Is there a script for auto-renewal of Certbot for WP(MU)?

Ubuntu WPMU/LAMP on AWS and GCLP

I’m wondering whether anybody has found a way to ensure auto-renewal of Certbot.

Hi @servicioexpreso,

We have this section in our documentation that explains how to renew the certificate

https://docs.bitnami.com/google/components/apache/#how-to-renew-a-lets-encrypt-certificate-for-your-domain-using-the-certbot-client

You can add this command to a crontab job. You can check this post in order to get more information.

Regards,
Jota

Thanks for the reply (I had read it already). The issue is that:

  • from your ‘Ghost’ link it is visible that it is still unclear whether it is working or not.
  • If it is working, why didn’t Bitnami include clear instructions in the first link (‘Documentation’)??? I mean, that is the reason for posting the topic (it is not in ‘Documentation’).

Hi,

Thanks for the advice. We have plans to update the guide with the instructions for adding an auto-renewal cron job.

Regarding the previously shared Ghost link, I see that the job is working but there was an issue with pip, which is fixed in a later message.

Hope it helps.

Best regards,

Javier J. Salmerón

This Bitnami documentation is amazing (mess), at least for me.

  1. I want to install it on Google Launchpad and LAMP stack with WP modules (for https)

  2. I did update/upgrade and install of git

  3. cd /tmp

  4. git clone https://github.com/certbot/certbot

  5. cd certbot
    ./certbot-auto

  6. Then … BUMP
    “Failed to find executable apache2ctl in PATH: /opt/bitnami/frameworks/laravel/app/Console:/opt/bitnami/frameworks/cakephp/bin:/opt/bitnami/frameworks/codeigniter/bin:/opt/bitnami/frameworks/symfony/bin:/opt/bitnami/frameworks/zendframework/app/Console:/opt/bitnami/git/bin:/opt/bitnami/varnish/bin:/opt/bitnami/sqlite/bin:/opt/bitnami/php/bin:/opt/bitnami/mysql/bin:/opt/bitnami/apache2/bin:/opt/bitnami/common/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    Certbot doesn’t know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run “certbot-auto certonly” to do so. You’ll need to manually configure your web server to use the resulting certificate.”

  7. So
    ./certbot-auto certonly (worked)

  8. Now Bitnami says that we should set up Apache, but ‘ln’ is rejected as the file exists (BUMP - what does it mean?)

  9. Now try to connect https://mydomain.com and get ‘red’ message that https is not secure (private).

WHAT NOW?
To follow instructions to force HTTPS (no logic)? Or what?

This is a nightmare. I have a couple of questions:

  1. Installing certbot in /tmp is hardly a great idea if it should be the subject of a cron job (the server can reboot and delete it) - OR NOT (p.s. - where would be a fine place to put it???)?
  2. In the ‘Ghost’ topic the solution is with ‘root’ and I don’t understand “I added the ProxyPass directive in both the port 80 and 443 VirtualHost sections, though I’m not sure both are necessary.”. I mean in LAMP - where to place it and how should it look?
  3. To me it looks like I don’t yet have Apache properly pointed to the certificates, as I get the same warnings as for another domain without a certificate (when I try https).

So, can somebody explain step by step for LAMP (WP modules) how to install certbot properly so that it works - OR NOT? Answers with links to XXX topics are completely useless as all of them are different (and nothing works).

I did everything fine, but it still does not work as I missed something (most likely - apache). Proof:
A) Valid certificate
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested
and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/mydomain.com.conf)
B) Valid path
user@bitnami-lampstack-dm-xxx:~$ ls -la /opt/bitnami/apache2/conf/server.key
lrwxrwxrwx 1 root root 52 Jun 9 01:55 /opt/bitnami/apache2/conf/server.key -> /etc/letsencrypt/live/mydomain.com/privkey.pem
user@bitnami-lampstack-dm-xxx:~$ ls -la /opt/bitnami/apache2/conf/server.crt
lrwxrwxrwx 1 root root 54 Jun 9 01:54 /opt/bitnami/apache2/conf/server.crt -> /etc/letsencrypt/live/mydomain.com/fullchain.pem

WHAT IS WRONG???

Regarding https://www.ssllabs.com, it looks like I now have two cert files (dummy - invalid and certbot - valid) and most likely the first makes the entire chain ‘insecure’.

To me, it looks like the entire problem is in the instruction
sudo ln -s /etc/letsencrypt/live/DOMAIN/fullchain.pem /opt/bitnami/apache2/conf/server.crt
sudo ln -s /etc/letsencrypt/live/DOMAIN/privkey.pem /opt/bitnami/apache2/conf/server.key
as the command is rejected because ‘file already exists’.

WHAT NOW?

So far, I have figured out that the main problem is that infrastructure stacks are significantly different from application stacks and all (a great part of) the instructions for applications are simply not working.

If we work with e.g. LAMP and multiple e.g. WP modules, there is some sort of ‘double’ apache commands. Specifically, as we need different domains with the same IP, everything is set within the module and the main conf file for apache is within the module (/opt/bitnami/apps/myapp/conf/httpd-vhosts.conf) and the cert files are within the module cert folder.

So, it is useless to point everything at the cert files within the module when the LAMP apache configuration still points to the ‘global dummy’ cert files, which makes the valid cert files invalid (as at least one certificate is ‘invalid’ - the whole ‘chain’ fails).

Somebody from Bitnami should explain how to act in either of two scenarios:

A) To disable ‘LAMP central certification chain’ and enable SSL per module/domain
B) How to disable per module dummy certifications and use one certificate for all domains/modules (for SNI issue)

Please be kind and solve this issue.

Hey @servicioexpreso,

The documentation is wrong. I found this out the hard way. If you’re using WordPress, there’s an easier way to do this.

Check out my thread (w/solution)

Hi,

In a Bitnami LAMP stack, SSL certificates are configured in /opt/bitnami/apache2/conf/bitnami/bitnami.conf. In that file, there are two lines containing SSLCertificateFile and SSLCertificateKeyFile, which point to the certificate file and the certificate key file, respectively, as explained here.

If you install the WordPress module on top of the LAMP stack, by default, it will operate in “prefix mode”. In this mode, the Apache configuration for the WordPress module is taken from /opt/bitnami/apps/wordpress/conf/httpd-prefix.conf and /opt/bitnami/apps/wordpress/conf/httpd-app.conf. If you configure the application to use a virtual host, it will use /opt/bitnami/apps/wordpress/conf/httpd-vhosts.conf instead, as explained here. In this file, there’s also a piece of configuration for SSL, setting the certificate and key to /opt/bitnami/apps/wordpress/conf/certs/server.crt and /opt/bitnami/apps/wordpress/conf/certs/server.key, respectively.

Depending on whether you configured your module to use virtual hosts or not, you should modify /opt/bitnami/apache2/conf/bitnami/bitnami.conf and/or /opt/bitnami/apps/wordpress/conf/httpd-vhosts.conf in order to enable/disable SSL globally or per module.

Keep in mind that the certificate files must be readable by user daemon to work with our LAMP stack.

Hope it helps.

Best regards,
Alvaro Recio
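
The layout described in the reply above (a global bitnami.conf plus a per-module httpd-vhosts.conf, each with its own SSLCertificateFile and SSLCertificateKeyFile) can be checked mechanically. The following is an added example, not Bitnami's code or part of the original post: it lists every active certificate directive in the given config files and reports whether the path resolves into the Let's Encrypt directory. The function names, status labels and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Bitnami's code. Names and status labels are illustrative.
# audit_ssl_paths LE_DIR CONF...
#   One line per active directive: STATUS <tab> conf <tab> directive <tab> resolved path
#   OK      = resolves under LE_DIR
#   OTHER   = exists elsewhere (for example a pre-installed dummy certificate)
#   MISSING = the path, or the target of its symlink, does not exist
audit_ssl_paths() {
    le_real=$(readlink -f "$1") || return 1
    shift
    for conf in "$@"; do
        [ -f "$conf" ] || continue
        # Commented-out directives start with "#" in field 1 and are skipped.
        awk '$1 == "SSLCertificateFile" || $1 == "SSLCertificateKeyFile" {
                 gsub(/"/, "", $2); print $1, $2 }' "$conf" |
        while read -r directive path; do
            if [ ! -e "$path" ]; then
                status=MISSING; resolved=$path
            else
                resolved=$(readlink -f "$path")
                case $resolved in
                    "$le_real"/*) status=OK ;;
                    *)            status=OTHER ;;
                esac
            fi
            printf '%s\t%s\t%s\t%s\n' "$status" "$conf" "$directive" "$resolved"
        done
    done
}

# Constructed sample tree: a global config still on a dummy certificate, and a
# vhost config whose server.crt is a symlink into the Let's Encrypt directory
# but whose server.key was never created.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/le/live/example.com" "$t/apache/conf" "$t/app/certs"
    : > "$t/le/live/example.com/fullchain.pem"
    : > "$t/apache/conf/server.crt"
    ln -s "$t/le/live/example.com/fullchain.pem" "$t/app/certs/server.crt"
    printf 'SSLCertificateFile "%s"\n' "$t/apache/conf/server.crt" > "$t/bitnami.conf"
    printf '  SSLCertificateFile "%s"\n  SSLCertificateKeyFile "%s"\n#SSLCertificateFile "/x"\n' \
        "$t/app/certs/server.crt" "$t/app/certs/server.key" > "$t/httpd-vhosts.conf"
    audit_ssl_paths "$t/le" "$t/bitnami.conf" "$t/httpd-vhosts.conf" | cut -f1,3
    rm -rf "$t"
}
demo
```

On a real stack the function would be called with /etc/letsencrypt and the two config files named in the reply; any line marked OTHER is a virtual host still serving a certificate that did not come from Certbot.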

Thanks. It works with the vhosts option.

I was nervous as I found several issues:

  1. certbot on /tmp is a bad idea vs cron
  2. ln not working as the files exist (so, rename/delete/bak are options, but I needed time to figure it out, as in the meantime I was faced with the next issue as well)
  3. In the meantime I also tried to use StartSSL and it didn’t work (either). Only late today, I found that since 2016 they are ignored by Google and Mozilla.
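
For the `ln` "file exists" failure discussed in this thread, the following is an added example (not from the original posts or from Bitnami's documentation) of replacing an existing server.crt or server.key with a symlink while keeping a backup and refusing to link to a file that is not there. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Bitnami's code. Names are illustrative.
# replace_with_link TARGET LINK
#   Makes LINK a symlink to TARGET. A regular file at LINK is renamed to
#   LINK.bak.<timestamp>; a symlink at LINK is replaced; a missing TARGET
#   is an error and LINK is left untouched.
replace_with_link() {
    target=$1 link=$2
    [ -e "$target" ] || { echo "missing target: $target" >&2; return 1; }
    if [ -L "$link" ]; then
        # Already the right symlink: nothing to do, so repeated runs are safe.
        [ "$(readlink "$link")" = "$target" ] && return 0
        rm -f "$link"
    elif [ -e "$link" ]; then
        mv "$link" "$link.bak.$(date +%Y%m%d%H%M%S)"
    fi
    ln -s "$target" "$link"
}

# Constructed sample tree: a dummy server.crt already in place, a real
# fullchain.pem to link to, and no privkey.pem yet.
relink_demo() {
    t=$(mktemp -d)
    mkdir -p "$t/live/example.com" "$t/conf"
    echo real  > "$t/live/example.com/fullchain.pem"
    echo dummy > "$t/conf/server.crt"
    # First call backs up the dummy file; second call is a no-op.
    replace_with_link "$t/live/example.com/fullchain.pem" "$t/conf/server.crt" &&
    replace_with_link "$t/live/example.com/fullchain.pem" "$t/conf/server.crt"
    replace_with_link "$t/live/example.com/privkey.pem" "$t/conf/server.key" 2>/dev/null ||
        echo "refused: key target missing"
    echo "served: $(cat "$t/conf/server.crt"), backups: $(ls "$t/conf" | grep -c '\.bak\.')"
    rm -rf "$t"
}
relink_demo
```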

Hi,

We are glad that you were able to fix the issue. Thanks for your feedback about our documentation. We’re always working on improving the guides we provide and we’ll take into account the issues you pointed out.

If you have any other questions, please don’t hesitate to ask.

Best regards,
Alvaro Recio