Building certbot from sources - 32bit possible?

Since my Ubuntu server 18.04 LTS is 32bits, I cannot apt-update to newer versions of certbot and thus I am still running certbot 0.31.0. Also migrating my system to 64bits is not in near reach.

Would it be possible to build a recent certbot from sources? I git cloned the certbot repo to my machine. But I'm lost when looking into the root of the distribution directory. So many different certbots. No Makefile, not the typical README with install instructions. It's a closed book to me.

You'd better use an alternative ACME client, for example acme.sh.

The problem is not certbot itself (certbot is only a bunch of Python scripts which do not need to be compiled), but the supported Python version. The latest version of certbot requires Python 3.6+.

(correction: requires python 3.7+)

1 Like

I have:

# python3 --version
Python 3.6.9
# 

Where do I find acme.sh?

use venv if needed Certbot Instructions | Certbot

3 Likes

If you followed the pip instructions linked above, you could install Certbot v1.23.0. Not amazingly new, but waaaay newer than 0.31.0. Support for Python 3.6 was removed in the following release.

More pertinently, Ubuntu 18.04 is EOL and no longer receiving any updates, so you should move off it as soon as you can anyway.

If you are stuck with 32-bit for some reason, you could replace Ubuntu 18.04 with Debian 12, which still produces installation media for 32-bit hardware and packages the relatively recent Certbot v2.1.0.

6 Likes

But were there breaking changes introduced in subsequent versions?

1 Like

The website is just acme.sh

3 Likes

There are breaking changes in certbot itself between 1.x and 2.x.

Not really, you can still subscribe to (pay for) ESM support.

2 Likes

use venv if needed Certbot Instructions | Certbot

It began so promising, but now:

  running build_ext
  running build_rust
  
      =============================DEBUG ASSISTANCE=============================
      If you are seeing a compilation error please try the following steps to
      successfully install cryptography:
      1) Upgrade to the latest pip and try again. This will fix errors for most
         users. See: https://pip.pypa.io/en/stable/installing/#upgrading-pip
      2) Read https://cryptography.io/en/latest/installation/ for specific
         instructions for your platform.
      3) Check our frequently asked questions for more information:
         https://cryptography.io/en/latest/faq/
      4) Ensure you have a recent Rust toolchain installed:
         https://cryptography.io/en/latest/installation/#rust
  
      Python: 3.6.9
      platform: Linux-3.13.0-160-generic-i686-with-Ubuntu-18.04-bionic
      pip: n/a
      setuptools: 59.6.0
      setuptools_rust: 1.1.2
      rustc: n/a
      =============================DEBUG ASSISTANCE=============================
  
  error: can't find Rust compiler
  
  If you are using an outdated pip version, it is possible a prebuilt wheel is available for this package but pip is not able to install from it. Installing from the wheel would avoid the need for a Rust compiler.
  
  To update pip, run:
  
      pip install --upgrade pip
  
  and then retry package installation.
  
  If you did intend to build this package from source, try installing a Rust compiler from your system package manager and ensure it is on the PATH during installation. Alternatively, rustup (available at https://rustup.rs) is the recommended way to download and update the Rust compiler toolchain.
  
  This package requires Rust >=1.48.0.
  ----------------------------------------
  ERROR: Failed building wheel for cryptography
Failed to build cryptography
ERROR: Could not build wheels for cryptography, which is required to install pyproject.toml-based projects
#

After installing

apt install rustc
apt install cargo

I ended up with more errors saying Python 3.6 is not supported, and

warning: /tmp/pip-install-8ypoloxf/cryptography_446acb05a5704ef9a09bf09ba0f4c252/src/rust/target/release/build/cryptography-rust-e9ae9ad16ce6710b/out/_openssl.c:57:10: fatal error: Python.h: No such file or directory
  warning:  #include <Python.h>
  warning:           ^~~~~~~~~~
  warning: compilation terminated.

Will give it another try with Python 3.7 if that is possible at all.

1 Like

I abandoned this attempt and reinstalled the 0.31.0 package again.
With certbot removed and reinstalled again, are my related scripts, or whatever takes care of the cert renewal every 90 days, gone now?

You can check your certs and their profiles with this:

sudo certbot certificates

You can check your renew command with

sudo certbot renew --dry-run

Omit sudo in above commands if not needed

And, you can check whether a renew is scheduled using the instructions here:
https://eff-certbot.readthedocs.io/en/stable/using.html#automated-renewals

6 Likes

Thanks. It turned out that the certificates were still there.
But

# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The requested apache plugin does not appear to be installed
Attempting to renew cert (mydomain.de) from /etc/letsencrypt/renewal/mydomain.de.conf produced an unexpected error: The requested apache plugin does not appear to be installed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain.de/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain.de/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

1 Like

It looks like you might also need to install the certbot-apache plugin, then.

But I'll second the notion above that with older systems, you might want a different client that can be easily installed with minimal other dependencies, like maybe something from the Bash or Go sections of the client list.

And of course be aware that even with a certificate, if you're not up-to-date on security patches, then you can't guarantee that connections to your server are "secured" in any sense.

6 Likes
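The dry-run failure earlier in the thread happens because the lineage's renewal file still names the apache plugin after the reinstall. As an added example (not code from the thread or from the certbot project), this sketch reads renewal files and reports which lineages name an authenticator or installer that is not available; the sample file contents, the account value and the function names are constructed for illustration, and the set of installed plugin names is assumed to be supplied by the operator, for instance read off `certbot plugins`.

```python
import re
from pathlib import Path

# Constructed sample of a renewal file; the account value is a placeholder.
SAMPLE_CONF = """\
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/mydomain.de
fullchain = /etc/letsencrypt/live/mydomain.de/fullchain.pem

[renewalparams]
authenticator = apache
installer = apache
account = 0123456789abcdef0123456789abcdef
server = https://acme-v02.api.letsencrypt.org/directory
"""

def renewal_plugins(text):
    """Return the authenticator/installer named in the [renewalparams] section."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[+\s*(.+?)\s*\]+", line)
        if header:  # [section] or nested [[subsection]]
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and section == "renewalparams" and key in ("authenticator", "installer"):
            found[key] = value.strip()
    return found

def missing_plugins(text, installed):
    """Plugins a lineage needs that are absent from `installed` (operator-supplied names)."""
    needed = {v for v in renewal_plugins(text).values() if v and v != "None"}
    return sorted(needed - set(installed))

def audit(renewal_dir, installed):
    """Map each *.conf under renewal_dir to its missing plugins; healthy lineages are omitted."""
    report = {}
    for conf in sorted(Path(renewal_dir).glob("*.conf")):
        gaps = missing_plugins(conf.read_text(), installed)
        if gaps:
            report[conf.name] = gaps
    return report

if __name__ == "__main__":
    print(missing_plugins(SAMPLE_CONF, {"standalone", "webroot"}))
```

Running `audit("/etc/letsencrypt/renewal", installed)` after a package reinstall flags lineages that would fail at the next scheduled renewal, before the certificate gets close to expiry.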
