Certbot Upgrade Not Working

Greetings!

I am running Ubuntu 18.04.1 on a Linode VPS and have been trying to upgrade certbot from 0.23 to 0.30 in order to deal with the TLS-SNI-01 validation end of life issue. (As near as I could tell, this was the best way to address this upcoming challenge to my SSL certificates.)

I have run every command I can find to update and upgrade certbot, and as near as I can tell they have all run successfully. Despite these efforts, however, every time I run certbot --version, the return says Iā€™m still using certbot 0.23.0.

Iā€™ve tried looking for help, but I canā€™t find other people with this particular problem. All my certificates are working fine right now, but it seems as though that will end as early as February 13 if I donā€™t find a solution.

All help is greatly appreciated!

1 Like

What commands have you run?

Is the Certbot PPA enabled?

Does ā€œsudo apt updateā€ work?

What do ā€œapt list --upgradableā€ and ā€œapt policy certbot python3-certbotā€ show?

I have the same problem but on Ubuntu 16.04

I run these commands:

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache 

The output from the last command is:
python-certbot-apache is already the newest version (0.28.0-1+ubuntu16.04.1+certbot+3)

but when I run ā€˜certbot --versionā€™, I get:

certbot 0.26.1

ā€œapt list --upgradableā€ returns:

certbot/xenial,xenial 0.28.0-1+ubuntu16.04.1+certbot+4 all [upgradable from: 0.26.1-1+ubuntu16.04.1+certbot+2]

ā€œ apt policy certbot python3-certbot ā€ returns:

certbot:
Installed: 0.26.1-1+ubuntu16.04.1+certbot+2
Candidate: 0.28.0-1+ubuntu16.04.1+certbot+4
Version table:
0.28.0-1+ubuntu16.04.1+certbot+4 500
500 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 Packages
500 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main i386 Packages
*** 0.26.1-1+ubuntu16.04.1+certbot+2 100
100 /var/lib/dpkg/status
python3-certbot:
Installed: 0.26.1-1+ubuntu16.04.1+certbot+2
Candidate: 0.28.0-1+ubuntu16.04.1+certbot+4
Version table:
0.28.0-1+ubuntu16.04.1+certbot+4 500
500 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main amd64 Packages
500 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial/main i386 Packages
*** 0.26.1-1+ubuntu16.04.1+certbot+2 100
100 /var/lib/dpkg/status

@AngelAnichin Try ā€œsudo apt upgradeā€ and, if that doesnā€™t work and it doesnā€™t want to do anything problematic, ā€œsudo apt full-upgradeā€.

1 Like

I believe the certbot PPA is enabled, yes. I can certainly confirm that, though, if necessary.

I have followed all instructions for installing and upgrading from eef and other help articles, but I mostly remember apt-get update and apt-get upgrade. There were others in there last week, but I donā€™t remember them all.

apt list --upgradable returns

certbot/bionic,bionic 0.28.0-1+ubuntu18.04.1+certbot+4 all [upgradable from: 0.23.0-1]
linux-generic/bionic-updates,bionic-security 4.15.0.43.45 amd64 [upgradable from: 4.15.0.23.25]
linux-headers-generic/bionic-updates,bionic-security 4.15.0.43.45 amd64 [upgradable from: 4.15.0.23.25]
linux-image-generic/bionic-updates,bionic-security 4.15.0.43.45 amd64 [upgradable from: 4.15.0.23.25]
netplan.io/bionic-updates,bionic-security 0.40.1~18.04.4 amd64 [upgradable from: 0.36.2]
python3-acme/bionic,bionic 0.28.0-1+ubuntu18.04.1+certbot+3 all [upgradable from: 0.22.2-1]
python3-certbot/bionic,bionic 0.28.0-1+ubuntu18.04.1+certbot+4 all [upgradable from: 0.23.0-1]
python3-certbot-apache/bionic,bionic 0.28.0-1+ubuntu18.04.1+certbot+3 all [upgradable from: 0.23.0-1]
python3-parsedatetime/bionic,bionic 2.4-3+ubuntu18.04.1+certbot+3 all [upgradable from: 2.4-2]

apt policy certbot python3-certbot returns

certbot:
Installed: 0.23.0-1
Candidate: 0.28.0-1+ubuntu18.04.1+certbot+4
Version table:
0.28.0-1+ubuntu18.04.1+certbot+4 500
500 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic/main amd64 Packages
500 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic/main i386 Packages
*** 0.23.0-1 500
500 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
500 http://us.archive.ubuntu.com/ubuntu bionic/universe i386 Packages
100 /var/lib/dpkg/status
python3-certbot:
Installed: 0.23.0-1
Candidate: 0.28.0-1+ubuntu18.04.1+certbot+4
Version table:
0.28.0-1+ubuntu18.04.1+certbot+4 500
500 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic/main amd64 Packages
500 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic/main i386 Packages
*** 0.23.0-1 500
500 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
500 http://us.archive.ubuntu.com/ubuntu bionic/universe i386 Packages
100 /var/lib/dpkg/status

Thanks Matt! ā€œsudo apt upgradeā€ did the trick. I have certbot 0.28.0 now.

