Debian packages held back from backports


I'm running Debian 9.4 and saw last month the letsencrypt packages were held back from backports.

The following packages have been kept back:
certbot (0.19.0-1~bpo9+1 => 0.21.1-1~bpo9+1)
python-acme (0.19.0-1~bpo9+1 => 0.21.1-1~bpo9+1)
python-certbot-nginx (0.19.0-1~bpo9+1 => 0.21.1-1~bpo9+1)
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.

Is there any important functionality needed in the backports?

Best wishes, Soph.

Some time ago, for security reasons the tls-sni-01 challenge was disabled by Let’s Encrypt (with exceptions for some special cases involving renewals).

At the time, Certbot’s nginx and apache plugins depended on that challenge, so those plugins could not be used to issue certificates for new domains.

This was fixed in Certbot version 0.21.0 which adds support for the http-01 challenge to the nginx and apache plugins.

There was also a fix in 0.21.1 for a minor security issue around the functionality that automatically generates HTTP-to-HTTPS redirects.

You can review the changelog yourself to see if there’s anything else there that you care about.

I don’t know why your packages are being kept back, sorry.

@bmw or @hlieberman can probably shed some light on the above. I think the Debian package for a recent release of Certbot made it depend on Python 3 (instead of Python 2.7). If I recall correctly that may be causing “held back” for some people.

What command did you run? apt, apt-get and aptitude have commands that won’t resolve complex dependency changes, and commands that will.

E.g. if you used “apt-get upgrade”, use “apt-get dist-upgrade”.
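
As an added example (not part of any post in this thread): a small shell check that reads apt output in the format quoted in the question and lists kept-back packages whose installed upstream version is older than a given minimum, here 0.21.1, the release the reply above names for the redirect fix. The function names and the `example-pkg` line are made up for illustration, and `sort -V` from GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example: flag kept-back packages that are still below a minimum
# upstream version. Function names are hypothetical.

# upstream_version "1:0.19.0-1~bpo9+1" -> "0.19.0"
upstream_version() {
    v=${1#*:}                 # drop an epoch ("1:") if present
    printf '%s\n' "${v%-*}"   # drop the Debian revision after the last "-"
}

# version_lt A B: succeeds when A sorts strictly before B (GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# kept_back_below MIN: reads apt output on stdin and prints "name installed"
# for every kept-back entry whose installed upstream version is below MIN.
kept_back_below() {
    min=$1
    # Keep the block from the "kept back" header to the summary line, then
    # pick out entries of the form: name (installed => candidate)
    sed -n '/^The following packages have been kept back:/,/^[0-9][0-9]* upgraded,/p' |
    sed -n 's/^ *\([^ ][^ ]*\) (\([^ ]*\) => \([^)]*\))$/\1 \2 \3/p' |
    while read -r name installed candidate; do
        if version_lt "$(upstream_version "$installed")" "$min"; then
            printf '%s %s\n' "$name" "$installed"
        fi
    done
}

# Sample input: the lines quoted in the question, plus one constructed
# entry (example-pkg) that is already above the minimum.
SAMPLE='The following packages have been kept back:
certbot (0.19.0-1~bpo9+1 => 0.21.1-1~bpo9+1)
python-acme (0.19.0-1~bpo9+1 => 0.21.1-1~bpo9+1)
python-certbot-nginx (0.19.0-1~bpo9+1 => 0.21.1-1~bpo9+1)
example-pkg (1.2.0-1 => 1.3.0-1)
0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.'

# On a live system the input would come from: apt-get -s -V upgrade
printf '%s\n' "$SAMPLE" | kept_back_below 0.21.1
```

An empty result means nothing that apt is keeping back is below the chosen minimum.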

Good point. I always used apt-get upgrade.

Thank you everybody for replying and shedding light on this.

I think my original certs used the deprecated tls-sni-01 plugin. Currently my renewals are broken, but this has been commented on in another existing thread.
