Certbot-auto is deprecated

Hi All,
I have an issue when I try to renew the SSL certificate. It worked until now!

My domain is:
prod04.niva.it

I ran this command:
/usr/local/bin/./certbot-auto renew

It produced this output:
Skipping bootstrap because certbot-auto is deprecated on this system.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.

My web server is (include version):
Oracle Cloud Server

The operating system my web server runs on is (include version):
Red Hat Enterprise Linux Server release 6.10 (Santiago)

My hosting provider, if applicable, is:
Oracle

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no, I use html folder to manage all webpages

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
cannot see the version. The output gives me the same as the renew option

certbot-auto was just a wrapper script around the Python Certbot application. It has been deprecated and subsequently removed for YEARS now.

If you want to keep using Certbot, the Certbot team recommends installing it using snap (see Certbot Instructions | Certbot). Alternatively (best effort support from the Certbot team), you could use pip (see Certbot Instructions | Certbot), which was also the method the certbot-auto wrapper script used internally.

1 Like

Hi Osiris, thanks for your reply.
I already tried to install it with snap and pip, but it returned some errors.
For example: it seems that snap for release 6 doesn't exist anymore (https://snapcraft.io/docs/installing-snap-on-centos), so I tried with pip.
So the commands I used are:

  1. yum install python34 (in the guide it is python3, but with a yum search it doesn't exist)
  2. yum install augeas-libs, and the result is "Package augeas-libs-1.0.0-10.el6.x86_64 already installed and latest version"

Anyway I tried to go ahead.

  1. python3 -m venv /opt/certbot/ ... with the following output:

    "Error processing line 1 of /usr/lib/python3.4/site-packages/distutils-precedence.pth:

      Traceback (most recent call last):
        File "/usr/lib64/python3.4/site.py", line 167, in addpackage
          exec(line)
        File "<string>", line 1, in <module>
        File "/usr/lib/python3.4/site-packages/_distutils_hack/__init__.py", line 35
          f"Register concerns at {report_url}"
          ^
      SyntaxError: invalid syntax

    Remainder of file ignored"

So I think that already here I have an issue.

1 Like

Yes, but it seems not with Certbot, but with your Python environment to begin with. The python -m venv step is not directly Certbot related, but uses the venv module to create a virtual environment to sandbox any Python application, regardless if it's going to be Certbot in the next steps or something else.

If venv doesn't work, then your problem is bigger than just Certbot.

Also, Python 3.4 has been end of life for almost 6 years now! Are you sure you can't update it to something newer? Also, I hope you have Extended Life-cycle Support Add-On for your RHEL 6 :astonished:

1 Like

Hopefully you are aware that CentOS Linux has been discontinued and is not safe to use anymore.

https://blog.centos.org/2023/04/end-dates-are-coming-for-centos-stream-8-and-centos-linux-7/

2 Likes

They claim to run RHEL 6.10, which still is in the "extended life phase" apparently.

1 Like

That is hardly any better. Extended support runs out at the end of the year.

2 Likes

Well, just a little bit. It's not completely unsupported. :stuck_out_tongue:

But running Python 3.4 anno 2024? Wow..

1 Like

With a system that old, it may be easier to use one of the copy-a-file-to-deploy clients that doesn't have much in the way of dependencies, rather than trying to mess with python environments. I've been reasonably happy with lego, and I know acme.sh is pretty popular too (though be aware that it doesn't use Let's Encrypt as its CA by default).

Though upgrading to a newer better-supported system is probably a better long-term solution, certainly.

5 Likes

"necessity" I'd say.

1 Like

...or one of the shell clients, like acme.sh or dehydrated.

2 Likes

So, we agree: acme.sh
[would be the simplest choice]

3 Likes

Thank you all!
Just for clarification, this is an old environment with software developed with PHP 5.3 (yeah I know what you are thinking :sweat_smile:), so it will be really difficult to move everything to a new environment.
The release is centos but it is an image that Oracle still provides on the cloud :zipper_mouth_face: (yes we have our datacenter on Oracle Cloud). The image name is "Oracle-Linux-6.10-2019.11.12-0".
So at the moment I have no other choice. I need to use this env and keep it running, hopefully not for a long time.
You suggest using acme.sh or dehydrated, if I'm not wrong, but since I'm really not so good with SSL certificates :smiling_face_with_tear:, could you help me?

1 Like

The reason acme.sh is recommended here is that it needs almost no dependencies, so running on an older version doesn't affect it. Look at GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol for its documentation. I'd like to say you want to add the export command to use the cert, not use it directly from acme.sh's internal dir.

4 Likes

Hi Orangepizza, thank you!

I installed acme.sh with no error, doing the following steps:

  1. curl https://get.acme.sh | sh -s email=myemail
  2. acme.sh --renew -d --force

but I received this output error:
" The domain 'prod04.niva.it' seems to already have an ECC cert, let's use it.
[Fri Oct 18 15:28:17 CEST 2024] Renewing: 'mydomain'
[Fri Oct 18 15:28:17 CEST 2024] Renewing using Le_API=https://acme.zerossl.com/v2/DV90
[Fri Oct 18 15:28:17 CEST 2024] Using CA: https://acme.zerossl.com/v2/DV90
[Fri Oct 18 15:28:18 CEST 2024] Single domain='mydomain'
[Fri Oct 18 15:28:19 CEST 2024] Getting webroot for domain='mydomain'
[Fri Oct 18 15:28:19 CEST 2024] Verifying: mydomain
[Fri Oct 18 15:28:20 CEST 2024] Processing. The CA is processing your order, please wait. (1/30)
[Fri Oct 18 15:28:24 CEST 2024] The retryafter=86400 value is too large (> 600), will not retry anymore.
[Fri Oct 18 15:28:24 CEST 2024] Please add '--debug' or '--log' to see more information.
[Fri Oct 18 15:28:24 CEST 2024] See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub

I already have a Letsencrypt certificate

1 Like

You may want to use --server letsencrypt to use Let's Encrypt instead of the default ZeroSSL (which as you've noticed, seems to be too slow to function at times.)

5 Likes

Thank you for the info.
Anyway, I got another error, below:

[root@produzione04 ~]# acme.sh --renew -d mydomain --server letsencrypt
[Fri Oct 18 15:59:03 CEST 2024] The domain 'mydomain' seems to already have an ECC cert, let's use it.
[Fri Oct 18 15:59:03 CEST 2024] Renewing: 'mydomain'
[Fri Oct 18 15:59:03 CEST 2024] Renewing using Le_API=https://acme-v02.api.letsencrypt.org/directory
[Fri Oct 18 15:59:03 CEST 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Oct 18 15:59:03 CEST 2024] Single domain='mydomain'
[Fri Oct 18 15:59:06 CEST 2024] Getting webroot for domain='mydomain'
[Fri Oct 18 15:59:06 CEST 2024] Verifying: mydomain
[Fri Oct 18 15:59:06 CEST 2024] Pending. The CA is processing your order, please wait. (1/30)
[Fri Oct 18 15:59:10 CEST 2024] mydomain: Invalid status. Verification error details: X.X.X.X: Invalid response from https://mydomain/.well-known/acme-challenge/6umF5tdeUBnnMBnAbJUPIG16JzlwfZujOTjGqCFolXo: 404
[Fri Oct 18 15:59:10 CEST 2024] Please add '--debug' or '--log' to see more information.
[Fri Oct 18 15:59:10 CEST 2024] See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub

I checked iptables and they are OK; the ACLs on Oracle Cloud are also OK.

I did some configuration:

  1. deleted the folder of the previous domain from /root/.acme.sh/
  2. issued a new cert with the command "acme.sh --issue -d mydomain -w /var/www/html"

It seems that it creates a new certificate from the ZeroSSL CA (and that's OK for me).
The certs are in "/root/.acme.sh/mydomain_ecc/"

Now I need to link this folder in order to use this new certificate.
I'll update you asap

Perfect guys!
After the ssl.conf update with the new cert path and an Apache restart, the new certificate is online!

Thank you so much for your support! Have a nice weekend.

2 Likes
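
The two failures in this thread can each be recognised from a single line of acme.sh output. The triage script below is an added example, not part of any post above and not part of acme.sh; the function names and result codes are its own, DOMAIN and DOCROOT are placeholders, and the sample lines are constructed from the output quoted in the thread with a placeholder token.

```shell
#!/bin/sh
# Added example. Result codes (this example's own names, not acme.sh's):
#   CA_RETRY_AFTER <secs> <ca-url>  CA asked for a longer wait than acme.sh accepts
#   HTTP01_FAIL <status> <url>      CA could not fetch the challenge file
#   OK                              neither pattern seen
triage_acme_log() {
    ca=unknown result=OK
    while IFS= read -r line; do
        case $line in
            *"Using CA: "*)
                ca=${line##*"Using CA: "} ;;
            *"The retryafter="*" value is too large"*)
                secs=${line#*retryafter=}
                result="CA_RETRY_AFTER ${secs%% *} $ca" ;;
            *"Invalid response from "*"/.well-known/acme-challenge/"*)
                rest=${line#*"Invalid response from "}   # "<url>: <status>"
                result="HTTP01_FAIL ${rest##*: } ${rest%%: *}" ;;
        esac
    done
    printf '%s\n' "$result"
}

# Map a result code to the step that resolved it in this thread.
advise() {
    case $1 in
        CA_RETRY_AFTER) echo "retry against another CA: acme.sh --renew -d DOMAIN --server letsencrypt" ;;
        HTTP01_FAIL)    echo "webroot not served at that URL: acme.sh --issue -d DOMAIN -w DOCROOT" ;;
        *)              echo "no known failure pattern" ;;
    esac
}

# Constructed samples, based on the output quoted in the thread (TOKEN is a placeholder).
sample_zerossl() { cat <<'EOF'
[Fri Oct 18 15:28:17 CEST 2024] Using CA: https://acme.zerossl.com/v2/DV90
[Fri Oct 18 15:28:20 CEST 2024] Processing. The CA is processing your order, please wait. (1/30)
[Fri Oct 18 15:28:24 CEST 2024] The retryafter=86400 value is too large (> 600), will not retry anymore.
EOF
}
sample_404() { cat <<'EOF'
[Fri Oct 18 15:59:03 CEST 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Oct 18 15:59:10 CEST 2024] mydomain: Invalid status. Verification error details: X.X.X.X: Invalid response from https://mydomain/.well-known/acme-challenge/TOKEN: 404
EOF
}

for s in sample_zerossl sample_404; do
    r=$($s | triage_acme_log)
    echo "$r"
    advise "${r%% *}"
done
```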