Can't renew with certbot-auto; can't get instructions to install certbot

fpeelo · April 17, 2024, 7:58pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:castleknockscouts.ie

I ran this command:../certbot-auto certonly --manual

It produced this output:Skipping bootstrap because certbot-auto is deprecated on this system.
../certbot-auto has insecure permissions!
To learn how to fix them, visit Certbot-auto deployment best practices
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.

My web server is (include version):Apache 2.4.55

The operating system my web server runs on is (include version):Linux, version unknown. But I am not running certbot-auto on the server, but on a Linux Mint 21.3 machine. I usually run certbot-auto, get certificates and upload them. But I upgraded to 21.3 recently. I believe it's based on Ubuntu 22.4, and the latest Ubuntu on Certbot Instructions | Certbot seems to be 20, so I cannot get instructions on how to install certbot!!!

My hosting provider, if applicable, is:letshost.ie

I can login to a root shell on my machine (yes or no, or I don't know):yes, but on the Linux Mint 21.3 machine, not on letshost's server

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):cpanel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot-auto --version does not print a version, it says: "Your system is not supported by certbot-auto anymore". So I do not know the version.

MikeMcQ · April 17, 2024, 8:06pm

The install for Ubuntu 22.4 is same as for 20

I am not sure the install for snapd is the same under Linux Mint as for native Ubuntu so follow the instructions on canonical's website about snapd

Or, use pip but if snap install works that may be easier to maintain

Bruce5051 · April 17, 2024, 8:08pm

Try running from the command line uname -a.

MikeMcQ · April 17, 2024, 8:13pm

You might also want to look at CertSage. It may have been introduced after you setup your existing method.

It is designed for cPanel so might be easier than your upload process and managing certbot

fpeelo · April 17, 2024, 9:15pm

Thanks Mike!

From the instructions page, I thought it would be trying to install certbot on the server, which I don't have access for. I just wanted a certbot on my own laptop. So I'd just wasted over an hour trying to find out what version of Linux the hoster was using, and so on. Your instructions for installing certbot got me over a mental block pushing me in that direction.

So I started following your advice and went for Ubuntu 20, it was leading me towards snapd. Now, it seems recent Linux Mint versions have an explicit ban on snapd; there is a file
/etc/apt/preferences.d/nosnap.pref
to prevent it from being installed using apt. That scares me a bit. I tried looking up pip. But then light dawned - I could install certbot with sudo apt install certbot

And certbot worked fine that way, generated the keys, I could upload them on cpanel and now our group leader will be happy for a couple of months. (More if I don't drop the ball in July and let the certs expire again.)

Presumably eff would like me to use snapd to get a fresher version of certbot than might be in the lm repositories, would that be right? But I think generating the certs and uploading them this way works, am I leaving my site open to some sort of attack by using an older certbot?

fpeelo · April 17, 2024, 9:20pm

Thanks for your reply Bruce, but no. I don't have command line access to the server, only to the machine that would be running certbot, and as noted that's Linux Mint 21.3

Turns out my problem was only with Certbot Instructions | Certbot; it seemed only to want to give instructions for installing on the server and I can't do that. In the end, sudo apt install certbot got me sorted.

fpeelo · April 17, 2024, 9:22pm

CertSage page is now bookmarked. Will look into that before the expiry of tonights certificates.
Thanks again!

rg305 · April 18, 2024, 4:05am

The instructions are the same for servers as for non-servers.
The instructions are geared towards being able to run the client and get a cert.
[where/how you choose to use the cert(s), after that, is up to you]

schoen · April 18, 2024, 5:43am

Also helpful in many contexts is lsb_release -a (less details about the kernel, but more detail about the OS distributor).

fpeelo · April 18, 2024, 7:42am

It was not clear to me on the instructions page that certbot could be run on a non-server; in fact the instructions and help pages seem very clear that it is to be run on the server. The instructions start with looking for information about the server which I was unable to find and, in the end, which were not needed. A statement near the start of Certbot Instructions | Certbot or Get Help | Certbot saying what certbot is - i.e. a tool that provides certificates and can be run automatically on the server or on non-servers - would have saved me a couple of hours and I would not have been bothering you at all.

fpeelo · April 18, 2024, 7:50am

Thanks, that's a handy one to know. I used cat /etc/issue for the distro name info in my original post, but as stated that was for the computer I wanted to run certbot on - not the server which is what the instructions page was asking about as a barrier before getting any instructions. Fortunately, the information turns out not to be needed.

Bruce5051 · April 18, 2024, 4:10pm

FYI - Seems to be only true for linux not OpenBSD.