How to disable warning: "Your system is not supported by certbot-auto anymore."

My domain is:
Sorry, I can't bring myself to post a customer's domain here and let the world know how outdated their server is (read further and you'll probably understand).

I ran this command:
./certbot/certbot-auto renew --quiet

It produced this output:
stdout:
Your system is not supported by certbot-auto anymore.
certbot-auto and its Certbot installation will no longer receive updates.
You will not receive any bug fixes including those fixing server compatibility
or security problems.
Please visit https://certbot.eff.org/ to check for other alternatives.
stderr:
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a release (2.7.7+) that supports hmac.compare_digest as soon as possible.
utils.PersistentlyDeprecated2018,

My web server is (include version):
Apache/2.4.7 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 14.04.6 LTS

My hosting provider, if applicable, is:
I'm sure that's irrelevant here

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.9.0

Hi,

is there a way to disable the warning "Your system is not supported by certbot-auto anymore."?

Please let's not have a discussion about security and the importance of updates in this thread. I am well aware of that and I have already discussed the issue with the customer. In its current desolate state, the particular system is not updatable anymore (from an economic point of view). Snap is installed but not working. The only good thing is that the server isn't very exposed and it at least managed to stay under attackers' radar until now, as it seems.

Kind regards

1 Like

You could downgrade the discontinued certbot-auto script to a version where your system wasn't yet deprecated and run it with the --no-self-upgrade option.

A different (and probably better) option would be to install certbot through pip using the pip instructions on the certbot site: https://certbot.eff.org/lets-encrypt/pip-apache

Note that certbot too doesn't support Python 2.7 any longer as far as I know. But I hope Ubuntu 14.04.6 LTS has Python 3+ support?

2 Likes

Thank you very much for your reply.

Python = 2.7.6

I fear pip install won't be possible. I am too scared to make too many changes to that system.

1 Like

Hi @bugblatterbeast

Certbot may be the wrong tool.

Check other clients.

Perhaps acme.sh.

1 Like

It should also have Python 3.4: http://releases.ubuntu.com/14.04/ubuntu-14.04.6-server-amd64.manifest

However, support for Python 3.4 has also been dropped from certbot :stuck_out_tongue:

Although some dependencies might be required to be installed globally, certbot itself would be installed in a Python virtual environment.

1 Like

Thank you both very much.

The customer already agreed to have a new server set up. However it will take a while until all the customised services will be transferred. He asked me if it would be possible to switch off those certbot warnings until then.

I will take some time to look into the acme.sh solution and decide between that and the downgrade. I don't want to spend too much effort on this sinking ship.

I'll let you know how it worked out.

Thanks again and have a nice holiday. Kind regards

1 Like

Another "solution" is to ignore the warning, as it's just that: a warning. Especially as a new server is already being set up.

1 Like

One option not mentioned is that you may invoke the underlying installation of Certbot directly via /opt/eff.org/certbot/venv/bin/certbot.

2 Likes

Hm, that's an even better option! I was just typing a post about removing the warning from the certbot-auto script, but indeed, the script doesn't do anything any longer anyway. So it's a great idea to just bypass it altogether :slight_smile:

1 Like

Thanks all!

This:
/opt/eff.org/certbot/venv/bin/certbot renew --quiet
got rid of the stdout message but the stderr is still showing.

If I ran
/opt/eff.org/certbot/venv/bin/letsencrypt renew --quiet 2> /dev/null
would that lead to losing information about problems with cert renewal?

1 Like

It seems so:

server renewal # certbot renew --cert-name le-test-01.example.com --dry-run -q
Challenge failed for domain le-test-01.example.com
Failed to renew certificate le-test-01.example.com with error: Some challenges have failed.
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/le-test-01.example.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
server renewal # certbot renew --cert-name le-test-01.example.com --dry-run -q 2>/dev/null
server renewal # 

However, you could pipe stderr to stdout and grep the deprecation warning line(s) away like so:

server renewal # certbot renew --cert-name le-test-01.example.com --dry-run -q 2>&1 | grep -v CryptographyDeprecationWarning
Challenge failed for domain le-test-01.example.com
Failed to renew certificate le-test-01.example.com with error: Some challenges have failed.
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/le-test-01.example.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
server renewal # 

If there are multiple lines, you could grep those out with specific grep -v targets too of course :slight_smile:

2 Likes

Very smart idea to use the inverted grep.

It was two lines and this did it:
/opt/eff.org/certbot/venv/bin/letsencrypt renew --quiet 2>&1 | grep -v "CryptographyDeprecationWarning\|utils.PersistentlyDeprecated"

Thanks everyone!

2 Likes
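An added example, not part of any post in this thread: piping the renewal through `grep -v` hides the two deprecation lines, but the pipeline then reports grep's exit status instead of the renewal's, so a wrapper that captures the output first keeps both the error text and the real status. The helper names `run_filtered` and `run_piped` are hypothetical, and the `fake_renew_*` functions are constructed stand-ins for the renewal command.

```shell
#!/bin/sh
# Added example. The two patterns are the stderr lines quoted in the thread.
NOISE='CryptographyDeprecationWarning|utils\.PersistentlyDeprecated'

# run_filtered CMD [ARGS...] (hypothetical helper name)
# Prints CMD's combined stdout/stderr without the noise lines and
# returns CMD's own exit status, so cron or monitoring still sees failures.
run_filtered() {
    _tmp=$(mktemp) || return 1
    _rc=0
    "$@" >"$_tmp" 2>&1 || _rc=$?
    # grep -v exits 1 when every line was filtered out; that is not an error.
    grep -Ev "$NOISE" "$_tmp" || true
    rm -f "$_tmp"
    return "$_rc"
}

# The plain pipeline, for comparison: without pipefail its status is grep's.
run_piped() {
    "$@" 2>&1 | grep -Ev "$NOISE"
}

# Constructed stand-ins for a quiet renewal run (sample output, not real logs).
fake_renew_ok() {
    echo "constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated." >&2
    echo "  utils.PersistentlyDeprecated2018," >&2
}
fake_renew_fail() {
    fake_renew_ok
    echo "Challenge failed for domain le-test-01.example.com" >&2
    echo "1 renew failure(s), 0 parse failure(s)" >&2
    return 1
}

# Demo: the failure text survives the filter and the status is still 1.
run_filtered fake_renew_fail || echo "renewal exit status: $?"
# A clean run prints nothing, yet the plain pipeline reports grep's status 1.
run_piped fake_renew_ok || echo "pipeline exit status on success: $?"

# Real use (path as given in the thread):
#   run_filtered /opt/eff.org/certbot/venv/bin/certbot renew --quiet
```

Under cron, a clean run through `run_filtered` produces no output and status 0, while a failed renewal still produces its messages and a non-zero status.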
