After my web host enabled HTTPS on my main website through Let’s Encrypt, I thought that it would be nice to do the same for my private web server running on my Raspberry Pi 1 (model B). I already had a certificate for the Apache server running on my Pi provided by StartSSL, but Let’s Encrypt is a neater solution. I had some problems with this, so my solution is under the fold.
So the first thing I had to do was to remove the existing SSL configuration that’s managed by Debian and restart Apache:
$ sudo a2dissite default-ssl
$ sudo apache2ctl graceful
Now I’m ready to let Let’s Encrypt manage my certificates from now on.
The Let’s Encrypt website directed me to the EFF’s certbot tool, which gave fairly straightforward instructions, augmented by a blog post that I found, with instructions especially for the RPi. However, when I downloaded certbot and ran it from my Pi, it complained about missing libraries:
$ cd bin
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
$ ./certbot-auto --apache
Checking for new version...
Requesting root privileges to run certbot...
sudo /home/<username>/.local/share/letsencrypt/bin/letsencrypt --apache
The apache plugin is not working; there may be problems with your existing configuration.
The error was: NotSupportedError('Apache plugin support requires libaugeas0 and augeas-lenses version 1.2.0 or higher, please make sure you have you have those installed.',)
Further googling suggested that although I had libaugeas0 and augeas-lenses installed, they were the wrong versions, and that I needed the backported repository for Raspbian. Okay, fine, add that to my sources.list and try again. This time, it chugs for quite some time before eventually failing with the error Illegal instruction.
This turns out to be because the version of libaugeas0 installed by my package manager doesn’t support the ARMv6 architecture of the Raspberry Pi 1. So now it turns out that I have to compile the relevant package from source myself. Thankfully, someone else has already done the hard work and had the commands that I needed. Of course, it wasn’t without hitches: there were some missing dependencies that I had to add through my package manager.
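One way to confirm this kind of mismatch before anything crashes is to read the ARM build attributes that readelf -A prints for a library. The script below is an added example, not part of the original post: the function names and the two sample outputs are constructed for illustration, and check_lib assumes binutils' readelf is installed.

```shell
#!/bin/sh
# Added example: decide whether an ARM ELF object is safe to load on an
# ARMv6 CPU (Raspberry Pi 1) from the attributes shown by `readelf -A`.

# Print the Tag_CPU_arch value found in `readelf -A` output on stdin.
cpu_arch_from_attrs() {
    sed -n 's/^[[:space:]]*Tag_CPU_arch:[[:space:]]*//p' | head -n 1
}

# Return 0 if code built for the given Tag_CPU_arch can run on ARMv6KZ.
# Allowlist on purpose: newer or unknown values (v6T2, v7, v8, empty) fail.
runs_on_armv6() {
    case "$1" in
        v4|v4T|v5T|v5TE|v5TEJ|v6|v6KZ|v6K) return 0 ;;
        *) return 1 ;;
    esac
}

# Hypothetical helper for a real file, e.g. the installed libaugeas .so.
check_lib() {
    arch=$(readelf -A "$1" | cpu_arch_from_attrs)
    if runs_on_armv6 "$arch"; then
        echo "$1: built for ${arch}, OK on ARMv6"
    else
        echo "$1: built for ${arch:-unknown}, expect 'Illegal instruction'"
        return 1
    fi
}

# Constructed samples of `readelf -A` output (not captured from a real Pi).
SAMPLE_V7='Attribute Section: aeabi
File Attributes
  Tag_CPU_name: "7-A"
  Tag_CPU_arch: v7
  Tag_FP_arch: VFPv3-D16'
SAMPLE_V6='Attribute Section: aeabi
File Attributes
  Tag_CPU_name: "6"
  Tag_CPU_arch: v6
  Tag_FP_arch: VFPv2'

for sample in "$SAMPLE_V7" "$SAMPLE_V6"; do
    arch=$(printf '%s\n' "$sample" | cpu_arch_from_attrs)
    if runs_on_armv6 "$arch"; then verdict=ok; else verdict=incompatible; fi
    echo "Tag_CPU_arch=$arch -> $verdict"
done
```

Running check_lib against the shared object that the package manager installed, and again against the one built from source, shows which of the two the Pi 1 can actually execute.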
The final set of commands that I entered were:
$ sudo apt-get remove libaugeas0 augeas-tools libaugeas-dev
$ sudo apt-get install libreadline6-dev libxml2-dev
$ cd /tmp
$ wget http://download.augeas.net/augeas-1.6.0.tar.gz
$ tar -zxf augeas-1.6.0.tar.gz
$ cd augeas-1.6.0
$ CFLAGS='-march=armv6 -mfpu=vfp -mfloat-abi=hard' CPPFLAGS='-march=armv6 -mfpu=vfp -mfloat-abi=hard' ./configure
$ CFLAGS='-march=armv6 -mfpu=vfp -mfloat-abi=hard' CPPFLAGS='-march=armv6 -mfpu=vfp -mfloat-abi=hard' make
$ sudo make install
Trying Certbot again after this still failed, this time complaining that it couldn’t find libaugeas. Yes, that’s right, the one that I just compiled from source. It didn’t help that the log files were put into a directory that I couldn’t read, although that was easily fixed:
$ sudo chmod 755 /var/log/letsencrypt
The problem with not being able to find the library was solved by deleting the Python virtual environment that had been installed in $HOME/.local and rerunning Certbot. This recreated the environment (including reinstalling libaugeas, through apt-get, but I let it do it and it was fine) and finally got Let’s Encrypt running:
$ rm -rf $HOME/.local
$ cd $HOME/bin
$ ./certbot-auto --apache
I was able to follow the instructions on screen and my RPi web server is now running an SSL certificate provided by Let’s Encrypt. The final thing to do is to set it to auto-renew (as the certificates themselves only last for 90 days). Certbot can automatically check if certificates require renewal for you and do all the hard work. The EFF recommend that this check be run twice a day at random minutes past the hour, so I added the following line to my crontab:
11 06,18 * * * $HOME/bin/certbot-auto renew --quiet --no-self-upgrade
So the whole point of Let’s Encrypt is that it’s seamless and easy to use. Getting it running took most of my afternoon, but once the damn program actually ran, it was just a matter of minutes to get the certificate itself set up and installed. And now that it’s done, I should never need to worry about updating my SSL certificate on my RPi again.
Hi Raj,
Thank you so much for this post! I encountered the exact same issue on my Raspberry Pi – I was unable to install the Let’s Encrypt Cert due to some silly packages not being available. Thanks again!
John
Thanks for putting together this post. Now my Raspberry Pi, running Owncloud has a real certificate.
Regards,
Terry
Thank you for the post, it was really useful, it’s what made it work for my raspberry.
One note, I had to remove the /root/.local/ ( rm -rf /root/.local ) folder also and only then it worked.
Ta very much! That got things working.
Seems like someone developing Raspbian Stretch figured this out
“./certbot-auto --apache”
worked immediately (other methods on other sites suggesting an apt-get install with stretch-backports failed horribly)
I’m glad they’ve got it sorted in Stretch! The instructions above were for Wheezy
I try this solution. I have the same problem after reinstall certbot “Illegal Instruction”. Do you run this process recently?
Sorry, I’ve not done this since 2016, I’ve got a newer model Pi now running Stretch.
I find a solution.
1. I install augeas in last version 1.10.1
2. I install certbot-auto with --no-bootstrap option. With this dependencies aren’t installed and certbot works fine.
Thanks for your help.