Certbot 0.21.0 Release


We just released Certbot 0.21.0. The changelog for the release is:

0.21.0 - 2018-01-17


  • Support for the HTTP-01 challenge type was added to our Apache and Nginx plugins. For those not aware, Let’s Encrypt disabled the TLS-SNI-01 challenge type which was what was previously being used by our Apache and Nginx plugins last week due to a security issue. For more information about Let’s Encrypt’s change, click here. Our Apache and Nginx plugins will automatically switch to use HTTP-01 so no changes need to be made to your Certbot configuration, however, you should make sure your server is accessible on port 80 and isn’t behind an external proxy doing things like redirecting all traffic from HTTP to HTTPS. HTTP to HTTPS redirects inside your Apache and Nginx configuration are fine.
  • IPv6 support was added to the Nginx plugin.
  • Support for automatically creating server blocks based on the default server block was added to the Nginx plugin.
  • The flags --delete-after-revoke and --no-delete-after-revoke were added allowing users to control whether the revoke subcommand also deletes the certificates it is revoking.


  • We deprecated support for Python 2.6 and Python 3.3 in Certbot and its ACME library. Support for these versions of Python will be removed in the next major release of Certbot. If you are using certbot-auto on a RHEL 6 based system, it will guide you through the process of installing Python 3.
  • We split our implementation of JOSE (Javascript Object Signing and Encryption) out of our ACME library and into a separate package named josepy. This package is available on PyPI and on GitHub.
  • We updated the ciphersuites used in Apache to the new values recommended by Mozilla. The major change here is adding ChaCha20 to the list of supported ciphersuites.


  • An issue with our Apache plugin on Gentoo due to differences in their apache2ctl command have been resolved.

More details about these changes can be found on our GitHub repo:

Solution: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA
IMPORTANT: What you need to know about TLS-SNI validation issues
Help test Certbot Apache and Nginx fixes for TLS-SNI-01 outage
Newbie apache-centos7 question
Existing certs from TLS-SNI-01 to HTTP-01 manually- or automatically done
Debian package update?
The 'josepy' distribution was not found and is required by certbot

nice work!! Like the changes


Good work. Any idea how long it will take for this to hit EPEL for CentOS 7?


Nice one. When will http://ppa.launchpad.net/certbot/certbot/ubuntu be updated?


you guys are great! respect! :sunny:


I’m getting close to a few renewals now, so I’ve done yum remove certbot and am switching to certbot-auto, which has brought down 0.21.0 and appears to work.


How are people installing this version on Ubuntu 16.04? It’s been a week and it doesn’t look like the PPA has been updated yet.


@bmw can you provide some estimates for the PPA and other packaged distribution channels?


The maintainer of the Certbot packages in Debian and the Ubuntu PPA wrote this a couple days ago:

Hello! We just finished the migration of 0.20 to Debian testing. I know the TLS-SNI-01 issue makes the 0.21 version more important to get out quickly, and I’m aiming to have it starting to bake in unstable in the next few days. It will probably take at least a week to trickle out to Debian testing, and then from there down to the PPA and (eventually) a stable release update.

On the EPEL/Fedora side of things, I didn’t get an exact estimate, but the maintainers are aware of the changes here and I’d expect them to start working on packaging in the next few days.


I couldn’t wait for the PPA so I installed from github - works for me on Ubuntu 14.04 LTS and 16.04 LTS:

sudo apt-get remove certbot
sudo add-apt-repository --remove ppa:certbot/certbot
cd /opt
sudo git clone https://github.com/certbot/certbot.git
cd certbot
sudo git checkout v0.21.1
sudo ln -s /opt/certbot/certbot-auto /usr/bin/certbot
certbot renew
sudo apt-get autoremove```


Thanks, look like very good improvements


I found 0.21.1 in Ubuntu 16.04 this morning so it made its way down to the PPA.


Is anyone else having issues on Ubuntu 16.04 because the certbot executable tries to run with /usr/bin/python but that’s the python 2 executable and python 3 is /usr/bin/python3? For now, I’ve changed the hashbang line, but that’ll get overwritten anytime I upgrade certbot.



The web page https://certbot.eff.org/#debianjessie-apache needs to be updated. At the moment (2nd March) it just says “Since Certbot is packaged for your system, all you’ll need to do is apt-get the following packages. … then run sudo apt-get install …”

But this isn’t true anymore, since the version of certbot that is currently in the Debian jessie-backports repo is 0.10.2.


Unfortunately 0.10.2 is the most recent version of Certbot that has been packaged for Debian Jessie. We’re hoping that a newer version of Certbot can be uploaded to jessie-backports-sloppy soon. Any updates on that @hlieberman?


Any news on this? I need to add domains to my cert. Apt-Get is only serving certbot 0.19.0 for Ubuntu 16.04


You don’t need to have the most recent version of certbot since the tls-sni-01 issue. You can ‘manually’ tell certbot to use the Apache or nginx installer with the webroot plugin for authentication:

certbot -i apache -a webroot -w /path/to/webroot/of/domainA -d domainA -w /path/to/webroot/of/domainB -d domainB


In a few cases, that might require making a configuration file change (to permit serving static files from /.well-known) that --apache in a newer Certbot might not have required. But it’s a totally valid solution in general.


The PPA has 0.21.1. What is apt-get’s output? If you’re using “apt-get upgrade”, you need to use “apt-get dist-upgrade” this time, some of the libraries were renamed.


Looks like “apt-get dist-upgrade” was the trick, it updated to certbot 0.21.1 and the challenges are now working. Thanks for the swift response!