Saturday, 27 August 2016

Let’s Encrypt for the Raspberry Pi (model B)

After my web host enabled HTTPS on my main website through Let’s Encrypt, I thought that it would be nice to do the same for my private web server running on my Raspberry Pi 1 (model B). I already had a certificate for the Apache server running on my Pi provided by StartSSL, but Let’s Encrypt is a neater solution.  I had some problems with this, so my solution is under the fold.

So the first thing I had to do was to remove the existing SSL configuration that’s managed by Debian and restart Apache:

$ sudo a2dissite default-ssl
$ sudo apache2ctl graceful

Now I’m ready to let Let’s Encrypt manage my certificates from now on.

The Let’s Encrypt website directed me to the EFF’s certbot tool, which gave fairly straightforward instructions, augmented by a blog post that I found, with instructions especially for the RPi.  However, when I downloaded certbot and ran it from my Pi, it complained about missing libraries:

$ cd bin
$ wget
$ chmod a+x certbot-auto
$ ./certbot-auto --apache
Checking for new version...
Requesting root privileges to run certbot...
   sudo /home/<username>/.local/share/letsencrypt/bin/letsencrypt --apache
The apache plugin is not working; there may be problems with your existing configuration.
The error was: NotSupportedError('Apache plugin support requires libaugeas0 and augeas-lenses version 1.2.0 or higher, please make sure you have you have those installed.',)

Further googling suggested that although I had libaugeas0 and augeas-lenses installed, they were the wrong versions, and that I needed the backported repository for Raspbian.  Okay, fine, add that to my sources.list and try again.  This time, it chugs for quite some time before eventually failing with the error Illegal instruction.

This turns out to be because the version of libaugeas0 installed by my package manager doesn’t support the ARMv6 architecture of the Raspberry Pi 1.  So now it turns out that I have to compile the relevant package from source myself.  Thankfully, someone else has already done the hard work and had the commands that I needed.  Of course, it wasn’t without hitches: there were some missing dependencies that I had to add through my package manager.
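One way to confirm this kind of mismatch before rebuilding anything (an added example, not part of the original post): compare the Tag_CPU_arch build attribute that `readelf -A` reports for the library with the CPU architecture from `uname -m`. The readelf excerpts are constructed samples, and the function names and the library path in the last comment are placeholders.

```sh
# Added example, not from the original post. Coarse check: it compares the
# major ARM architecture version only, not individual CPU features.
# Constructed `readelf -A` excerpts: a v7 build and a v6 build.
SAMPLE_V7='Attribute Section: aeabi
File Attributes
  Tag_CPU_name: "7-A"
  Tag_CPU_arch: v7
  Tag_CPU_arch_profile: Application
  Tag_FP_arch: VFPv3-D16'
SAMPLE_V6='Attribute Section: aeabi
File Attributes
  Tag_CPU_arch: v6
  Tag_FP_arch: VFPv2'

# Map `uname -m` output or a Tag_CPU_arch value to a number (0 = unknown).
arm_level() {
    case "$1" in
        armv5*|v5*) echo 5 ;;
        armv6*|v6*) echo 6 ;;
        armv7*|v7*) echo 7 ;;
        armv8*|v8*) echo 8 ;;
        *) echo 0 ;;
    esac
}

# Read `readelf -A` output on stdin and print the Tag_CPU_arch value.
lib_arch() {
    sed -n 's/^[[:space:]]*Tag_CPU_arch:[[:space:]]*//p' | head -n 1
}

# check_lib_arch MACHINE, with `readelf -A` output on stdin.
# Returns 0 only when the library targets the CPU's level or an older one.
check_lib_arch() {
    tag=$(lib_arch)
    cpu=$(arm_level "$1")
    lib=$(arm_level "$tag")
    if [ "$cpu" -eq 0 ] || [ "$lib" -eq 0 ]; then
        echo "unknown: cannot compare '$tag' with '$1'"; return 1
    fi
    if [ "$lib" -gt "$cpu" ]; then
        echo "too-new: built for $tag, CPU is $1"; return 1
    fi
    echo "ok: built for $tag, CPU is $1"
}

# Demo on the constructed samples, as seen from a Pi 1 (uname -m: armv6l).
printf '%s\n' "$SAMPLE_V7" | check_lib_arch armv6l || :
printf '%s\n' "$SAMPLE_V6" | check_lib_arch armv6l
# Real use: readelf -A /path/to/library.so | check_lib_arch "$(uname -m)"
```

A "too-new" verdict means the library may contain instructions the CPU cannot execute, which is what an Illegal instruction crash indicates.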

The final set of commands that I entered were:

$ sudo apt-get remove libaugeas0 augeas-tools libaugeas-dev
$ sudo apt-get install libreadline6-dev libxml2-dev
$ cd /tmp
$ wget
$ tar -zxf augeas-1.6.0.tar.gz
$ cd augeas-1.6.0
$ CFLAGS='-march=armv6 -mfpu=vfp -mfloat-abi=hard' CPPFLAGS='-march=armv6 -mfpu=vfp -mfloat-abi=hard' ./configure
$ CFLAGS='-march=armv6 -mfpu=vfp -mfloat-abi=hard' CPPFLAGS='-march=armv6 -mfpu=vfp -mfloat-abi=hard' make
$ sudo make install

Trying Certbot again after this still failed, this time complaining that it couldn’t find libaugeas.  Yes, that’s right, the one that I just compiled from source.  It didn’t help that the log files were put into a directory that I couldn’t read, although that was easily fixed:

$ sudo chmod 755 /var/log/letsencrypt

The problem with not being able to find the library was solved by deleting the Python virtual environment that had been installed in $HOME/.local and rerunning Certbot.  This recreated the environment (including reinstalling libaugeas, through apt-get, but I let it do it and it was fine) and finally got Let’s Encrypt running:

$ rm -rf $HOME/.local
$ cd $HOME/bin
$ ./certbot-auto --apache

I was able to follow the instructions on screen and my RPi web server is now running an SSL certificate provided by Let’s Encrypt. The final thing to do is to set it to auto-renew (as the certificates themselves only last for 90 days).  Certbot can automatically check if certificates require renewal for you and do all the hard work.  The EFF recommend that this check be run twice a day at random minutes past the hour, so I added the following line to my crontab:

11 06,18 * * * $HOME/bin/certbot-auto renew --quiet --no-self-upgrade

So the whole point of Let’s Encrypt is that it’s seamless and easy to use.  Getting it running took most of my afternoon, but once the damn program actually ran, it was just a matter of minutes to get the certificate itself set up and installed.  And now that it’s done, I should never need to worry about updating my SSL certificate on my RPi again.


John Jackson says:

Hi Raj,

Thank you so much for this post! I encountered the exact same issue on my Raspberry Pi – I was unable to install the Let’s Encrypt Cert due to some silly packages not being available. Thanks again!


Terry Field says:

Thanks for putting together this post. Now my Raspberry Pi, running Owncloud has a real certificate.


Dan Mihai Ile says:

Thank you for the post, it was really useful, it’s what made it work for my raspberry.
One note, I had to remove the /root/.local/ ( rm -rf /root/.local ) folder also and only then it worked.

James says:

Ta very much! That got things working.

Chris Dock says:

Seems like someone developing Raspbian Stretch figured this out

“./certbot-auto --apache”

worked immediately (other methods on other sites suggesting an apt-get install with stretch-backports failed horribly)

Raj says:

I’m glad they’ve got it sorted in Stretch! The instructions above were for Wheezy

rinty35 says:

I tried this solution. I have the same problem after reinstalling certbot: “Illegal Instruction”. Did you run this process recently?

Raj says:

Sorry, I’ve not done this since 2016; I’ve got a newer model Pi now running Stretch.

rinty35 says:

I found a solution.
1. I installed augeas in the latest version, 1.10.1.
2. I installed certbot-auto with the --no-bootstrap option. With this, dependencies aren’t installed and certbot works fine.

Thanks for your help.
