No new versions in PPA for Ubuntu / Upgrade

I have received an email that I should update my certbot client (certbot 0.31.0 on Ubuntu 16) til 01.06. I tried to update but there are no new versions in the PPA. I checked the website and it’s still the recommend way to install certbot (source: https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx)

What is the recommended way to upgrade the certbot client currently? Or is there any timeline/plan to publish latest versions to the PPA?

0.31.0 is growing long in the tooth, but it’s new enough. You don’t need something newer.

Why did the email say that you needed to upgrade?

It’s likely that the settings need to be changed, or the system is not running the current packages.

This is the email I received. Based on the user agent it looks like it’s using 0.31.0.

Can you run:

grep ^server /etc/letsencrypt/cli.ini /etc/letsencrypt/renewal/*

And also:

sudo apt update
apt list --upgradeable

It’s possible that Certbot is configured to use the old API, even though you’re running a version that supports the new API and uses it by default.

It also might be possible that one of Certbot’s constituent packages is an older version. (I don’t remember if that can happen with the package you’re using.)

Yes, it looks like it’s using v1.

grep ^server /etc/letsencrypt/cli.ini /etc/letsencrypt/renewal/*
/etc/letsencrypt/renewal/site.com.conf:server = https://acme-v01.api.letsencrypt.org/directory

apt list --upgradeable
libdrm2/xenial-updates 2.4.91-2~16.04.1 amd64 [upgradable from: 2.4.76-1~ubuntu16.04.1]
open-vm-tools/xenial-updates 2:10.2.0-3~ubuntu0.16.04.1 amd64 [upgradable from: 2:10.0.7-3227872-5ubuntu1~16.04.2]
python-cryptography/xenial 1.9-1+ubuntu16.04.1+certbot+2 amd64 [upgradable from: 1.2.3-1ubuntu0.2]
python-openssl/xenial,xenial 17.3.0-1~0+ubuntu16.04.1+certbot+1 all [upgradable from: 0.15.1-2ubuntu0.2]
python-parsedatetime/xenial,xenial 2.4-3+ubuntu16.04.1+certbot+3 all [upgradable from: 1.4-1]
python-requests/xenial,xenial 2.18.1-1+ubuntu16.04.1+certbot+1 all [upgradable from: 2.9.1-3ubuntu0.1]
python-urllib3/xenial,xenial 1.21.1-1+ubuntu16.04.1+certbot+1 all [upgradable from: 1.13.1-2ubuntu0.16.04.3]
python3-requests/xenial,xenial 2.18.1-1+ubuntu16.04.1+certbot+1 all [upgradable from: 2.9.1-3ubuntu0.1]
python3-urllib3/xenial,xenial 1.21.1-1+ubuntu16.04.1+certbot+1 all [upgradable from: 1.13.1-2ubuntu0.16.04.3]
ubuntu-minimal/xenial-updates 1.361.4 amd64 [upgradable from: 1.361.1]

Would you mind editing /etc/letsencrypt/renewal/site.com.conf with a text editor, to either remove the server line, or change the “v01” to “v02”? (Removing it or editing it would both work, since the v02 URL is the default now anyway.)

If you don’t want to, you could run a Certbot command to reissue the certificate and update the config.

None of those packages listed are parts of Certbot. (Though they are dependencies of Certbot.)

2 Likes

Thanks! I have removed the line and will see if it works with the next renewal (dry-run seems to go to the v2 url). There is also configuration for standalone_supported_challenges = “tls-sni-01,http-01” and I am not sure if there are new challenges with v2 that should be listed here? I left it as is.

--dry-run with a sufficiently recent version of Certbot uses the ACMEv2 staging URL regardless of whether you’re configured to use the ACMEv1 or ACMEv2 production URLs. It’s good to confirm that it works, but it doesn’t itself prove that Certbot will use the right production URL next time.

You probably don’t need to do anything with that line. It shouldn’t be doing any harm. (It’s probably not doing anything useful, either.)

Let’s Encrypt removed the TLS-SNI-01 challenge type, and added the TLS-ALPN-01 challenge type. (But it doesn’t depend on which API version you use.)

Certbot doesn’t support TLS-ALPN-01 yet (though recent versions have started work on it).

I assume your Certbot installation is using HTTP-01 now and will happily continue doing so into the future.

I assume you’re probably not using the “manual” plugin, the only one that supports both DNS-01 and HTTP-01 validation. For example, if you’re using the “webroot” plugin, it only implements HTTP-01, so the standalone_supported_challenges setting – if it’s even applied; I’m not sure – wouldn’t change anything.

Old versions of Certbot saved default settings into the renewal configuration files, so they always had a few dozen lines of stuff you didn’t change and have never heard of. Newer versions more or less only save settings you’ve modified, but if your installation has been around a while, the files may still have some unnecessary cruft, like server or standalone_supported_challenges.

(The standalone_supported_challenges setting was even renamed a long time ago; the old name was entirely removed at some point after 0.31.0.)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.