Amazon Linux 2 Image and LAMP
I recently migrated a LAMP server from Amazon Linux to an Amazon Linux 2 image. I had several reasons for needing this, including that it has systemd.
More here: https://aws.amazon.com/amazon-linux-2/
The high-level steps around the MySQL database, WordPress and static HTML migration were pretty smooth, as I have done this multiple times. The only notable things to report were:
1. You are probably going from a PHP 5.x world to a PHP 7.x world, and that could cause a few problems. In my case some older PHP gallery software threw multiple DEPRECATED problems, so I had to work through them case by case.
2. I had a problem with PHP and MPM.
3. Certbot/Let's Encrypt does not recognize Amazon Linux 2 from /etc/issue and fails.
LAMP Install:
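Pretty much followed this without issues. The last command creates a phpinfo.php test page; delete it once PHP is confirmed working, because it shows the server's PHP configuration to anyone who requests it.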
# yum update -y
# amazon-linux-extras install lamp-mariadb10.2-php7.2
# yum install -y httpd php mariadb-server php-mysqlnd
# systemctl enable httpd
# usermod -a -G apache ec2-user
# chown -R ec2-user:apache /var/www
# chmod 2775 /var/www && find /var/www -type d -exec sudo chmod 2775 {} \;
# find /var/www -type f -exec sudo chmod 0664 {} \;
# echo "<?php phpinfo(); ?>" > /var/www/html/phpinfo.php
MPM Issue:
There may be other or better ways to solve this; I have not had time to investigate further.
# systemctl start httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
# systemctl status httpd.service -l
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/httpd.service.d
           └─php-fpm.conf
   Active: failed (Result: exit-code) since Tue 2018-05-29 13:35:34 UTC; 1min 21s ago
     Docs: man:httpd.service(8)
  Process: 12701 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 12701 (code=exited, status=1/FAILURE)

May 29 13:35:34 ip-172-31-48-7.ec2.internal systemd[1]: Starting The Apache HTTP Server...
May 29 13:35:34 ip-172-31-48-7.ec2.internal httpd[12701]: [Tue May 29 13:35:34.378884 2018] [php7:crit] [pid 12701:tid 140520257956032] Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe. You need to recompile PHP.
May 29 13:35:34 ip-172-31-48-7.ec2.internal httpd[12701]: AH00013: Pre-configuration failed
# pwd
/etc/httpd/conf.modules.d
# cp 00-mpm.conf /tmp
# vi 00-mpm.conf
# diff 00-mpm.conf /tmp/00-mpm.conf
11c11
< LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
---
> #LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
23c23
< #LoadModule mpm_event_module modules/mod_mpm_event.so
---
> LoadModule mpm_event_module modules/mod_mpm_event.so
# systemctl restart httpd
# ps -ef | grep http
root      9735     1  0 13:42 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    9736  9735  0 13:42 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    9737  9735  0 13:42 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    9738  9735  0 13:42 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    9739  9735  0 13:42 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    9740  9735  0 13:42 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
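A static pre-flight check for the MPM/mod_php mismatch shown above, added here as an example and not part of the original post. The function names are this example's own, the sample file names and contents are constructed, and the check reads only uncommented LoadModule lines, so it does not evaluate <IfModule> conditions.

```shell
#!/bin/sh
# Added example: flag an MPM selection that cannot start with mod_php.

# Print the name of every MPM enabled by an uncommented LoadModule line.
# $1 = directory of module config files (the post's /etc/httpd/conf.modules.d)
active_mpms() {
    cat "$1"/*.conf 2>/dev/null |
        sed -n 's/^[[:space:]]*LoadModule[[:space:]]\{1,\}mpm_\([a-z]*\)_module[[:space:]].*/\1/p'
}

# Succeed when an uncommented line loads mod_php (php_module, php5_module, php7_module).
mod_php_loaded() {
    cat "$1"/*.conf 2>/dev/null |
        grep -Eq '^[[:space:]]*LoadModule[[:space:]]+php[0-9]*_module[[:space:]]'
}

# Print a verdict; return 0 only for a combination httpd can start with.
check_mpm() {
    mpms=$(active_mpms "$1")
    count=$(printf '%s\n' "$mpms" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "bad-mpm-count"                 # httpd needs exactly one MPM
        return 1
    fi
    if mod_php_loaded "$1" && [ "$mpms" != "prefork" ]; then
        echo "threaded-mpm-with-mod-php"     # the php7:crit failure in the log
        return 1
    fi
    echo "ok:$mpms"
}

# Constructed sample: the pre-fix state from the post (event MPM plus mod_php).
demo=$(mktemp -d)
printf '%s\n' '#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so' \
    'LoadModule mpm_event_module modules/mod_mpm_event.so' > "$demo/00-mpm.conf"
printf '%s\n' 'LoadModule php7_module modules/libphp7.so' > "$demo/15-php.conf"
check_mpm "$demo" || true
rm -rf "$demo"
```

Run check_mpm against the real module directory before restarting httpd; on a live server, httpd -M gives the authoritative list of loaded modules.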
CERTBOT:
On the old server, delete the certs.
# /opt/eff.org/certbot/venv/local/bin/certbot delete
[..]
-------------------------------------------------------------------------------
Deleted all files relating to certificate blog.domain.com.
-------------------------------------------------------------------------------
On the new server, install the certs.
# yum install mod_ssl
# wget https://dl.eff.org/certbot-auto
# chmod a+x certbot-auto
# ./certbot-auto --debug
Sorry, I don't know how to bootstrap Certbot on your operating system!
Work around the fact that certbot does not know about Amazon Linux 2 yet.
# yum install python-virtualenv python-augeas
# ./certbot-auto --debug --no-bootstrap
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apachectl configtest.

AH00526: Syntax error on line 100 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty

How would you like to authenticate and install certificates?
-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache) [Misconfigured]
2: Nginx Web Server plugin - Alpha (nginx)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

-------------------------------------------------------------------------------
The selected plugin encountered an error while parsing your server configuration
and cannot be used. The error was:

Error while running apachectl configtest.

AH00526: Syntax error on line 100 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty
Have to fix SSL first; apparently certbot needs a generic localhost cert.
# openssl req -new -x509 -nodes -out localhost.crt -keyout localhost.key
# mv localhost.crt localhost.key /etc/pki/tls/certs/
# mv /etc/pki/tls/certs/localhost.key /etc/pki/tls/private/
# systemctl restart httpd
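A non-interactive variant of the placeholder-certificate step above, added here as an example and not part of the original post. It writes the key straight into the private directory under a restrictive umask instead of moving it through the certs directory, then checks the result. The function names, the CN=localhost subject, the 2048-bit RSA key and the 30-day default lifetime are assumptions of this example.

```shell
#!/bin/sh
# Added example: create and verify the placeholder localhost cert for mod_ssl.

# $1 = TLS base directory (the post uses /etc/pki/tls), $2 = validity in days.
make_placeholder_cert() {
    base=$1
    days=${2:-30}
    key=$base/private/localhost.key
    crt=$base/certs/localhost.crt
    mkdir -p "$base/private" "$base/certs" || return 1
    (
        umask 077    # key file is created owner-only, never world-readable
        openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 \
            -subj "/CN=localhost" -days "$days" \
            -keyout "$key" -out "$crt" 2>/dev/null
    ) || return 1
    chmod 644 "$crt"    # the certificate itself is public
}

# Succeed only if the key is mode 0600 and belongs to the certificate.
verify_placeholder_cert() {
    base=$1
    key=$base/private/localhost.key
    crt=$base/certs/localhost.crt
    [ "$(ls -l "$key" | cut -c1-10)" = "-rw-------" ] || return 1
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Demonstration in a scratch directory; on the server pass /etc/pki/tls.
scratch=$(mktemp -d)
make_placeholder_cert "$scratch" &&
    verify_placeholder_cert "$scratch" &&
    echo "placeholder cert OK"
rm -rf "$scratch"
```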
Now try again.
# ./certbot-auto --debug --no-bootstrap
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?
-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Nginx Web Server plugin - Alpha (nginx)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): E@MAIL.com
[..]
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: blog.domain.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for blog.domain.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/vhost-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/vhost-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/httpd/conf.d/vhost.conf to ssl vhost in /etc/httpd/conf.d/vhost-le-ssl.conf

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://blog.domain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=blog.domain.com
-------------------------------------------------------------------------------
[..]
Test your site here:
https://www.ssllabs.com/ssltest/analyze.html?d=blog.domain.com&latest