Setting up & running letsencrypt a.k.a. certbot on CentOS / RHEL 5 systems


Getting letsencrypt to run on an ancient CentOS  or Red Hat Enterprise Linux 5 system (they still tend to appear in the wild from time to time) can be a major headache. I took some notes during the setup, I hope you find the useful (you'll need some basic Unix admin skills in order to follow this recipe, so caution is advised as you go through the procedure). 


Important: You'll need to use Python 2.7.8, anything beyond that version will
die with an invalid certificate error during the certbot setup phase. 

# compile openssl from source:

mkdir -p /server/src && cd /server/src


tar xvzf openssl-1.0.1t.tar.gz && cd openssl-1.0.1t

./config --prefix=/server/openssl-1.0.1t shared --openssldir=/server/openssl-1.0.1t/openssl

make depend && make && make install

# create a softlink for convenience 

ln -s /server/openssl-1.0.1t /server/openssl

# Get Python 2.7.8

cd /server/src && wget

tar xvzf Python-2.7.8.tar.gz

cd python-2.7.8

# set up compile environment

export LDFLAGS=-"Wl,-rpath=/server/openssl/lib -L/server/openssl/lib -L/server/openssl/lib64/"

export LD_LIBRARY_PATH="/server/openssl/lib/:/server/openssl/lib64"

export CPPFLAGS="-I/server/openssl/include -I/server/openssl/include/openssl"

./configure --prefix=/server/python-2.7.8

make && make install

# create softlink, adjust PATH

ln -s /server/python-2.7.8 /server/python; export PATH=/server/python/bin:$PATH

# install pip in new python version

wget --no-check-certificate


# install virtualenv, wheel

pip install virtualenv wheel

# git-clone certbot (latest version)

 cd /server/src/ ; git clone

# Request a certificate manually (certonly)

cd certbot; ./letsencrypt-auto certonly --manual -d my.server.tld 

# configuring your webserver of choice is left as an exercise for the reader.


2 thoughts on “Setting up & running letsencrypt a.k.a. certbot on CentOS / RHEL 5 systems

  1. Tom

    On Centos five, the letsencrypt keeps checking for packages, and drops an error…
    maybe an additional switch is needed for letsencrypt to skip checking …

    -bash-3.2# ./letsencrypt-auto certonly –manual -d xxxx
    Bootstrapping dependencies for RedHat-based OSes…
    yum is /usr/bin/yum
    Loaded plugins: fastestmirror, priorities, replace
    Loading mirror speeds from cached hostfile

  2. nunya

    This isnt to bad of a howto except that it doesnt actually work. With older CentOS’s 5 to 5.5 etc, Apache does not have the required SSL support that certbot uses. You should mention this so that people dont 5 weeks trying to figure out why you had to use the –manual switch.

    Invalid command ‘SSLStrictSNIVHostCheck’, perhaps misspelled or defined by a module not included in the server configuration <— This is the only reason why manual switch is needed.

Leave a Reply

Your email address will not be published. Required fields are marked *