Certbot went to hell, can't update Debian and NEED certbot 1.9.0 but NOT available anywhere

All I get is a LIST of files: what do I download??

Github is confusing.....

Brian

1 Like

Scroll down and read the readme.md.

3 Likes

Please note that:

  • Certbot is developed by EFF, not Let's Encrypt;
  • This Community is mainly just volunteers;
  • Perhaps you could use the "pip" instructions to install certbot.
5 Likes

There is also the acme.sh ACME client.

2 Likes

You are not alone. You really are not alone. Perhaps my solution will work for you. Find a spare computer. A laptop will do. Install a newer version of your OS, which will come with a newer version of certbot. rsync /etc/letsencrypt from your server over to the "laptop". You can now run certbot on the "laptop" with --manual (which is what I do). Follow the instructions and create the verification file on your server. Alternatively you can export and nfs mount your webroot to the "laptop" (maintain location and assure root write permissions). You may then also have to rsync your webserver setup directory to the "laptop" for certbot to find the webroot directory. Then you can run certbot from the "laptop" with the --webroot option. The certbot on the "laptop" will write the verification file to your server webroot and will receive the new certificate. rsync /etc/letsencrypt from the "laptop" back to your server. Update certificate links on your server, if that is your normal routine.

1 Like

If PHP works on your server, you could just use CertSage...

3 Likes

I would like to clarify some things:

  • Debian 8 was released in 2015, with a 5 year support window that expired in June 2020.

  • Nobody removed support for certbot on Debian 8; the Debian team stopped supporting that platform over a year ago. The Debian volunteers are responsible for porting certbot to Debian and making it available to Debian users, not the certbot or LetsEncrypt volunteers.

  • You are missing critical security updates by not updating your OS to one in an active support window.

  • There are numerous ways to install an SSL certificate on an outdated, unsupported operating system. They include, but are not limited to: manually install a client from source, use another client, and obtain certificates on another machine and transfer them.

  • Any proper solution for this problem, however, will always include updating the server to an actively supported operating system, or moving to a server with an actively supported operating system.

8 Likes

I can understand everyone WANTING me to throw Debian 8 in the trash and upgrade to DEB 11 - I NEED 8 because there are plugins on my websites that REQUIRE php, and I can't use php7.3/7.4/8.0 because then my website is TRASH while I figure out how to get plugins that are compliant with 7.3/4/8.

Without making sure my website won't CRASH hard because of not knowing what is compatible with PHP 7.3/7.4 or 8.0 plugin wise, I WILL NOT update everything because:

  1. Deb11 uses MariaDB and I use MySQL

  2. Deb11 is NEW and there are things that may NOT and DO NOT work well with my websites. I will check for plugin compatibility, and make sure that my databases won't DIE because of the new versions of SQL and PHP. I upgraded Once before, and it was a blasted NIGHTMARE, so I downgraded to make sure my sites are working and STABLE - I like Deb 11, but I want my system to work without having a problem.

  3. DEB11 has the new Certbot, BUT: Someone decided that we needed a whole bunch of snaps on our systems, and I already use GDebi and Synaptic to install things, and I don't need snapd if the ONLY reason to have snapd (snaps) is because of certbot - I had to install python too, and something messed up once.

My system may be EOL as far as the version, but I have learned that you don't MESS with what WORKS! Some people like me don't think that snaps should be needed to run a script that will go out and pull the information IN, and renew domains.

When I have done all of the needed work to ensure that my plugins won't crash the websites I have (meaning that php7/8 will be supported) BY the plugins I use, THEN and ONLY THEN will I upgrade to Deb11 full time, and not before. I can't RISK losing what works while I am set up and the sites are running OK, because the older system is EOL - There are others of us who run older systems, and we may need to for a while until we can get that straightened out, and THEN I will run Debian 11 :slight_smile:

Thank You :slight_smile:

2 Likes

Are you able to run virtual systems?

2 Likes

Unless your server gets hacked due to unfixed remote exploits.. :roll_eyes:

Also, almost everything you say makes sense. Nobody wants a dysfunctional site due to incompatibilities. That said, usually one would make sure all the required steps are already done before an OS version becomes EOL. That's just proper system administration if you'd ask me. Also, usually one would have a production system and a testing system, so one can find out if stuff works or not without messing up the production system.

In any case, you can't expect software engineers to keep on supporting EOL systems. So while it may be your choice not to upgrade yet (for somewhat understandable reasons), it may have other consequences such as unsupported software.

2 Likes

OK: I have acme.sh, and I have stuff in /etc/letsencrypt. So I have a config file for my domain, and I wanted to know where you get this piece:

Location for all your certs, these can either be on the server (full path nam$

or using ssh /sftp as for the ACL

#DOMAIN_CERT_LOCATION="/etc/ssl/buddy-baker.us.crt" # this is domain cert
#DOMAIN_KEY_LOCATION="/etc/ssl/buddy-baker.us.key" # this is domain key
#CA_CERT_LOCATION="/etc/ssl/chain.crt" # this is CA cert
#DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
#DOMAIN_PEM_LOCATION="" # this is the domain key, domain cert and CA cert

Do I pull that from the /etc/apache2 directory for example, or do I get that from the lines that say in my buddy-baker.us-le-ssl.conf:

SSLCertificateFile /etc/letsencrypt/live/www.buddy-baker.us/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.buddy-baker.us/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

I have 4 domains DOT US, DOT COM, DOT ORG and DOT INFO: I am wondering what to put in there for keys/certs?

Can someone let me know what I have to do?

Brian

1 Like

There are plenty of "right answers".
[there is no set requirement - short of being placed into a secure location (and it doesn't wreak any havoc)]

That said, it seems like you want a seamless transition from certbot to acme.sh [without any Apache modifications]
If so, I would proceed with caution [backup things before making any changes].
It seems possible to obtain certs via both ACME clients.
Then:

  • shut down certbot
  • relink the entries in
    /etc/letsencrypt/live/{cert-name}/
    to
    /root/.acme.sh/{cert-name[-ecc]}/
  • restart Apache
    [if all works, then uninstall certbot]
  • ensure acme.sh is set to renew all your sets via scheduled task
  • have a :beer: (or four)!
2 Likes
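The relinking step above, written out as an added example (not code from the thread, from acme.sh or from certbot). It assumes, since the thread does not spell them out, acme.sh's own directory layout (`<acme-home>/<name>_ecc/` for the ECDSA certs the `[-ecc]` placeholder refers to, `<acme-home>/<name>/` for RSA, each holding `fullchain.cer`, `<name>.cer`, `<name>.key` and `ca.cer`), and that the braces and brackets in the post are placeholders rather than literal characters; the Apache config keeps pointing at the certbot paths, only the links inside `/etc/letsencrypt/live/<name>/` change.

```shell
#!/bin/sh
# Added example: point certbot's live/ symlinks at the files acme.sh writes,
# so the existing SSLCertificateFile/SSLCertificateKeyFile lines keep working.
# Assumed acme.sh layout (not stated in the thread):
#   <acme-home>/<name>_ecc/  for ECDSA certs (acme.sh's default key type)
#   <acme-home>/<name>/      for RSA certs
# each holding fullchain.cer, <name>.cer, <name>.key and ca.cer.

# relink_live LIVE_DIR ACME_HOME NAME [ecc|rsa]
# Returns 1 without touching anything if an acme.sh file is missing or the
# private key is readable by "other" (the new link would expose it too).
relink_live() {
    live_dir=$1; acme_home=$2; name=$3; keytype=${4:-ecc}
    src="$acme_home/$name"
    [ "$keytype" = ecc ] && src="${src}_ecc"
    for f in "$src/fullchain.cer" "$src/$name.cer" "$src/$name.key" "$src/ca.cer"; do
        [ -s "$f" ] || { echo "relink_live: missing $f" >&2; return 1; }
    done
    if [ -n "$(find "$src/$name.key" -perm -004)" ]; then
        echo "relink_live: $src/$name.key is world-readable" >&2; return 1
    fi
    dest="$live_dir/$name"
    mkdir -p "$dest"
    # keep certbot's old links so the change can be reverted
    [ -e "$dest.bak" ] || cp -a "$dest" "$dest.bak"
    ln -sf "$src/fullchain.cer" "$dest/fullchain.pem"
    ln -sf "$src/$name.key"     "$dest/privkey.pem"
    ln -sf "$src/$name.cer"     "$dest/cert.pem"
    ln -sf "$src/ca.cer"        "$dest/chain.pem"
}

# check_live LIVE_DIR NAME: fail if any link Apache will open is dangling,
# which is the mistake to catch before "service apache2 restart".
check_live() {
    for l in fullchain.pem privkey.pem cert.pem chain.pem; do
        [ -e "$1/$2/$l" ] || { echo "check_live: $1/$2/$l is dangling" >&2; return 1; }
    done
}

# Usage on a server like the one in the thread, once acme.sh has issued the certs:
#   for n in buddy-baker.us www.buddy-baker.us; do
#       relink_live /etc/letsencrypt/live /root/.acme.sh "$n" \
#           && check_live /etc/letsencrypt/live "$n"
#   done
#   apachectl configtest && service apache2 restart
```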

@rg305 is the one or four kegs or growlers of :beer: or :beers:
Just want to get the units correct. :rofl:

2 Likes

Das KEG / TANKARD!

:beer:

2 Likes

Thanks for the clarification :grinning_face_with_smiling_eyes:

2 Likes

Doing this gives me:

Total 228
-rw-r--r-- 1 root root 183 Dec 2 10:14 account.conf
-rwxr-xr-x 1 root root 209858 Dec 2 10:14 acme.sh
-rw-r--r-- 1 root root 78 Dec 2 10:14 acme.sh.env
lrwxrwxrwx 1 root root 39 Dec 2 10:33 {buddy-baker.us[-ecc] -> /etc/letsencrypt/live/{buddy-baker.us}/
drwxr-xr-x 2 root root 4096 Dec 2 10:14 deploy
drwxr-xr-x 2 root root 4096 Dec 2 10:14 dnsapi
drwxr-xr-x 2 root root 4096 Dec 2 10:14 notify
root@cardinal:~/.acme.sh#

Question: why is my domain now {buddy-baker.us[-ecc]? What is the function of the curly braces and the [-ecc]? Is there a way to link that without the -ecc, or am I doing something wrong? It looks like the linkage took, but I don't understand the -ecc in the domain.

Thanks,

Brian

1 Like

That's because you requested a certificate with an ECDSA key, and as there are some configurations that use both RSA and ECDSA certificates, it can't remove the prefix without name colliding.

1 Like

Hello:

I tried the following link and it failed: why?

root@cardinal:/etc/letsencrypt/live# ln -s /etc/letsencrypt/live/{buddy-baker.com}/ /root/.acme.sh/{buddy-baker.com[-ecc]}/
ln: target ‘/root/.acme.sh/{buddy-baker.com[-ecc]}/’ is not a directory: No such file or directory
root@cardinal:/etc/letsencrypt/live#

Any ideas?

Brian

1 Like

OK: I think the error with that command I mentioned was because of spacing: so I used:

ln -s /etc/letsencrypt/live/{www.buddy-baker.us-0001}/ /root/.acme.sh/{www.buddy-baker.us-0001[-ecc]

and just replaced the domain names for all [.us, .com, .org .info] and I did all of the directories listed below:

root@cardinal:/etc/letsencrypt/live# ls -l
total 36
drwxr-xr-x 2 root root 4096 Nov 3 14:02 buddy-baker.com
drwxr-xr-x 2 root root 4096 Nov 3 14:02 buddy-baker.info
drwxr-xr-x 2 root root 4096 Nov 3 14:02 buddy-baker.org
drwxr-xr-x 2 root root 4096 Nov 3 14:02 buddy-baker.us
drwxr-xr-x 2 root root 4096 Nov 3 14:02 buddy-baker.us-0001
-rw-r--r-- 1 root root 740 Nov 3 14:02 README
drwxr-xr-x 2 root root 4096 Nov 3 14:02 www.buddy-baker.com
drwxr-xr-x 2 root root 4096 Nov 3 14:02 www.buddy-baker.org
drwxr-xr-x 2 root root 4096 Nov 3 14:02 www.buddy-baker.us

I now have a directory /root/.acme.sh that looks like THIS:

root@cardinal:~/.acme.sh# ls -l
total 232
-rw-r--r-- 1 root root 183 Dec 2 10:14 account.conf
-rwxr-xr-x 1 root root 209858 Dec 2 10:14 acme.sh
-rw-r--r-- 1 root root 78 Dec 2 10:14 acme.sh.env
lrwxrwxrwx 1 root root 40 Dec 2 11:25 {buddy-baker.com[-ecc] -> /etc/letsencrypt/live/{buddy-baker.com}/
lrwxrwxrwx 1 root root 41 Dec 2 11:27 {buddy-baker.info[-ecc] -> /etc/letsencrypt/live/{buddy-baker.info}/
lrwxrwxrwx 1 root root 40 Dec 2 11:26 {buddy-baker.org[-ecc] -> /etc/letsencrypt/live/{buddy-baker.org}/
lrwxrwxrwx 1 root root 39 Dec 2 10:33 {buddy-baker.us[-ecc] -> /etc/letsencrypt/live/{buddy-baker.us}/
drwxr-xr-x 2 root root 4096 Dec 2 10:14 deploy
drwxr-xr-x 2 root root 4096 Dec 2 10:14 dnsapi
drwxr-xr-x 2 root root 4096 Dec 2 10:14 notify
-rw-r--r-- 1 root root 262 Dec 2 11:17 script-change-acme.sh
lrwxrwxrwx 1 root root 44 Dec 2 11:30 {www.buddy-baker.com[-ecc] -> /etc/letsencrypt/live/{www.buddy-baker.com}/
lrwxrwxrwx 1 root root 44 Dec 2 11:32 {www.buddy-baker.org[-ecc] -> /etc/letsencrypt/live/{www.buddy-baker.org}/
lrwxrwxrwx 1 root root 48 Dec 2 11:37 {www.buddy-baker.us-0001[-ecc] -> /etc/letsencrypt/live/{www.buddy-baker.us-0001}/
lrwxrwxrwx 1 root root 43 Dec 2 11:34 {www.buddy-baker.us[-ecc] -> /etc/letsencrypt/live/{www.buddy-baker.us}/
root@cardinal:~/.acme.sh#

Now will try a restart of apache2 and see what happens, after checking for a cron for this :wink:

Will advise

Brian

1 Like

OK: I have the cron, and she looks like this:

46 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

Do you recommend that I change that so I get output somewhere?

Also, commanded a "service apache2 restart" - all appears OK: No errors seen

Brian

1 Like