/www/example
COPY vhost.conf /etc/apache2/sites-available/example.conf
RUN a2ensite example
RUN chown -R www-data:www-data /var/www/example/logs
RUN service apache2 restart
And here is my docker-compose.yml:
version: '2'
services:
  app:
    build:
      context: .
      dockerfile: Dockerfile
    image: myexampleapp
    ports:
      - "8080:80"
    tty: true
And here is the output docker-compose up command:
me@mydell:~/workspace/mydockercompose$ docker-compose up -d --build
Creating network "mydockercompose_default" with the default driver
Building app
Step 1/7 : FROM ubuntu:latest
---> f975c5035748
Step 2/7 : RUN apt-get update && apt-get install -y apache2 php libapache2-mod-php php-mcrypt php-mysql php-cli php-curl php-xml php-intl php-mbstring git vim composer curl
---> Using cache
---> 148c3a9d928a
Step 3/7 : COPY . /var/www/example
---> 1fbc1dbacf1e
Step 4/7 : COPY vhost.conf /etc/apache2/sites-available/example.conf
---> 9c08947b09e9
Step 5/7 : RUN a2ensite example
---> Running in 1ef64defe747
Enabling site example.
To activate the new configuration, you need to run:
service apache2 reload
Removing intermediate container 1ef64defe747
---> ca1c8e7e80fc
Step 6/7 : RUN chown -R www-data:www-data /var/www/example/logs
---> Running in 57b0214be7a0
Removing intermediate container 57b0214be7a0
---> b3b270a36bf4
Step 7/7 : RUN service apache2 restart
---> Running in 09d2b1d3bd91
* Restarting Apache httpd web server apache2
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
...done.
Removing intermediate container 09d2b1d3bd91
---> 19fa9a90f9de
Successfully built 19fa9a90f9de
Successfully tagged myexampleapp:latest
Creating mydockercompose_app_1
It shows clearly that Apache was restarted successfully. However, it actually is not running:
me@mydell:~/workspace/mydockercompose$ docker exec -i -t 20add8ad9895 service apache2 status
* apache2 is not running
I am new to docker, so all suggestions (even if they are not answering this specific question) to improve what I am doing so far are welcome.
Thanks
Docker services have to be running in the foreground. In your Dockerfile, RUN service apache2 restart will start Apache as a background process. Hence the container will exit.
To run apache in the foreground, add the following to the Dockerfile.
CMD ["/usr/sbin/apachectl", "-D", "FOREGROUND"]
FROM ubuntu:latest
RUN apt-get update && apt-get install -y apache2 php libapache2-mod-php php-mcrypt php-mysql php-cli php-curl php-xml php-intl php-mbstring git vim composer curl
COPY . /var/www/example
COPY vhost.conf /etc/apache2/sites-available/example.conf
RUN a2ensite example
RUN chown -R www-data:www-data /var/www/example/logs
CMD ["/usr/sbin/apachectl", "-D", "FOREGROUND"]
The answer above, which mentions that you can start it with the following, is probably correct:
CMD apachectl -D FOREGROUND
With Docker it is sometimes a good idea to use the absolute path to a binary. So, for example, maybe do this instead:
/usr/sbin/apache2 -D FOREGROUND
I had a look a bit on google to see what other people are doing. I found this example of a dockerfile where the guy mentions a script start.sh:
From here: https://github.com/jacksoncage/apache-docker/blob/master/Dockerfile
EXPOSE 80
ADD start.sh /start.sh
RUN chmod 0755 /start.sh
CMD ["bash", "start.sh"]
Here is the start.sh script: https://github.com/jacksoncage/apache-docker/blob/master/start.sh
Which simply just does:
#!/bin/bash
# Start apache
/usr/sbin/apache2 -D FOREGROUND
Unrelated tip:
In your Dockerfile you need to pin the Ubuntu version.
See: https://nickjanetakis.com/blog/docker-tip-18-please-pin-your-docker-image-versions
Let me know if this helps.
If it helps you or anybody, I was preparing a working example with a complete docker-composer:
https://github.com/marekz/docker-composer-example
FROM ubuntu:18.04
EXPOSE 80
ENV TZ=Europe/Warsaw
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
RUN apt-get update
RUN apt-get upgrade -y
RUN apt-get install -y libapache2-mod-php7.2 php7.2 php7.2-cli php7.2-gd php7.2-intl php7.2-mbstring php7.2-mysql php7.2-xml php7.2-xsl php7.2-bcmath php7.2-zip php-apcu npm lynx
RUN apt-get install -y mysql-client composer screen tmux vim nano iputils-ping
ENTRYPOINT service apache2 restart && bash
By analyzing the statements, I found a solution to my error
File: Dockerfile
FROM debian
RUN apt-get update -qq >/dev/null && apt-get install -y -qq procps telnet apache2 php7.3 -qq >/dev/null
RUN useradd --user-group --create-home --shell /bin/false app
RUN mkdir /data && chown -R app /data && chmod 777 /data
COPY php.conf /etc/apache2/mods-available/php7.3.conf
RUN a2enmod userdir && a2enmod php7.3
Error:
To activate the new configuration, you need to run:
service apache2 reload
Solutions:
FROM debian -> FROM debian:10
The reason was some conflict between the Debian system and the PHP version. The latest version of Debian has a newer version of PHP (PHP 7.4 at that time).
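The three points made in the answers above (a service start/restart in the Dockerfile backgrounds the daemon, the container needs a foreground CMD/ENTRYPOINT, and the base image should be pinned) can be checked mechanically; the linter below is an added example, not code from the thread, and the sample Dockerfile it inspects is a constructed one modelled on the question, assuming apache2 is the service.

```shell
#!/bin/sh
# Lint a Dockerfile for the mistakes discussed in this thread:
#  - a daemon started with "service <name> start|restart": it forks into the
#    background, so the container has no foreground process and exits
#  - no CMD/ENTRYPOINT keeping apache in the foreground
#  - a base image that is not pinned (FROM ubuntu:latest, FROM debian)
# Prints one finding per line; exit 0 when clean, 1 when anything was found.
# Caveat: a CMD that runs a wrapper script (CMD ["bash", "start.sh"]) is flagged
# because the foreground call lives in the script, not in the Dockerfile.

lint_dockerfile() {
    rc=0
    # Join backslash-continued lines so a multi-line RUN is inspected as one.
    joined=$(sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1")
    if printf '%s\n' "$joined" | grep -Eiq \
        '^(RUN|CMD|ENTRYPOINT)[[:space:]]+(.*[[:space:]])?service[[:space:]]+[^[:space:]]+[[:space:]]+(start|restart)([[:space:]]|$)'; then
        echo "service start/restart backgrounds the daemon; start it in the foreground from CMD instead"
        rc=1
    fi
    if ! printf '%s\n' "$joined" | grep -Eiq \
        '^(CMD|ENTRYPOINT)[[:space:]].*(-D[[:space:]]+FOREGROUND|"-D",[[:space:]]*"FOREGROUND")'; then
        echo "no CMD/ENTRYPOINT runs apache in the foreground (e.g. apachectl -D FOREGROUND)"
        rc=1
    fi
    if printf '%s\n' "$joined" | grep -Eiq \
        '^FROM[[:space:]]+([^[:space:]]+:latest|[^:@[:space:]]+)([[:space:]]|$)'; then
        echo "base image is not pinned to a tag or digest (FROM x:latest / FROM x)"
        rc=1
    fi
    return $rc
}

# Constructed Dockerfile modelled on the one in the question (not the poster's).
write_sample_dockerfile() {
    cat > "$1" <<'EOF'
FROM ubuntu:latest
RUN apt-get update && apt-get install -y apache2 php libapache2-mod-php
COPY . /var/www/example
COPY vhost.conf /etc/apache2/sites-available/example.conf
RUN a2ensite example
RUN service apache2 restart
EOF
}

# Demo: the sample produces all three findings.  Replacing the last RUN with
#   CMD ["/usr/sbin/apachectl", "-D", "FOREGROUND"]
# and pinning FROM to e.g. ubuntu:18.04 makes the same file pass.
tmp=$(mktemp)
write_sample_dockerfile "$tmp"
lint_dockerfile "$tmp" || echo "sample Dockerfile needs fixing (exit status $?)"
rm -f "$tmp"
```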

Certbot not found

I installed letsencrypt on my Ubuntu 16.04 machine with the following command.
sudo apt-get install letsencrypt
Now I want to define a cronjob to automatically renew my certs with the following line.
certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"
But I always get the error that the command certbot could not be found.
If I use letsencrypt instead of certbot, everything works fine as long as I don't use the --pre-hook and --post-hook.
How do I install certbot, or is there an alternative command for letsencrypt to define such hooks?
Thanks
For me the following commands are working fine.
Install snap
sudo apt update
sudo apt install snapd
Install Core
sudo snap install core
Install Certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Renew Certbot
sudo certbot renew --dry-run
Follow the official instructions and install certbot with
sudo apt install certbot python3-certbot-nginx
or, in newer Ubuntus that have snap, with
sudo snap install --classic certbot
It will be available in $PATH after that.
OK, I found the solution:
git clone git@github.com:certbot/certbot.git
cd certbot
./certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start"
This worked for me. I have to specify the full path when running certbot with elevated privileges:
sudo /snap/bin/certbot renew --dry-run
TL;DR
Although I have /snap/bin in my $PATH
echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/games:/snap/bin
But without providing the full path it does not work with sudo. It throws the following error:
certbot renew --dry-run
The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt/.certbot.lock'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
and it also works if I (while having /snap/bin in root's $PATH as well) switch to power user
sudo -i
and then run any certbot command
Kindly note I'm on Debian 10 and using snapd as the package manager according to the tutorial https://certbot.eff.org/lets-encrypt/snap-nginx.
As explained here https://unix.stackexchange.com/questions/245772/why-running-command-as-sudo-returns-command-not-found, this is kind of expected and approved-of behaviour:
sudo tries to be safe when executing external commands. The usual
workaround is to specify the complete pathname of the program. It's
also more secure; if you don't specify the path, it's conceivable that
an attacker could create another program that will be run with root
permissions.
Reading further, I can see that my PATHs are different:
env | grep ^PATH
sudo env | grep ^PATH
There are several solutions (use a custom sudo or change sudo's $PATH) provided in the thread "Command not found when using sudo" so one does not have to specify the full path.
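An added walkthrough (not from the thread) of the PATH difference the answer above describes: it resolves a command under a user-style PATH and under a sudoers secure_path the same way the shell does, on a constructed directory tree with a constructed sudoers fragment and a certbot stub.

```shell
#!/bin/sh
# Why "certbot" works but "sudo certbot" does not: sudo drops the caller's PATH
# and uses the secure_path from sudoers, which on Debian/Ubuntu has no /snap/bin
# entry.  resolve_in_path mimics the shell's lookup; secure_path_of pulls the
# value out of sudoers text (sudo env | grep ^PATH shows the live value).

# resolve_in_path NAME PATHSTRING -> prints the first executable hit, exit 1 if none
resolve_in_path() {
    name=$1; oldifs=$IFS; IFS=:
    for d in $2; do
        if [ -f "$d/$name" ] && [ -x "$d/$name" ]; then
            IFS=$oldifs; printf '%s\n' "$d/$name"; return 0
        fi
    done
    IFS=$oldifs; return 1
}

# secure_path_of SUDOERS_TEXT -> prints the secure_path value, empty if unset
secure_path_of() {
    printf '%s\n' "$1" |
      sed -n 's/^[[:space:]]*Defaults[[:space:]][[:space:]]*secure_path[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' |
      head -n 1
}

# Constructed sudoers fragment mirroring the Debian default.
SUDOERS_SAMPLE='Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'

# Build a throwaway tree with certbot only under <root>/snap/bin, where the snap
# leaves it, and resolve it under both PATHs.  Exit 0 when the outcomes match
# the thread: found by the user, not found via secure_path, found again after
# the symlink the first answer suggests (ln -s /snap/bin/certbot /usr/bin/certbot).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/snap/bin" "$root/usr/bin" "$root/bin"
    printf '#!/bin/sh\necho certbot stub\n' > "$root/snap/bin/certbot"
    chmod 0755 "$root/snap/bin/certbot"
    user_path="$root/usr/bin:$root/bin:$root/snap/bin"
    # the sample secure_path, re-rooted into the throwaway tree
    sudo_path=$(secure_path_of "$SUDOERS_SAMPLE" | sed "s#^/#$root/#; s#:/#:$root/#g")
    user_hit=$(resolve_in_path certbot "$user_path") || return 1
    if resolve_in_path certbot "$sudo_path"; then return 1; fi
    ln -s "$root/snap/bin/certbot" "$root/usr/bin/certbot"
    sudo_hit=$(resolve_in_path certbot "$sudo_path") || return 1
    echo "user PATH      -> $user_hit"
    echo "secure_path    -> not found; after the symlink -> $sudo_hit"
    rm -rf "$root"
}

demo
```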
Try removing it using snap:
sudo snap remove certbot
and then install it again with
sudo snap install --classic certbot
You can try Let's Certbot.
Let's Certbot is a tool that builds automated scripts based on Certbot for obtaining, renewing and deploying SSL certificates.
It supports Docker and non-Docker environments.
GitHub: https://github.com/jinhucheung/letscertbot
Try this:
sudo ~/.certbot/bin/certbot certonly --webroot