There's honestly no good reason to run certbot, which is really just enough code to interact with letsencrypt and modify a few configuration files, in a snap. Especially if you want it to actually do its job of modifying the system, snap's isolation capabilities aren't useful.
Amazon doesn't recommend using snap to install certbot; that's just this site https://eff-certbot.readthedocs.io/en/stable/install.html#installation which lists it as one of many ways.
You'll be fine just installing the most recent certbot using the pip-method described on the same page. It's a lot less overhead than using snap (really not happy about them recommending that; also, I think their pip-based description has minor bugs). For a quick overview of how that'd work:
https://certbot.eff.org/instructions?ws=nginx&os=pip
```bash
# create an isolated python environment for certbot purposes alone
python3 -m venv /opt/certbot
# Modify environment for the current shell only to make python modify
# the virtual environment and not your system libraries
source /opt/certbot/bin/activate
# Install certbot
pip install certbot
```
That's it. If you later want to run certbot as standalone program,
```bash
/bin/bash -c "source /opt/certbot/bin/activate; certbot"
```
does that.
You can of course also put that into a shell script, e.g.
/usr/bin/certbot:
```bash
#!/bin/bash
source /opt/certbot/bin/activate
/opt/certbot/bin/certbot "$@"
```
make that executable (chmod 755 /usr/bin/certbot) and henceforth simply use certbot as command.
You might also want to set up a systemd timer to automatically renew your certificates regularly.
That's pretty easy:
- Make a file /lib/systemd/system/certbot.service with this content

```ini
[Unit]
Description=Certbot
Documentation=https://certbot.eff.org/docs

[Service]
Type=oneshot
ExecStart=/bin/bash -c "source /opt/certbot/bin/activate; certbot -q renew"
PrivateTmp=true
```

and one file /lib/systemd/system/certbot.timer with this:

```ini
[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200
Persistent=true

[Install]
WantedBy=timers.target
```
Source code of this timer straight from the Fedora packaging
To activate that timer, systemctl enable --now certbot.timer. From there on, your certificates get renewed if necessary automatically.
You might also want to drop an email to AWS support and ask them why they recommend to use some software named "certbot" that every other larger Linux distro just includes (so that you could install via yum install certbot and get all the above done for you), but decide not to include certbot in Amazon Linux 2023 themselves. That seems like a pretty stupid oversight.
yum are inherently a bit dated: yum is the predecessor of dnf, and Amazon Linux 2023 uses dnf, and only has a yum compatibility layer. The guides that you've been reading might have been bad, or outdated. (Many many bad guides on the internet, sorry.)
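An added example, not part of the original answer: a check for the certbot.service unit above that reports any absolute path named in an `ExecStart=` line that does not exist, since a wrong venv path only shows up when the timer fires and renewals quietly stop. It works on any unit file; the function names, the optional root prefix and the sample unit with its misspelled path are constructed for this illustration.

```bash
#!/bin/bash
# Added example: report absolute paths in a unit's ExecStart= lines that do
# not exist. A oneshot renewal unit with a wrong venv path fails only when
# the timer fires, so certificates silently stop renewing.

# missing_exec_paths UNIT_FILE [ROOT]
# Prints each missing path; returns 1 if any is missing, 0 otherwise.
# ROOT (an assumption of this example) is prefixed to every path so the
# check can be run against a scratch tree instead of the live system.
missing_exec_paths() {
    local unit_file=$1 root=${2:-} missing
    missing=$(
        # Take the command after ExecStart= (minus systemd's -@:+! prefixes),
        # split on whitespace, quotes and ';', keep tokens starting with '/'.
        sed -n 's/^ExecStart=[-@:+!]*//p' "$unit_file" |
        tr -s ' \t";'"'" '\n' |
        while IFS= read -r token; do
            case $token in
                /*) [ -e "$root$token" ] || printf '%s\n' "$token" ;;
            esac
        done
    )
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
}

# Constructed sample: a unit shaped like the one above, with the venv
# activate path passed in as $2.
write_sample_unit() {
    printf '[Service]\nType=oneshot\nExecStart=/bin/bash -c "source %s; certbot -q renew"\n' "$2" > "$1"
}

# Demo against a scratch root that contains only the files a correct
# install would have; the misspelled path is reported.
demo() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/opt/certbot/bin"
    : > "$root/bin/bash"
    : > "$root/opt/certbot/bin/activate"
    write_sample_unit "$root/certbot.service" /opt/cerbot/bin/activate
    missing_exec_paths "$root/certbot.service" "$root" || true
    rm -rf "$root"
}
demo
```

On a real host, call `missing_exec_paths /lib/systemd/system/certbot.service` with no second argument before enabling the timer.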