On AWS EC2 instances, we sometimes run into an issue or two, particularly when dealing with Let’s Encrypt certificates.
To be frank, auto-renew has been very difficult, but it seems like the issue has gradually become clear: we need to install and update PIP, and then AWS Linux puts it in the “wrong” place, or at least certbot looks in the wrong place for it.
The TL;DR on this issue is: AWS fails to update your Let’s Encrypt certificates… so whattaya gonna do, huh?
The instructions below should get you working.
The Problem
You installed Let’s Encrypt on an AWS EC2 instance. It was working just fine, until you ran:
cd /opt/letsencrypt
./certbot-auto renew
This does not work, though, and instead returns an output which ends with:
from zope.interface import Interface
ImportError: No module named interface
Steps to Resolve This
As previously explained here, this could be resolved by re-installing and updating PIP (which should still be done) but even then, this would sometimes fail.
So the first steps are to make sure PIP is installed, working and up to date, and virtualenv too, like so:
First up, update the system.
sudo -i
yum update -y
Then we update PIP and virtualenv.
sudo -i
pip install --upgrade pip
pip install virtualenv --upgrade
Then you could give this a spin:
cd /opt/letsencrypt
./certbot-auto renew
This often still results in the error above.
Trying
./certbot-auto --debug renew
at this stage may be helpful, as this can get things updated and also show you other errors. That said, if it fails, the chances are you need to tell Let’s Encrypt where your 64-bit install really is. To do this:
\cp -r /opt/eff.org/certbot/venv/lib64/* /opt/eff.org/certbot/venv/lib/
Then try this again:
cd /opt/letsencrypt
./certbot-auto renew
SUCCESS!! Or at least, this has always worked to update Let’s Encrypt for me, to the extent where I’ve pushed some of this into my cron script for certificate renewals on some EC2 instances, which are ticking away nicely.
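One way the cron renewal mentioned above could apply the lib64 copy only when the import error actually appears, then retry once. This is an added example, not the author's cron script; the function names and the `VENV`/`CERTBOT` variables are assumptions, with defaults set to the paths used on this page.

```shell
#!/bin/sh
# Added example (not the author's cron script). Defaults are the paths used in
# the post; the variable and function names are assumptions for illustration.
VENV="${VENV:-/opt/eff.org/certbot/venv}"
CERTBOT="${CERTBOT:-/opt/letsencrypt/certbot-auto}"

# Succeeds when renew output contains the missing-module failure shown above.
is_import_error() {
    case "$1" in
        *"ImportError: No module named"*) return 0 ;;
    esac
    return 1
}

# Copy the contents of venv/lib64 into venv/lib (the post's "\cp -r" step).
sync_lib64() {
    [ -d "$1/lib64" ] && [ -d "$1/lib" ] || return 1
    # If lib64 resolves to the same directory as lib there is nothing to copy,
    # and cp would refuse to copy a directory onto itself.
    if [ "$(cd "$1/lib64" && pwd -P)" = "$(cd "$1/lib" && pwd -P)" ]; then
        return 0
    fi
    cp -R "$1/lib64/." "$1/lib/"
}

# Renew; on the import error apply the copy once and retry.
# Returns 0 on success, 1 if renewal still fails, 2 if the copy failed.
renew_with_fix() {
    if out=$("$CERTBOT" renew 2>&1); then
        printf '%s\n' "$out"; return 0
    fi
    if is_import_error "$out"; then
        sync_lib64 "$VENV" || return 2
        if out=$("$CERTBOT" renew 2>&1); then
            printf '%s\n' "$out"; return 0
        fi
    fi
    # Fail loudly: output on stderr and a non-zero exit, so a failed renewal
    # is visible before the certificate expires.
    printf '%s\n' "$out" >&2
    return 1
}

# Run only when invoked as "script run", e.g. from a root crontab entry.
if [ "${1:-}" = "run" ]; then
    renew_with_fix
fi
```

Any other renewal failure is passed through unchanged with exit status 1, so the copy step never hides an unrelated error.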
Works for you?
Leave a comment below if this works, or doesn’t work, for you. It’s how the internet can work to help a brother or sister out in a moment when otherwise face would be slamming into desk! If you have an even better solution, please do post that 🙂
If you would just like us to fix it for you, then contact us and we’ll get you a price.
The above process will also resolve the following error which has a similar root cause in AWS – tested and worked on 3 October 2018:
`from cryptography.hazmat.bindings.openssl.binding import Binding
ImportError: No module named cryptography.hazmat.bindings.openssl.binding`