Certbot upgraded but config file set with old version

Hi,

3 years ago, I installed and set Certbot on my AWS EC2 instance (for a little personal Node.js application). The version was 0.21.1, and I was using Ubuntu 16.04.3 LTS. Everything was fine (thanks to @sahsanu, his help was precious).

This weekend, I upgraded my instance with Ubuntu 20.04.2 LTS, and I installed the latest version of Certbot (1.13.0) following the instructions here: https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx.

When I ran:

sudo certbot --nginx

After the selection of my domain, I selected 1: Attempt to reinstall this existing certificate. And everything succeeded (I also ran sudo certbot renew --dry-run to make sure).

But in my config file /etc/letsencrypt/renewal/MY.WEBSITE.COM.conf, I still see the old version of Certbot. Here is the content of this file:
(to make it simple, let's use MY.WEBSITE.COM for my domain)

# renew_before_expiry = 30 days
version = 0.21.1
archive_dir = /etc/letsencrypt/archive/MY.WEBSITE.COM
cert = /etc/letsencrypt/live/MY.WEBSITE.COM/cert.pem
privkey = /etc/letsencrypt/live/MY.WEBSITE.COM/privkey.pem
chain = /etc/letsencrypt/live/MY.WEBSITE.COM/chain.pem
fullchain = /etc/letsencrypt/live/MY.WEBSITE.COM/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = nginx
account = XXXXXXXXXXXXXXXXXXX
post_hook = systemctl reload nginx
[[webroot_map]]
MY.WEBSITE.COM = /home/ubuntu/letsencrypt

1. I assume I have to run a command to set the new certbot version? (as it's not recommended to edit it)

2. If you have any recommendation to improve my current config file, I'm more than open. Maybe I should add rsa_key_size or something?

3. In my /etc/cron.d/certbot file, I've got the following content. Is it still fine, or are there better things to do? (like maybe using SysVinit instead of SystemD, or certbot-auto instead of certbot)

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew

4. I decided to upgrade mainly because I was wondering if the version of certbot I had was outdated and was still using ACMEv1 (my current certificate expires in June, that's why I'm not sure). Actually, in January, I received an email from Let's Encrypt mentioning (in passing, thanks to Let's Encrypt for sending such emails):

According to our records, your Let's Encrypt software client renewed a TLS/SSL certificate recently using the ACMEv1 protocol

So I assume it was time to upgrade.
Do we have to expect the ACMEv2 protocol to be deprecated in the coming 2-3 years?
(just to have an idea of when I should upgrade certbot again)

Thanks in advance for your help :wink:

Don't worry about it.

Its purpose is to act as a safeguard against using an old version of Certbot against a configuration file which was generated by a much newer version of Certbot.

When Certbot next renews the certificate for real, the version will be automatically updated for you.

It looks good to me. Unless there is something you feel is missing, leaving the defaults is just great.

Your system will be relying on the systemd snap.certbot.renew.timer timer now, but having the entry in cron.d probably isn't going to do any harm. Leave it if you want, get rid of it if you want.

I don't think it will ever happen. ACMEv2 was a standardization effort which is now RFC 8555 - Automatic Certificate Management Environment (ACME). Multiple certificate authorities implement it, so it fundamentally changing is unlikely.

ACMEv1, on the other hand, has a more ad-hoc, single-CA history and was created from an early draft of what eventually turned into ACMEv2.

Never say never of course ... but I think you should be fine.

Well, since you have the snap now which automatically upgrades Certbot, the answer here is hopefully "never" as well.
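The renewal file quoted in the question is an INI-like format with a nested [[webroot_map]] section, and the reply above explains that the `version` line is a safeguard that Certbot rewrites on the next real renewal. The following is an added example, not code from this thread or from the Certbot project: it parses that format and reports how the recorded version compares with the installed one, plus the ACME endpoint if an optional `server` key is present (that key, and the version ordering rule, are assumptions; the sample file is a constructed variant of the one in the question).

```python
import re
# Constructed sample, modelled on the renewal file quoted in the question.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 0.21.1
privkey = /etc/letsencrypt/live/MY.WEBSITE.COM/privkey.pem
[renewalparams]
authenticator = webroot
installer = nginx
account = XXXXXXXXXXXXXXXXXXX
post_hook = systemctl reload nginx
[[webroot_map]]
MY.WEBSITE.COM = /home/ubuntu/letsencrypt
"""


def parse_renewal_conf(text):
    """Parse the INI-like file: top-level keys, [section], nested [[sub]]."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments such as "# renew_before_expiry"
        m = re.fullmatch(r"(\[+)([^\]]+)\]+", line)
        if m:
            depth, name = len(m.group(1)), m.group(2)
            parent = current if depth > 1 else ""  # [[x]] nests under the open [section]
            current = f"{parent}.{name}" if parent else name
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def version_tuple(s):
    return tuple(int(p) for p in re.findall(r"\d+", s))


def check_renewal_conf(text, installed_version):
    """Return findings about the file relative to the Certbot now installed."""
    conf = parse_renewal_conf(text)
    recorded, inst = conf[""].get("version", ""), installed_version
    findings = []
    if version_tuple(recorded) < version_tuple(inst):
        findings.append(f"version {recorded} older than installed {inst}: rewritten on next real renewal")
    elif version_tuple(recorded) > version_tuple(inst):
        findings.append(f"version {recorded} newer than installed {inst}: file came from a newer Certbot")
    # `server` is an assumed optional key; old files like the one above lack it.
    if "acme-v01" in conf.get("renewalparams", {}).get("server", ""):
        findings.append("server points at an ACMEv1 endpoint")
    return findings
```

Run it against the real file with `check_renewal_conf(open(path).read(), "1.13.0")`, taking the installed version from `certbot --version`.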


Thanks a lot for your detailed reply.

Great!

I agree :slight_smile:

Oh cool! I noticed that UNIT & ACTIVATES changed when running systemctl list-timers. I now have this:

NEXT                        LEFT        LAST                        PASSED       UNIT                         ACTIVATES
Mon 2021-03-29 19:32:00 UTC 9h left     Mon 2021-03-29 02:39:29 UTC 7h ago       snap.certbot.renew.timer     snap.certbot.renew.service

instead of this:

NEXT                         LEFT          LAST                         PASSED       UNIT                         ACTIVATES
Tue 2018-02-06 00:56:08 UTC  5h 1min left  Mon 2018-02-05 12:33:41 UTC  7h ago       certbot.timer                certbot.service

But as I'm not familiar with Snapd (I just read the little description on the official website), I wasn't sure if it was the same thing (with a different name) or if it was more than that. Now, I understand better.

Thanks for the advice.
I assume I can get rid of the entire /etc/cron.d/certbot file, right?

Nice! Thanks for having given me more context.
To tell you everything, I was wondering if it was worth it to try AWS Certificate Manager. But regarding the community (through answers like yours) and how things got easier than before, I'll stay a Let's Encrypt user for a while.

What a great improvement!
