Invalid X.509 error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
certbot --apache

It produced this output:
ValueError: Invalid version. The only valid version for X509Req is 0

My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu 18.04

My hosting provider, if applicable, is:
hostinger

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.23

Details: with a little messing around I was able to resolve this issue and obtain a valid certificate by changing both calls to set_version() from set_version(2) to set_version(0) in acme/crypto_util.py

This is mostly to report a potential bug. I don't know python, and I'm not a particularly competent linux admin, so I apologize if this was an issue with my setup or due to some deprecation, rather than a bug. I figured it was more useful to report the issue/workaround than do nothing.

Thanks. But, the best place to report bugs for Certbot is at their GitHub. That is the most direct path to their devs. ISRG does Let's Encrypt. The EFF does Certbot which is one of many ACME clients.

That said, your version 1.23 is fairly old. The first step would be upgrading to the latest 2.7.4. And, for Ubuntu 18 the recommendation is to use the snap install. See Certbot's install page for instructions (link here)

6 Likes

This issue has been corrected in https://github.com/certbot/certbot/pull/9334, merged into certbot v1.29.0 and newer. There is no need to report this old issue; simply upgrading to a newer version will resolve this. Your manual fix is fine as well (but beware that package upgrades may override local modifications).

You only need to do that for the call in make_csr(). The other function generates an actual self-signed certificate, where 2 (= version 3) is correct. Changing this to 0 may break things (as X.509v1 doesn't support extensions).

6 Likes
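To illustrate the point in the reply above (a CSR's version field must be 0, while a certificate that carries extensions uses 2, meaning v3), here is an added example that is not part of the thread or of certbot's code. It reads the version field straight out of the DER encoding; the helper names are hypothetical and the byte strings are constructed stubs, not real CSRs or certificates.

```python
# Added example, stdlib only; names are hypothetical and the inputs are constructed stubs.

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def csr_version(blob):
    """CertificationRequest -> CertificationRequestInfo -> version INTEGER."""
    _, request, _ = read_tlv(blob)
    _, info, _ = read_tlv(request)
    tag, value, _ = read_tlv(info)
    if tag != 0x02:
        raise ValueError("CSR does not start with a version INTEGER")
    return int.from_bytes(value, "big")

def cert_version(blob):
    """Certificate -> TBSCertificate -> [0] EXPLICIT version, default 0 (v1)."""
    _, cert, _ = read_tlv(blob)
    _, tbs, _ = read_tlv(cert)
    tag, value, _ = read_tlv(tbs)
    if tag != 0xA0:                         # field omitted: X.509 v1
        return 0
    return int.from_bytes(read_tlv(value)[1], "big")

def check_csr(blob):
    v = csr_version(blob)
    return "ok" if v == 0 else f"invalid CSR version {v}: only 0 is defined"

def tlv(tag, content):
    """Encode a short-form DER element (enough for the stubs below)."""
    return bytes([tag, len(content)]) + content

NAME = tlv(0x30, b"")                                        # empty subject
GOOD_CSR = tlv(0x30, tlv(0x30, tlv(0x02, b"\x00") + NAME))   # as with set_version(0)
BAD_CSR = tlv(0x30, tlv(0x30, tlv(0x02, b"\x02") + NAME))    # as with set_version(2)
V3_CERT = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")))
V1_CERT = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01")))           # serial comes first

if __name__ == "__main__":
    print(check_csr(GOOD_CSR), "|", check_csr(BAD_CSR))
    print("cert version fields:", cert_version(V3_CERT), cert_version(V1_CERT))
```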

Thanks for the warning on that. If things go south, I'll try to regenerate the certificate after upgrading my version.

2 Likes

^^ That could use an update too

3 Likes

Tell me about it. This is my first time running Linux and I'm still at the "everything is currently working so I'm terrified of changing anything" stage.

1 Like

As a follow-up question, and this is more of a generic Linux question, do I need to update my Ubuntu version from 18.04 to the newest in order to update to the most recent version of certbot? I've seen that apt update seems to still leave me a few versions behind the most current with a lot of applications (php, sql, etc.). So far I've assumed that it's because the newest app versions aren't compatible with the older Linux version, but is that necessarily true? Is there a way to force the newest version of apps?

There are multiple ways to install (and thus update) certbot. The EFF (who develop certbot) recommends installing certbot via snap on your system. Installing via snap allows you to run the latest version of certbot independent of OS system upgrades.

For advanced users, it's also possible to install certbot via pip, which also allows running the latest version on many operating systems.

Otherwise, if you want to keep installing certbot via apt, you need to upgrade your distribution, yes. The reason you're currently running an old version is because of Ubuntu's packaging policy: The packages installed via apt are maintained by Debian/Ubuntu maintainers, not by certbot developers. These maintainers generally don't update to newer releases for software stability reasons. The only way to get newer packages this way is by upgrading the operating system.

4 Likes

Thanks for the clarification. That's what I expected but haven't been sure.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.