Certbot 0.21.0 Release


We just released Certbot 0.21.0. The changelog for the release is:

0.21.0 - 2018-01-17


  • Support for the HTTP-01 challenge type was added to our Apache and Nginx plugins. For those not aware, Let’s Encrypt disabled the TLS-SNI-01 challenge type, which was what was previously being used by our Apache and Nginx plugins, last week due to a security issue. For more information about Let’s Encrypt’s change, click here. Our Apache and Nginx plugins will automatically switch to use HTTP-01, so no changes need to be made to your Certbot configuration; however, you should make sure your server is accessible on port 80 and isn’t behind an external proxy doing things like redirecting all traffic from HTTP to HTTPS. HTTP to HTTPS redirects inside your Apache and Nginx configuration are fine.
  • IPv6 support was added to the Nginx plugin.
  • Support for automatically creating server blocks based on the default server block was added to the Nginx plugin.
  • The flags --delete-after-revoke and --no-delete-after-revoke were added allowing users to control whether the revoke subcommand also deletes the certificates it is revoking.


  • We deprecated support for Python 2.6 and Python 3.3 in Certbot and its ACME library. Support for these versions of Python will be removed in the next major release of Certbot. If you are using certbot-auto on a RHEL 6 based system, it will guide you through the process of installing Python 3.
  • We split our implementation of JOSE (Javascript Object Signing and Encryption) out of our ACME library and into a separate package named josepy. This package is available on PyPI and on GitHub.
  • We updated the ciphersuites used in Apache to the new values recommended by Mozilla. The major change here is adding ChaCha20 to the list of supported ciphersuites.


  • An issue with our Apache plugin on Gentoo due to differences in their apache2ctl command has been resolved.

More details about these changes can be found on our GitHub repo:


nice work!! Like the changes


Good work. Any idea how long it will take for this to hit EPEL for CentOS 7?


Nice one. When will http://ppa.launchpad.net/certbot/certbot/ubuntu be updated?


you guys are great! respect! :sunny:


I’m getting close to a few renewals now, so I’ve done yum remove certbot and am switching to certbot-auto, which has brought down 0.21.0 and appears to work.


How are people installing this version on Ubuntu 16.04? It’s been a week and it doesn’t look like the PPA has been updated yet.


@bmw can you provide some estimates for the PPA and other packaged distribution channels?


The maintainer of the Certbot packages in Debian and the Ubuntu PPA wrote this a couple days ago:

Hello! We just finished the migration of 0.20 to Debian testing. I know the TLS-SNI-01 issue makes the 0.21 version more important to get out quickly, and I’m aiming to have it starting to bake in unstable in the next few days. It will probably take at least a week to trickle out to Debian testing, and then from there down to the PPA and (eventually) a stable release update.

On the EPEL/Fedora side of things, I didn’t get an exact estimate, but the maintainers are aware of the changes here and I’d expect them to start working on packaging in the next few days.


I couldn’t wait for the PPA so I installed from GitHub - works for me on Ubuntu 14.04 LTS and 16.04 LTS:

```
sudo apt-get remove certbot
sudo add-apt-repository --remove ppa:certbot/certbot
cd /opt
sudo git clone https://github.com/certbot/certbot.git
cd certbot
sudo git checkout v0.21.1
sudo ln -s /opt/certbot/certbot-auto /usr/bin/certbot
certbot renew
sudo apt-get autoremove
```


Thanks, looks like very good improvements


I found 0.21.1 in Ubuntu 16.04 this morning so it made its way down to the PPA.


Is anyone else having issues on Ubuntu 16.04 because the certbot executable tries to run with /usr/bin/python but that’s the python 2 executable and python 3 is /usr/bin/python3? For now, I’ve changed the hashbang line, but that’ll get overwritten anytime I upgrade certbot.