Certbot update for CentOS 7: use --preferred-chain to select a shorter chain

Just a quick note for CentOS 7 users: I pushed a certbot update yesterday so that you can choose the shorter chain via --preferred-chain. Currently the update is in epel-testing so you need to tell yum to use that repo explicitly.

The update will be available in the regular stable repo in two weeks. You can help get it into stable by installing the update from epel-testing and leaving positive karma there.

More details how to get the update via Fedora bodhi.

Of course I'm still planning to update certbot in EPEL 7 to a much newer version but that is not as easy as we have to transition to Python 3 as a precondition. If you'd like to know more about the challenge please read my recent post in RHEL/CentOS 7 OpenSSL client compatibility after new chain.

Btw: I'd love to get some regular testers for certbot updates in Fedora/CentOS. Of course we are running certbot's test suite before every release but there are no functional tests. Most certbot updates are pushed to stable without anyone executing certbot even once. So far stuff "just worked" but at some point we might push a broken update just because nobody spent time to test the updates. Even just running certbot on your servers for a few days and checking that regular renewals work would be helpful.

If you have any ideas how I could facilitate a tester community please let me know. For example I could send a post to this forum once we have a new update ready.


I'd also like to thank the certbot team for their efforts:

  • Their automated test suite is a great help to ensure quality.
  • Everyone is really responsive when we need to support older versions of some dependencies (dnspython 1.15 was the most recent one).
  • Brad Warren (@bmw) is great at pointing me to relevant patches, asking for distro input and even took the time to install my patched version.

Thank you very much - without you I would have to spend so much more time providing a useful distro package for Fedora, CentOS and RHEL.


My sincere thanks for enabling preferred-chain in certbot. Didn't have to transition to lego everywhere :wink:


I just noticed that the bodhi page does not tell you how to install the update from the testing repo. Run this command as root if you have certbot already installed on your CentOS 7 machine:
# yum update --enablerepo=epel-testing certbot

