OK...
Added deb http://ftp.debian.org/debian stretch-backports main to raspi.list as per https://backports.debian.org/Instructions/ then followed instructions at https://certbot.eff.org/lets-encrypt/debianstretch-nginx.html
apt-get update complains about W: GPG error: http://ftp.debian.org/debian stretch-backports InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
W: The repository 'http://ftp.debian.org/debian stretch-backports InRelease' is not signed.
So, did a sudo apt-get install python-certbot-nginx -y --allow-unauthenticated -t stretch-backports
Which resulted in
*** cli.ini (Y/I/N/O/D/Z) [default=N] ? dpkg: error processing package certbot (--configure):
end of file on stdin at conffile prompt
dpkg: dependency problems prevent configuration of python3-certbot-nginx:
python3-certbot-nginx depends on certbot (>= 0.25.0~); however:
Package certbot is not configured yet.
dpkg: error processing package python3-certbot-nginx (--configure):
dependency problems - leaving unconfigured
dpkg: dependency problems prevent configuration of python-certbot-nginx:
python-certbot-nginx depends on python3-certbot-nginx; however:
Package python3-certbot-nginx is not configured yet.
dpkg: error processing package python-certbot-nginx (--configure):
dependency problems - leaving unconfigured
Errors were encountered while processing:
certbot
python3-certbot-nginx
python-certbot-nginx
E: Sub-process /usr/bin/dpkg returned an error code (1)
So still stuck somewhere in between...something...
Doing dry-run again gives me
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/macquarierealestate.com/fullchain.pem (success)
/etc/letsencrypt/live/swoose.com.au/fullchain.pem (success)
/etc/letsencrypt/live/cfz.com.au/fullchain.pem (success)
/etc/letsencrypt/live/swoose.net/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
You should probably include the full path when calling certbot(-auto) to ensure which one gets used.
Or just remove the older one if no longer needed.
And which one is the correct one please?
sudo which certbot /usr/bin/certbot
Does that (/usr/bin/certbot) match what is in your cron job?
sudo crontab -l
Or do you use another method to schedule jobs?
Yes it does
test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
I suppose I should change it to:
test -x /etc/letsencrypt/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && /etc/letsencrypt/certbot -q renew
[EDIT]
The "I suppose I should..." was actually a question
I think you went in the opposite direction.
I would use:
test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && /usr/bin/certbot -q renew
Listed below are some assorted outputs and directory listings. /etc/letsencrypt has only certbot-auto, v0.30.0, and a log file, and lots of subdirectories.
The "running" certbot is in /usr/bin and is v0.28.0 and there is no certbot-auto there.
The only difference I can see in your version of the cron job is to put the /usr/bin path in front of the renew invocation, but if it only exists in /usr/bin anyway, what difference does it make?
sudo /etc/letsencrypt/certbot --version sudo: /etc/letsencrypt/certbot: command not found
sudo certbot --version certbot 0.28.0
sudo /etc/letsencrypt/certbot-auto --version certbot 0.30.0
sudo certbot-auto --version sudo: certbot-auto: command not found
ls -l /usr/bin/cert* -rwxr-xr-x 1 root root 385 Nov 14 11:01 /usr/bin/certbot
ls -l /etc/letsencrypt/cert*
-rwxr-xr-x 1 root root 63562 Jan 4 06:00 /etc/letsencrypt/certbot-auto
-rw-r--r-- 1 root root 1906 Jan 9 2018 /etc/letsencrypt/certbot.log
cat /etc/letsencrypt/certbot.log
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 828, in main
args = cli.prepare_and_parse_args(plugins, cli_args)
File "/usr/lib/python2.7/dist-packages/certbot/cli.py", line 1057, in prepare_and_parse_args
return helpful.parse_args()
File "/usr/lib/python2.7/dist-packages/certbot/cli.py", line 517, in parse_args
parsed_args = self.parser.parse_args(self.args)
File "/usr/lib/python2.7/dist-packages/configargparse.py", line 402, in parse_args
env_vars = env_vars)
File "/usr/lib/python2.7/dist-packages/configargparse.py", line 556, in parse_known_args
self, args=args, namespace=namespace)
File "/usr/lib/python2.7/argparse.py", line 1733, in parse_known_args
namespace, args = self._parse_known_args(args, namespace)
File "/usr/lib/python2.7/argparse.py", line 1968, in _parse_known_args
self._get_value(action, action.default))
File "/usr/lib/python2.7/argparse.py", line 2260, in _get_value
result = type_func(arg_string)
File "/usr/lib/python2.7/dist-packages/certbot/plugins/standalone.py", line 124, in supported_challenges_validator
if cli.set_by_cli("standalone_supported_challenges"):
File "/usr/lib/python2.7/dist-packages/certbot/cli.py", line 198, in set_by_cli
plugin_selection.cli_plugin_requests(detector))
File "/usr/lib/python2.7/dist-packages/certbot/plugins/selection.py", line 236, in cli_plugin_requests
req_auth = set_configurator(req_auth, "standalone")
File "/usr/lib/python2.7/dist-packages/certbot/plugins/selection.py", line 215, in set_configurator
raise errors.PluginSelectionError(msg.format(repr(previously), repr(now)))
PluginSelectionError: Too many flags setting configurators/installers/authenticators 'nginx' -> 'standalone'
OK the confusion is that you have both:
sudo certbot --version certbot 0.28.0
/etc/letsencrypt/certbot-auto --version certbot 0.30.0
You need to choose which one will do the automated renewals.
[edit]
This is a bit concerning:
Please show:
sudo which certbot
sudo /usr/bin/certbot --version
# sudo which certbot /usr/bin/certbot
sudo /usr/bin/certbot --version certbot 0.28.0
[EDIT]
certbot-auto is v0.30.0 and certbot is v0.28.0 - are they the same thing but renamed in a "later" version?
IF that is the case, I can delete /usr/bin/certbot and use /etc/letsencrypt/certbot-auto instead. If they are not the same, then...what?
Strange...
Where does this come from?:
load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')
Nonetheless, which one will you be using?:
/usr/bin/certbot [version 0.28.0]
/etc/letsencrypt/certbot-auto [version 0.30.0]
They are two separate programs.
letsencrypt was renamed to certbot - and some systems will run the same program using either name.
Think of certbot-auto as a totally separate certbot program that is in a self-contained environment.
It comes from /etc/letsencrypt/certbot.log
Happy to use v0.30.0...if it is the same thing as "certbot"...see earlier reply edit.
What's /etc/letsencrypt/certbot.log? Can you ls -l /etc/letsencrypt/certbot.log and see when it's from?
Certbot should normally log to /var/log/letsencrypt/letsencrypt.log.
OK, two separate programs...there is no certbot executable in /etc/letsencrypt - only certbot-auto
ls -l /etc/letsencrypt/certbot.log -rw-r--r-- 1 root root 1906 Jan 9 2018 /etc/letsencrypt/certbot.log
So we don't have to worry about it.
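
An added example, not part of the thread: with two certbot installs on one host, the renewal cron command should run the same absolute path that its `test -x` guard checks. The function name `audit_renew_line` is hypothetical and the sample lines are constructed from the cron command quoted above. It checks only that the line is self-consistent, not that the file exists.

```shell
#!/bin/sh
# Added example (not from the thread): classify a certbot renewal cron command.
# Prints one of: ok | relative | mismatch | unknown
audit_renew_line() {
    line=$1
    # Path guarded by "test -x <path>"; empty when the line has no such guard.
    tested=$(printf '%s\n' "$line" | sed -n 's/.*test -x \([^ ]*\).*/\1/p')
    # First word of the last &&-separated segment, if that segment runs "renew".
    invoked=$(printf '%s\n' "$line" | awk -F'&&' '{
        n = split($NF, w, " ")
        for (i = 2; i <= n; i++) if (w[i] == "renew") { print w[1]; exit }
    }')
    case $invoked in
        '') echo unknown ;;              # no renew command found
        /*) if [ "$invoked" = "$tested" ]; then
                echo ok                  # guard and command name the same file
            else
                echo mismatch            # guard checks one file, another one runs
            fi ;;
        *)  echo relative ;;             # resolved through cron's PATH at run time
    esac
}

# Constructed sample lines, modelled on the cron command quoted in the thread.
GUARD="test -x /usr/bin/certbot -a ! -d /run/systemd/system"
DELAY="perl -e 'sleep int(rand(43200))'"
for cmd in "certbot" "/usr/bin/certbot" "/etc/letsencrypt/certbot-auto"; do
    printf '%-32s %s\n' "$cmd" \
        "$(audit_renew_line "$GUARD && $DELAY && $cmd -q renew")"
done
```
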