How do I specify the python version when running “certbot-auto” command?


I’m running certbot-auto every day on Ubuntu 14.04.6 LTS (trusty). Works fine for renewing certs. However about a week ago, it started raising warnings about deprecated Python.

/opt/ CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a 2.7.x release that supports hmac.compare_digest as soon as possible.

After apt-get and apt-upgrade, I have Python 2.7.6 (which is apparently native to this version of Ubuntu) and Python 3.4.3.

I’ve been futzing around for hours trying to figure out how to get certbot-auto to use Python 3.4.3, which I am guessing would solve this Python version issue. I see that it should be possible to set the Python version using a virtual environment, but I’m not clear on where to set that and whether the setting will be maintained after automatic updates.

Anyone figured this out?



Well, there’s:

USE_PYTHON_3=1 ./certbot-auto

But I reckon it only controls the version of Python that the bootstrapping script (certbot-auto) uses - the version of Python inside the virtualenv remains the same.

e: I’m wrong - it will also upgrade Python to 3 inside the virtualenv, as long as you remove /opt/ first, so it re-installs it.


Thanks @_az!.

I’m using certbot-auto --version just to get certbot-auto to run and output something.

  1. I renamed opt/ and ran USE_PYTHON_3=1 /usr/lib/certbot/certbot-auto --version. It created a new venv with links to python and python3, no deprecation warning, but it did not output the version.

  2. Okay so now 2.7 is gone and it will use 3, right? Re-ran /usr/lib/certbot/certbot-auto --version (without the prefix). It downgraded the environment to 2.7, displayed the deprecation warning, and output the version (0.32.0).

  3. Repeated step 1, with the prefix; this time it “Hit” a bunch of URLs at, did some packaging stuff, but ultimately decided “0 upgraded, 0 newly installed, 0 to remove and 17 not upgraded” before “Creating virtual environment.” But no version number output.

#3 is repeatable when run after sudo su and when running directly from the /usr/lib/certbot directory.

Did you get to where it was actually producing output using Python 3?


Yeah, I was able to get a functioning certbot-auto installation using both my system’s Python 2.7 (default choice) and Python 3.6.7 (using USE_PYTHON_3=1) installations. That was on Ubuntu 18.10 though.

I just tried in a fresh ubuntu:trusty Docker container as well, and I got behavior matching yours (just halts at Creating virtual environment…).

Adding a verbose flag (-v) reveals an underlying problem:

Creating virtual environment...
The virtual environment was not created successfully because ensurepip is not
available.  On Debian/Ubuntu systems, you need to install the python3-venv
package using the following command.

    apt-get install python3-venv

You may need to use sudo with that command.  After installing the python3-venv
package, recreate your virtual environment.

That package doesn’t exist on Ubuntu Trusty, but python3.4-venv does.

After installing it and trying again, I was able to successfully get Certbot working with Python 3.

Some Certbot developer probably going to read this post and shake their head - it’s probably a very unsupported/untested way to run Certbot.


Thanks, you’re way ahead of me understanding how all this fits together.

When the Certbot developer shakes their head, the sentence will hopefully end with “Why don’t they just do this?” Which is what? In other words, what is the “right” way to run Certbot on Trusty now that Trusty’s native Python is deprecated for some functions? I see that I could use a third-party repository to add Python > 2.7.6 to Trusty ( Others say to use virtualenv, which is what we’re playing with (and would seem safer):

Seems like Certbot could just use the latest Python on the system…


Perhaps - but Trusty is end-of-life in less than one month, which I believe also marks the end of Certbot’s support for it.


Dang, thanks for pointing that out. I built this server less than two years ago so I thought I had a couple years to go. I must have decided not to use the later 16.04 for some reason.

Meanwhile, this seems to work to update existing components and get certbot-auto running on Ubuntu 14.04.6:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install python3.4-venv
sudo mv /opt/ /opt/
USE_PYTHON_3=1 /usr/lib/certbot/certbot-auto --version
/usr/lib/certbot/certbot-auto --version

Thanks very much for your help!

closed #8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.