Client version 0.4.0 has been released


Version 0.4.0 of the Let’s Encrypt client has just been released to
PyPI. This is easily the biggest client release since public beta began.
New features in this release include:

  • The new verb/subcommand renew can be used to renew your existing certificates as they approach expiration. Running letsencrypt renew will examine all existing certificate lineages and determine if any are less than 30 days from expiration. If so, the client will use the settings provided when you previously obtained the certificate to renew it. The subcommand finishes by printing a summary of which renewals were successful, failed, or not yet due.

  • A --dry-run flag has been added to help with testing configuration without affecting production rate limits. Currently supported by the renew and certonly subcommands, providing --dry-run on the command line will obtain certificates from the staging server without saving the resulting certificates to disk.

  • Major improvements have been added to letsencrypt-auto. This script has been rewritten to include full support for Python 2.6, the ability for letsencrypt-auto to update itself, and improvements to the stability, security, and performance of the script.

  • Support for Apache 2.2 has been added to the Apache plugin.

A more complete list of changes can be found at:


Error running git pull this morning:

Updating 982e03c…27b0cb0
error: Your local changes to the following files would be overwritten by merge:
Please, commit your changes or stash them before you can merge.

I’ve made no local changes whatsoever.

And in case it matters, I’m on a centos 7.2 x64 vps.


This release won’t run here(Amazon Linux). The thing is the LE Python will look for dist-packages inside .local/…/lib/python
but there are missing packages in .local/…/lib64/python. In the 0.3 client I would be able to fix this prior to ran the client and it will ran ok… but in the 0.4 I can’t do that because it will recreate .local everytime, killing my fix.


@Fsantiago1979, I’m not sure why you got that but you should be able to run git diff to see what changes it thinks there are, or git reset --hard to get rid of them before the git pull.


I’m still having issues with Amazon Linux:

[letsencrypt]# ./letsencrypt-auto --help --debug
Checking for new version…
Creating virtual environment…
Installing Python packages…
Requesting root privileges to run letsencrypt…
/root/.local/share/letsencrypt/bin/letsencrypt --no-self-upgrade --help --debug
Traceback (most recent call last):
File “/root/.local/share/letsencrypt/bin/letsencrypt”, line 7, in
from letsencrypt.cli import main
File “/root/.local/share/letsencrypt/local/lib/python2.7/dist-packages/letsencrypt/”, line 21, in
import OpenSSL
File “/root/.local/share/letsencrypt/local/lib/python2.7/dist-packages/OpenSSL/”, line 8, in
from OpenSSL import rand, crypto, SSL
File “/root/.local/share/letsencrypt/local/lib/python2.7/dist-packages/OpenSSL/”, line 11, in
from OpenSSL._util import (
File “/root/.local/share/letsencrypt/local/lib/python2.7/dist-packages/OpenSSL/”, line 6, in
from cryptography.hazmat.bindings.openssl.binding import Binding
ImportError: No module named cryptography.hazmat.bindings.openssl.binding


see the git diff:


@Fsantiago1979, what’s going on here is that the new letsencrypt-auto script is self-updating. It appears that it has downloaded updates that git is unaware of causing the problem.

git is no longer required to use letsencrypt-auto, so with this in mind, you have a couple options:

  1. Copy letsencrypt-auto to a different location and delete the directory containing letsencrypt git repo. Alternatively, you can just redownload letsencrypt-auto from GitHub.
  2. Don’t do a git pull. Now the only piece of the repo letsencrypt-auto uses is the script itself, which will update itself when necessary. You can leave your copy of the repo as is and letsencrypt-auto will keep you up to date.


That works for me. Thanks.


does “letsencrypt renew” take into account rate limiting if you have more than 5 certificates?


Hi @Fsantiago1979, rate limiting is enforced on the server side, so there is no difference in the ability to issue a certificate (or not) with letsencrypt renew compared to any other method. Currently renewals are not treated differently from new issuances for rate limiting purposes, although this is supposed to change in a future version of the CA software.


Thank you.

Can you specify what gets renewed when using renew or does it only run through everything?

I have more than 5 certs per domain in some instances and right now their renewals are spread out via separate, per subdomain cron jobs to avoid rate limiting.


Currently you can’t. We would like to add a way to specify this in the future.


Switching Python version in my EC2 instance fixed it for me:
Amazon AWS release notes