The email ā€œAction required: Letā€™s Encrypt certificate renewalsā€ that I received had this in it:

ā€œIf youā€™re a Certbot user, you can find more information here:
How to stop using TLS-SNI-01 with Certbotā€

When you follow the link you get these instructions:

" If the version is less than 0.28, you need to upgrade your Certbot. Visit https://certbot.eff.org/ and follow the instructions for your webserver and OS."

When you follow that link you get the commands to install Certbot. But they do not upgrade the version.

Perhaps another email should be sent with more clear instructions on how to upgrade an existing Certbot installation.

1 Like

FAILED

Then:

WORKED

Maybe the instructions should be updated to include this "possibility" ?

sudo apt upgrade worked for me!

sudo apt-get upgrade just wouldnā€™t upgrade certbot to 0.28

thanks!

1 Like

Worked for our websites

If Ubuntu 18.04

apt install certbot python3-certbot python-certbot-apache

certbot --version
certbot 0.28.0

If CentOS7

yum update certbot python-certbot-apache python2-certbot python2-acme

certbot --version
certbot 0.29.1

However, cat /etc/letsencrypt/renewal/MySite.conf. Continue to show:

version = 0.26.1

Is it normal?

Yes, the renewal file is only updated AFTER a cert renewal - not on certbot update.

3 Likes

This is a good idea, I mentioned it to the Certbot devs. I don't think comparing apt update to apt upgrade is really the right thing - update fetches a newer list of available packages, while upgrade actually installs the newer packages. I think the underlying issue is this:

  sudo apt-get install python-certbot-apache 

If you already have python-certbot-apache installed, that command will upgrade python-certbot-apache, but it won't upgrade python-certbot. I think adding python-certbot to the list probably makes sense so that the instructions keep people up to date even if they've already got the software installed.

I think there's an additional factor -- when python-certbot-apache got replaced with a transitional dummy package for python3-certbot-apache, it stopped having a dependency on a specific version of any other packages, so I think (re)installing it makes apt less prone to upgrading anything else.

1 Like

Doh! [that was my mistake]

I meant to compare:
apt upgrade
with
apt-get upgrade

One seems to work ā€œbetter/differentlyā€ than the other (at times).

Interesting. Iā€™m fairly confident that apt upgrade does exactly the same thing as apt-get upgrade. If you have documentation otherwise I would be interested to read it.

Two people in this thread have said the results differ:

Good point!

@gmarzloff, can you confirm whether the command that was not working for you was sudo apt-get upgrade? Could it have been sudo apt-get update?

@rg305: According to https://itsfoss.com/apt-vs-apt-get-difference/, both apt upgrade and apt-get upgrade have the functionality ā€œUpgrades all upgradable packages.ā€ If youā€™re suggesting that one behaves differently, thatā€™s a pretty significant claim ā€“ Iā€™d want to dig deeper before making that claim.

1 Like

All things being equal, things would be equalā€¦
So maybe they arenā€™t equal.
Hard to setup a test for this though.

@jsha I followed the instructions here hoping to upgrade from 0.23 to 0.28.

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot python-certbot-apache 

apt-get update didnā€™t work. Iā€™m over 75% certain I tried apt-get upgrade which didnā€™t work either. When I ran apt upgrade, certbot --version showed 0.28. I wish I could be more precise on the method but I was trying a lot of different commands trying to find a solution.

1 Like

No problem, I appreciate you adding the extra detail! FYI, apt-get update and apt update never install new software, they just download new lists of software. So Iā€™m not surprised that update didnā€™t fix the issue. Both apt-get upgrade and apt upgrade should have fixed the issue; weā€™ll keep an eye out for similar reports, in case there really is an issue with one of the upgrade variants.

Also itā€™s worth noting that weā€™ve already updated https://certbot.eff.org/lets-encrypt/ubuntubionic-apache based on the feedback in this thread. Specifically where it used to say:

  $ sudo apt-get install python-certbot-apache 

Now it says:

  $ sudo apt-get install certbot python-certbot-apache

Which should be more correct. Thanks for your feedback, hopefully youā€™ve made things a bit easier for everyone else!

1 Like

This worked for me too!

sudo apt upgrade
certbot 0.28.0

Thanks all for the help; Iā€™m all set at this point.

2 Likes