Certbot 3.0.0 Release!

Hey everyone, we just released Certbot 3.0.0! Despite being a major version bump, the changelog is actually quite modest -- the biggest changes involve deprecating the recently EOL'd Python 3.8, and upgrading our snap to use Python 3.12.

Importantly, because the snap has moved to a newer Python version, it's possible that some snap plugins you use may no longer work! We announced this change at the beginning of October, and although many plugins have updated to be compatible with 3.0, some still haven't. If Certbot detects an outdated snap plugin, it will display this warning:

The following plugins are using an outdated python version and must be updated to be compatible with Certbot 3.0. Please see https://community.letsencrypt.org/t/certbot-3-0-could-have-potential-third-party-snap-breakages/226940 for more information:
 * <some plugin>

If this happens, it means the maintainer of that plugin needs to update their code. Luckily, we've put together a handy checklist for doing this!

And now, your regularly scheduled changelog:

3.0.0 - main

Changed

  • The update_symlinks command was removed.
  • The csr_dir and key_dir attributes on
    certbot.configuration.NamespaceConfig were removed.
  • The --manual-public-ip-logging-ok command line flag was removed.
  • The --dns-route53-propagation-seconds command line flag was removed.
  • The certbot_dns_route53.authenticator module has been removed. This should
    not affect any users of the plugin and instead would only affect developers
    trying to develop on top of the old code.
  • Support for Python 3.8 was deprecated and will be removed in our next planned
    release.

More details about these changes can be found on our GitHub repo.

12 Likes

These lines are confusing to me:

the biggest changes involve moving from the recently EOL'd Python 3.8 to 3.12

Support for Python 3.8 was deprecated and will be removed in our next planned release.

It looks like 3.8 is still supported - as well as 3.9, 3.10, and 3.11. Are you planning to deprecate everything below 3.12 in the next release?

For a moment I thought you're saying that Certbot's snap package will be on core24 and python3.12 -- but py3.10 looks to be the default python version on that...

So I am just really confused by this announcement. Can you elaborate on the planned support and deprecation timelines for 3.8 - 3.12?

5 Likes

Oops you're totally right, my wording conflated two different changes:

  1. Certbot 3.0's snap now uses Python 3.12, and so snap plugins which still use Python 3.8 won't be loaded anymore. This is the main backwards-compatibility breaking change of 3.0.
  2. We've deprecated support for Python 3.8 more generally throughout the codebase, and will indeed remove support for it in the next release, Certbot 3.1. For non-snap installations, Python 3.9-3.12 will continue to be supported.

Sorry for the confusion, I'll update the main post to better reflect this!

7 Likes

Thanks! This all makes sense now!

6 Likes

Just to gain as much clarity as possible:

  • Will the snap version of certbot 3.x now be installed together with python 3.12?
  • Does the default operating system version of python (for Ubuntu 22.04.5 LTS it is 3.10.12) remain unaffected?

I assume that both are true.

1 Like

That is how I understand snap things to work.

3 Likes

That looks a bit worrying. With certbot 3.0.0, the command

sudo certbot renew --cert-name bausznern.org --dry-run

outputs the following warnings:

 /snap/certbot/4182/lib/python3.12/site-packages/certbot/ocsp.py:238:
 CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
  if not response_ocsp.this_update:
 
 /snap/certbot/4182/lib/python3.12/site-packages/certbot/ocsp.py:240:
 CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
  if response_ocsp.this_update > now + timedelta(minutes=5):
 
 /snap/certbot/4182/lib/python3.12/site-packages/certbot/ocsp.py:242:
 CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc.
  if response_ocsp.next_update and response_ocsp.next_update < now -timedelta(minutes=5):

For

sudo certbot renew --cert-name carvaka.de --dry-run

I get this bug which I have never seen before:

- - - - - - - - - - - - - - - - - - - - - - - - - -
 Processing /etc/letsencrypt/renewal/carvaka.de.conf
 - - - - - - - - - - - - - - - - - - - - - - - - - -
 /snap/certbot/4182/lib/python3.12/site-packages/certbot/ocsp.py:238:
 CryptographyDeprecationWarning: Properties that return a naïve datet>
   if not response_ocsp.this_update:
 /snap/certbot/4182/lib/python3.12/site-packages/certbot/ocsp.py:240:
 CryptographyDeprecationWarning: Properties that return a naïve datet>
   if response_ocsp.this_update > now + timedelta(minutes=5):
 /snap/certbot/4182/lib/python3.12/site-packages/certbot/ocsp.py:242:
 CryptographyDeprecationWarning: Properties that return a naïve datet>
   if response_ocsp.next_update and response_ocsp.next_update < now -timedelta(minutes=5):
 Simulating renewal of an existing certificate for carvaka.de and www.carvaka.de

 Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: www.carvaka.de
  Type:   dns
  Detail: DNS problem: server failure at resolver looking up A for www.carvaka.de; DNS problem: server failure at resolver looking up AAA>

 Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve>

 Failed to renew certificate carvaka.de with error: Some challenges have failed.

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 All simulated renewals failed. The following certificates could not be renewed:
   /etc/letsencrypt/live/carvaka.de/fullchain.pem (failure)
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Those warnings are a known issue and the Certbot team plans to have it fixed in 3.1.0. It does not affect Certbot except for these warning messages.

Please open a new thread with regard to this error, as it has nothing to do with Certbot itself.

If you'd like, I can split your post into a new thread.

1 Like
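As an added example (not Certbot's code and not part of any post above), the sketch below shows the same three freshness checks quoted in the warnings, performed on timezone-aware values such as the `this_update_utc` and `next_update_utc` properties the warning points to. `FakeOcspResponse`, `check_update_window` and `SKEW` are hypothetical names, and the response object is a constructed stand-in rather than a real parsed OCSP response.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Clock-skew tolerance, taken from the timedelta(minutes=5) in the quoted lines.
SKEW = timedelta(minutes=5)


@dataclass
class FakeOcspResponse:
    """Constructed stand-in exposing only the two aware-datetime fields."""
    this_update_utc: Optional[datetime]
    next_update_utc: Optional[datetime]


def _require_aware(name, value):
    # A naive datetime carries no UTC offset. Comparing it with an aware one
    # raises TypeError, and guessing local time can shift the window by hours.
    if value is not None and value.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")
    return value


def check_update_window(resp, now=None):
    """Return None if resp is inside its validity window, else a reason string."""
    now = _require_aware("now", now or datetime.now(timezone.utc))
    this_update = _require_aware("this_update_utc", resp.this_update_utc)
    next_update = _require_aware("next_update_utc", resp.next_update_utc)
    if this_update is None:
        return "thisUpdate is not set"
    if this_update > now + SKEW:
        return "thisUpdate is in the future"
    # nextUpdate is optional; only a present value can be stale.
    if next_update is not None and next_update < now - SKEW:
        return "nextUpdate is in the past"
    return None
```

Rejecting naive values outright, instead of assuming UTC, keeps a mislabelled local time from silently widening or narrowing the accepted window.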

Question about versioning: Is it possible to go back to the latest certbot 2.x snap version?

Yes, see this thread: "CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc. if not response_ocsp.this_update:" (Issue #9967, certbot/certbot, GitHub)

sudo snap revert certbot --revision 3834

4 Likes

Yes. Both are true.

Only snap deployment is materially affected by this release.

The new snap deployment upgrades the snap core, which now uses Python 3.12. Snap maintains its own version of Python, which is only used by snap and is sideloaded next to the System Python. The snap deployments are configured to use the snap Python installation and not the system Python installation.

The system Python is entirely unaffected.

This is the same as how Python.org distributes binaries that install in /usr/local/lib/python/{version} or similar - while the OS packages are installed in /usr/lib/python/{version} or similar.

3 Likes
