Previously working connection to LE now fails - related to recent root cert exp.?

Certbot utilizes the requests library (module) in Python for making HTTPS requests. HTTPS relies on the root CAs for the TLS/SSL chain of trust to make secure requests. Normally these root CAs would be at a base level in an OS or part of a client browser, but in order to do it within Python via the requests library, the library needs the bundle of SSL Root Certificate Authorities (CAs). The older version of Python that this older version of Certbot uses did not have the new Root CA (ISRG Root X1) that Certbot now uses. Therefore, an update to the Python requests package was necessary to get an updated Root CA bundle.

$ certbot --version
certbot 1.7.0

$ pip --version
pip 20.0.2 from /usr/local/lib/python3.5/dist-packages/pip (python 3.5)

$ python --version
Python 2.7.12

$ head -3 /etc/os-release
NAME="Ubuntu"
VERSION="16.04.6 LTS (Xenial Xerus)"
ID=ubuntu

$ pip list --outdated | grep req
requests (2.9.1) - Latest: 2.26.0

$ pip3 install --upgrade requests
.....

$ pip list | grep req
requests            2.25.1

This assumes that the OS running certbot already is rid of the old Root CA and has the new one.

LE has a URL for testing your chain of trust called helloworld.letsencrypt.org. Use this command from your certbot server to see that the chain of trust uses the correct Root CA.

openssl s_client -servername helloworld.letsencrypt.org -showcerts -connect helloworld.letsencrypt.org:443

Ensure that the expired root CA (DST Root CA X3) is out of the list, and the new Root CA used by LE (ISRG Root X1) is in. (Google how to remove / add a root CA for your specific OS version.)
e.g.

$ ls /etc/ssl/certs/ | grep ISRG
ISRG_Root_X1.pem
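The `ls` check above only tells you whether the OS store has the ISRG file; the bundle that requests actually verifies against (`requests.certs.where()`) is a separate file. The following is an added example, not code from this post or from Certbot, that scans any PEM bundle for the commonName of each certificate and reports whether ISRG Root X1 is present and whether the expired DST Root CA X3 still lingers. It uses a heuristic byte scan for the DER commonName OID so it needs no extra libraries; the `constructed_pem` helper builds fake stubs for testing only.

```python
import base64
import re

# OID 2.5.4.3 (commonName) as encoded in DER: tag 0x06, length 3, value 55 04 03
CN_OID = b"\x06\x03\x55\x04\x03"
STRING_TAGS = {0x0C, 0x13, 0x14, 0x16}  # UTF8String, PrintableString, T61String, IA5String


def common_names(der: bytes) -> set:
    """Heuristic scan of one DER certificate for commonName values; a root CA is self-signed
    (issuer == subject), so the returned set always contains the root's own name."""
    names = set()
    pos = der.find(CN_OID)
    while pos != -1:
        tag_pos = pos + len(CN_OID)
        if tag_pos + 2 <= len(der) and der[tag_pos] in STRING_TAGS:
            length = der[tag_pos + 1]
            if length < 0x80:  # short-form length; CA names are well under 128 bytes
                names.add(der[tag_pos + 2:tag_pos + 2 + length].decode("utf-8", "replace"))
        pos = der.find(CN_OID, pos + 1)
    return names


def bundle_common_names(pem_text: str) -> set:
    """Collect CNs from every certificate in a PEM bundle (OS store or requests' cacert.pem)."""
    names = set()
    for block in re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S):
        names |= common_names(base64.b64decode("".join(block.split())))
    return names


def check_bundle(pem_text: str) -> dict:
    """Report whether the current LE root is in the bundle and whether the expired one is still there."""
    names = bundle_common_names(pem_text)
    return {"has_isrg_root_x1": "ISRG Root X1" in names,
            "has_dst_root_ca_x3": "DST Root CA X3" in names}


def constructed_pem(cn: str) -> str:
    """Constructed test data only: a DER stub (not a real certificate) carrying one commonName."""
    name = cn.encode()
    body = CN_OID + bytes([0x13, len(name)]) + name  # PrintableString
    der = bytes([0x30, len(body)]) + body              # wrapped in a SEQUENCE
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    try:
        from requests.certs import where  # the bundle requests verifies against
        path = where()
    except ImportError:
        path = "/etc/ssl/certs/ca-certificates.crt"  # Ubuntu's OS bundle as a fallback
    with open(path) as f:
        print(path, check_bundle(f.read()))
```

Run it with the Python that Certbot uses; if `has_isrg_root_x1` is False for the path printed, that bundle is the one that needs the requests upgrade.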