Certbot has detected that apache version < 2.4.11 or compiled against openssl < 1.0.2l

My domain is: test.bslbeam.co.uk

I ran this command: sudo certbot --apache

It produced this output: Certbot has detected that apache version < 2.4.11 or compiled against openssl < 1.0.2l. Since these are deprecated, the configuration file being installed at /etc/letsencrypt/options-ssl-apache.conf will not receive future updates. To get the latest configuration version, update apache.

My web server is (include version): Server version: Apache/2.4.65 (Ubuntu)
Server built: 2025-07-26T17:41:22

The operating system my web server runs on is (include version): Ubuntu 24.04.3 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 4.2.0

In addition, I'm not sure if you'd need the openssl version: OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)

I'm confused about the error, as I appear to have the most recent Apache 2 version, although I'm not knowledgeable enough to say whether it is compiled against the openssl that is on my system, or something else! Thanks

That's a first for me.

What does this show? Use the log file name for a Certbot run that fails. There may be multiples if you've tried it again since then.

cat /var/log/letsencrypt/letsencrypt.log | grep 'version'
2 Likes

While not the <2.4.11 from the warning (not an error as far as I know), your webserver identifies itself as "Apache/2.4.58 (Ubuntu)". Not 2.4.65.

Are you sure the IP address etc. are set to the server you're expecting the connections to go to, or that you're running Certbot on the server you're expecting to have Apache 2.4.65?

1 Like

Apologies. I suddenly thought it's Sunday and it might take a while to get a response, so I tried reinstalling the server from scratch, and for some reason it installed 2.4.58 this time!

EDIT: However, still getting the same error with certbot

Given my message to Osiris, that Apache is now 2.4.58, the output below seems to make sense:

2025-08-10 14:27:03,614:DEBUG:certbot._internal.main:certbot version: 4.2.0
2025-08-10 14:27:03,667:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.58
2025-08-10 14:27:03,781:WARNING:certbot_apache._internal.configurator:Certbot has detected that apache version < 2.4.11 or compiled against openssl < 1.0.2l. Since these are deprecated, the configuration file being installed at /etc/letsencrypt/options-ssl-apache.conf will not receive future updates. To get the latest configuration version, update apache.

Not so sure, because if I download and unpack the Ubuntu apache-bin package, its mod_ssl.so file is linked to OpenSSL 3 it seems when I do a ldd on it:

libssl.so.3 => /usr/lib64/libssl.so.3

So no OpenSSL 1 nor Apache <2.4.11?

If you're familiar with programming in Python, you could perhaps debug this specific function in /usr/lib/python3.13/site-packages/certbot_apache/_internal/configurator.py assuming you have Python 3.13 (probably not, as you're running Ubuntu :stuck_out_tongue:) and Ubuntu puts its Python packages in that specific directory. If not, you might need to look around a little bit. The specific function is pick_apache_config() and the relevant code starts on line 165.

3 Likes
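
The manual check from the post above (the Apache version plus the libssl that mod_ssl.so links against), as an added shell example that is not part of the original thread and not Certbot's code. It evaluates the two conditions named in the warning against sample output constructed from values quoted in this thread; the function names are hypothetical and the soname reading assumes the Debian/Ubuntu naming scheme.

```shell
#!/bin/sh
# Added example (not Certbot code). Inputs are constructed from values quoted in the thread.
APACHE_SAMPLE='Server version: Apache/2.4.58 (Ubuntu)'
LDD_SAMPLE='    libssl.so.3 => /usr/lib64/libssl.so.3'

# version_ge A B: succeed when A >= B. Fields compare numerically; a letter
# suffix such as the "l" in 1.0.2l breaks ties (so 1.0.2k < 1.0.2l).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = x[i] + 0; q = y[i] + 0
            if (p != q) exit (p > q ? 0 : 1)
            s = x[i] ""; t = y[i] ""
            sub(/^[0-9]+/, "", s); sub(/^[0-9]+/, "", t)
            if (s != t) exit (s > t ? 0 : 1)
        }
        exit 0
    }'
}

# Read `apache2ctl -v` output on stdin and print the version, e.g. 2.4.58.
apache_version() {
    sed -n 's|^Server version: Apache/\([0-9.]*\).*|\1|p' | head -n 1
}

# Read `ldd mod_ssl.so` output on stdin and print the libssl soname suffix (3, 1.1, 1.0.0).
libssl_soname() {
    sed -n 's|.*libssl\.so\.\([0-9][0-9.]*\) *=>.*|\1|p' | head -n 1
}

# Print a verdict for the two conditions named in the warning text.
check_warning_conditions() {
    av=$(printf '%s\n' "$1" | apache_version)
    so=$(printf '%s\n' "$2" | libssl_soname)
    [ -n "$av" ] || { echo "apache-version-unknown"; return 1; }
    version_ge "$av" 2.4.11 || { echo "apache-too-old"; return 1; }
    [ -n "$so" ] || { echo "libssl-not-linked"; return 1; }
    # Assumption: a 1.0.x soname does not reveal the patch letter, so it needs the exact version.
    version_ge "$so" 1.1 || { echo "openssl-1.0.x-check-exact-version"; return 1; }
    echo "ok"
}

check_warning_conditions "$APACHE_SAMPLE" "$LDD_SAMPLE"
```

On a live host, pass the real output of `apache2ctl -v` and of `ldd` on the installed mod_ssl.so as the two arguments.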

Thanks. Unfortunately, I have no experience with Python at all :slightly_frowning_face:

Yes, apart from the warning message that looks fine.

I just ran a test with Certbot 4.2 with Apache 2.4.58 (Ubuntu 22) and did not get that warning.

I even started without an options-ssl-apache.conf file and a new domain for a new request.

@Osiris knows Certbot internals (and python) far better than I do. I've pretty much exhausted my ideas apart from reporting it at the EFF's github for certbot. That will attract attention from their dev team: GitHub - certbot/certbot: Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.

I'd guess it is more related to openssl version detection than Apache but that's just my gut feel.

3 Likes

Thanks. I'm trying to use the most recent versions of everything but maybe I should try Ubuntu 22.04

I doubt very much that would help. The one you use is very popular as is Certbot. Something unusual but hard to guess.

It is just a warning and all should be working well. Are there actual problems with HTTPS connections?

Does Apache have any startup warnings in error_log or from this?

sudo apache2ctl -t -D DUMP_VHOSTS
3 Likes

I actually aborted when I got the warning, so haven't created a cert yet. I was concerned that the conf file wouldn't get updated and I'd like to keep this up as long as the LTS server is supported.

Thanks for the assurances though

1 Like

It is not updated often. You can see it here: certbot/certbot-apache/src/certbot_apache/_internal/tls_configs at main · certbot/certbot · GitHub

The most recent substantive change was to turn off ssl session tickets but not sure if that was recent or long ago (I didn't research). Looks like perhaps some cosmetic formatting changes along the way too.

Certbot follows the conventions here: Mozilla SSL Configuration Generator

I don't think it is harmful to proceed and then post at the EFF Github to get it resolved properly. In the meantime you have easy ways to check for (rare) changes to that. This may just turn out to be a quirk or regression in Certbot. If it is something odd in your install that would be worth sharing here so we can more quickly help others who see it. I've never seen this message before and I read pretty much every thread posted :slight_smile:

3 Likes

More than 5 years ago :wink: (relevant change that is)

3 Likes

Thanks both. Looks like, given my lack of ability to delve deeper, I should ignore the warning and forge ahead.

Sure, you might add the line below to that options file. Then it would be functionally the same

SSLSessionTickets       off

I don't know the circumstances by which Certbot would overlay it. To be extra safe you could make your own copy of that and change the include in Apache to refer to that new one.

I still think it is worthwhile for you to post about this at the EFF github for Certbot.

2 Likes
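
One way to carry out the suggestion in the post above (keep your own copy of the options file with `SSLSessionTickets off` and point the Apache include at it), as an added shell example that is not part of the original thread and not Certbot's code. The function names, the `.bak`/`.new` suffixes and the scratch-directory file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Certbot code): keep a private copy of the TLS options file,
# make sure it disables session tickets, and repoint vhost Include lines at it.

# Print the effective SSLSessionTickets value in FILE ("on", "off" or "unset").
# Apache directive names are case-insensitive; comment lines never match $1.
tickets_setting() {
    awk 'tolower($1) == "sslsessiontickets" { v = tolower($2) }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# pin_tls_options SRC DEST VHOST_DIR
pin_tls_options() {
    src=$1; dest=$2; vdir=$3
    [ -f "$dest" ] || cp "$src" "$dest" || return 1
    if [ "$(tickets_setting "$dest")" != "off" ]; then
        printf 'SSLSessionTickets       off\n' >> "$dest"   # last occurrence wins
    fi
    for f in "$vdir"/*.conf; do
        [ -f "$f" ] || continue
        # Rewrite only "Include SRC" lines, preserving their indentation.
        awk -v s="$src" -v d="$dest" '
            tolower($1) == "include" && $2 == s { sub(/[^ \t].*/, "Include " d) }
            { print }' "$f" > "$f.new"
        if cmp -s "$f" "$f.new"; then
            rm -f "$f.new"                  # this vhost never referenced SRC
        else
            cp -p "$f" "$f.bak" && mv "$f.new" "$f"
        fi
    done
}

# Constructed demo in a scratch directory (sample files, not a live system).
demo() {
    d=$(mktemp -d) && mkdir "$d/sites"
    printf '# constructed sample\nSSLEngine on\n' > "$d/options-ssl-apache.conf"
    printf '<VirtualHost *:443>\n    Include %s\n</VirtualHost>\n' \
        "$d/options-ssl-apache.conf" > "$d/sites/test-le-ssl.conf"
    pin_tls_options "$d/options-ssl-apache.conf" "$d/my-tls-options.conf" "$d/sites"
    echo "$(tickets_setting "$d/my-tls-options.conf") $(grep -c my-tls-options "$d/sites/test-le-ssl.conf")"
    rm -rf "$d"
}
demo
```

After running it against real files, validate the result with `apache2ctl -t` before reloading Apache.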

Sorry for bumping, but I just wanted to say I hit the same issue here on Ubuntu 24.04 with certbot installed via Snap, so you're not alone with seeing this message:

Certbot has detected that apache version < 2.4.11 or compiled against openssl < 1.0.2l. Since these are deprecated, the configuration file being installed at /etc/letsencrypt/options-ssl-apache.conf will not receive future updates. To get the latest configuration version, update apache.

2025-08-22 12:03:30,047:DEBUG:certbot._internal.main:certbot version: 4.2.0
2025-08-22 12:03:30,162:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.58

openssl version reports 3.0.13

2 Likes

The EFF maintains Certbot. The same advice applies that posting an issue on their github is best for this problem: GitHub · Where software is built

Their developers do not often review threads in this forum. We often help with common Certbot problems (and even tricky ones) but given the elapsed time it looks like no one here has any further advice for this one.

3 Likes

I've got a somewhat fortuitous workaround to this problem that I want to share.
I have no idea of why it worked, but it did, and so it may help others with the same problem.
Thank you,
Gus

Info:

Ubuntu 24.04, apache 2.4.58, openssl 3.0.13, snap 2.71,
certbot 4.2.0 (installed with snap) here,
all standard from apt packages.
I got the same warning message reported by Sherratt, and quit the Let's Encrypt certificate installation ("c" = cancel option).
However, it seems to have installed or partially installed the Let's Encrypt certificate
(which I had to remove manually, see below).

At that point my apache2 server did NOT have the ssl module activated.

Workaround:

I enabled the apache2 ssl module:

a2enmod ssl

When I tried to install the Let's Encrypt certificate again, it told me it was already
installed (probably partially, even though I canceled the installation, as mentioned above).

So, I manually removed the bits and pieces of the (partially?) installed Let's Encrypt certificate using these guidelines (since I used snap, the
command to remove python-certbot-apache is not applicable).
In particular, I deleted the three letsencrypt directories mentioned in the guidelines.

Then I tried again to install the certificate with snap:

certbot certonly --apache

This time it worked perfectly.

Comment:

Although this sequence of events (failure/partial install of Let's Encrypt / Apache2 ssl module enabling / success installing Let's Encrypt) may seem very fortuitous,
it may be a workaround for the problem.
However, the very same sequence of events may suggest a bug in the snap
version of certbot, and hopefully where it is in the code.
Maybe this can help the certbot developers to debug it.

The Certbot team has developed a fix due in the next update.

3 Likes
