Cerbot and certbot-auto show different versions


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: diserva.de

I ran this command: certbot --version || ./certbot-auto --version

It produced this output: certbot 0.10.2

My web server is (include version): Apache/2.4.10 (Debian)

The operating system my web server runs on is (include version): Debian 8.10 (jessie)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

This is exactly the question. When running “certbot --version”, I get “certbot 0.10.2”, when running “./certbot-auto --version”, I get “certbot 0.31.0”.

The overall question I have is: am I save for discontinuation of ACME TLS-SNI-01?

“certbot renew --dry-run” produces this error when performing the challenges:

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert from /etc/letsencrypt/renewal/www.diserva.de.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA… Skipping.

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.diserva.de/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)

while “./certbot-auto renew --dry-run” shows no errors.


#2

Hi @fidelio2000

you have installed two different versions. Certbot and Certbot-Auto.

Your certbot-auto is up-to-date, your certbot is expired. So ignore the error of your certbot and use certbot-auto.

PS: Your certificate is ok, has both domain names, both connections are secure.

CN=www.diserva.de
	31.01.2019
	02.05.2019
expires in 66 days	diserva.de, www.diserva.de - 2 entries

So recheck your domain in 40 days if the renew has worked.


#3

Great, thank you for the quick answer. When you say “use certbot-auto”, do I have to actually activate/do/configure anything or am I good to go like that when certbot-auto produces no errors?


#4

I would wait. Your certificate is valide, I don’t know, what you have done. Wait 40 days. Your certbot may crash, but that’s not relevant.

If your certbot-auto has created the current certificate, it will run again.

If not, start certbot-auto one time manual.


#5

There’s probably a cron job and/or systemd timer that runs “certbot -q renew” using the older Certbot package.

Unless you’ve set something up, the newer certbot-auto installation will probably never automatically renew your certificates, and you’ll have to run “path/to/certbot-auto renew” manually, or else your certificates will expire.

You can probably see how it’s set up with:

cat /etc/cron.d/certbot
systemctl cat certbot.service
systemctl cat certbot.timer

It might be a good idea to simply uninstall the Debian certbot package, and set up a modified cron job or timer that runs certbot-auto -q renew.


closed #6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.