Raspberry Pi no longer accepting --elliptic-curve argument

I have a homemade HTTPS web server running on a Raspberry Pi 1B.
I tried to update my certificates. Certbot has started complaining that --elliptic-curve=secp256r1 is not a supported argument. I have only implemented secp256r1. Implementing new elliptic curves is hard so I would rather not take that approach.

Installing certbot again with snap doesn't work. Is my project dead?

Filling in the template:

My domain is:
freddiewoodruff.co.uk

I ran this command:

sudo certbot certonly --key-type=ecdsa --cert-name=freddiewoodruff.co.uk --elliptic-curve=secp256r1 --standalone

It produced this output:

usage: 
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. 
certbot: error: unrecognized arguments: --key-type ecdsa --elliptic-curve secp256r1

My web server is (include version):
I made it myself and I can modify it as necessary, but would rather not

The operating system my web server runs on is (include version):
Raspberry Pi OS

My hosting provider, if applicable, is:
Self-hosted

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

freddiewoodruff@freddiepi:~ $ certbot --version
Traceback (most recent call last):
  File "/home/freddiewoodruff/.local/bin/certbot", line 6, in <module>
    from certbot.main import main
  File "/home/freddiewoodruff/.local/lib/python2.7/site-packages/certbot/main.py", line 2, in <module>
    from certbot._internal import main as internal_main
  File "/home/freddiewoodruff/.local/lib/python2.7/site-packages/certbot/_internal/main.py", line 22, in <module>
    from certbot._internal import cert_manager
  File "/home/freddiewoodruff/.local/lib/python2.7/site-packages/certbot/_internal/cert_manager.py", line 16, in <module>
    from certbot._internal import storage
  File "/home/freddiewoodruff/.local/lib/python2.7/site-packages/certbot/_internal/storage.py", line 83, in <module>
    def add_time_interval(base_time, interval, textparser=parsedatetime.Calendar()):
  File "/home/freddiewoodruff/.local/lib/python2.7/site-packages/parsedatetime/__init__.py", line 270, in __init__
    self.ptc = Constants()
  File "/home/freddiewoodruff/.local/lib/python2.7/site-packages/parsedatetime/__init__.py", line 2381, in __init__
    self.locale = get_icu(self.localeID)
  File "/home/freddiewoodruff/.local/lib/python2.7/site-packages/parsedatetime/pdt_locales/icu.py", line 56, in get_icu
    result['icu'] = icu = pyicu.Locale(locale)
AttributeError: 'module' object has no attribute 'Locale'

Also:

freddiewoodruff@freddiepi:~ $ sudo snap install core
[sudo] password for freddiewoodruff: 
error: snap "core" is not available on stable for this architecture (armel) but exists on other
       architectures (amd64, arm64, armhf, i386, ppc64el, s390x).

That is the default for current versions of Certbot. And, so are ecdsa certs.

Your command works on my Certbot 2.8 version just fine

I believe your problem is related to Python v2.7 which is very old. If the command certbot --version causes this error no other commands will work either.

How did you install Certbot?

4 Likes
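A check a server that only implements secp256r1 can run on a newly issued certificate before loading it, added here as an example and not part of the thread or of Certbot. The function names are hypothetical; OpenSSL reports secp256r1 under the name prime256v1.

```shell
#!/bin/sh
# Added example: report the named curve of a certificate's public key with
# the openssl CLI. Function names are illustrative, not from the thread.

# Print the curve name OpenSSL reports (e.g. prime256v1) for a PEM
# certificate, or "not-ec" if there is no EC key with a named curve.
cert_curve() {
    curve=$(openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *ASN1 OID: *//p' | head -n 1)
    printf '%s\n' "${curve:-not-ec}"
}

# Succeed only if the certificate's key is on secp256r1
# (OpenSSL name: prime256v1, NIST name: P-256).
is_secp256r1() {
    [ "$(cert_curve "$1")" = "prime256v1" ]
}

# Constructed sample input: a throwaway self-signed certificate.
# $1 = curve name, $2 = output certificate path
make_sample_cert() {
    key=$(mktemp)
    openssl req -x509 -newkey ec -pkeyopt "ec_paramgen_curve:$1" -nodes \
        -keyout "$key" -out "$2" -subj "/CN=example.invalid" -days 1 \
        2>/dev/null
    rm -f "$key"
}

# Stand-alone use: pass the path of the certificate to check.
if [ -n "${1:-}" ]; then
    if is_secp256r1 "$1"; then
        echo "OK: key is on secp256r1"
    else
        echo "MISMATCH: key curve is $(cert_curve "$1")"
    fi
fi
```

Running it from a renewal hook keeps a certificate on an unsupported curve from reaching the server unnoticed.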

I initially installed certbot by following the instructions on this page https://certbot.eff.org/ a few years back.
The instructions a few years back did not involve snap.
I would like to install Certbot 2.8.
I have tried

sudo snap install --classic certbot

which gives

error: snap "certbot" is not available on stable for this architecture (armel)
       but exists on other architectures (amd64, arm64, armhf).

Something must have changed on your system to have it start failing. But, no matter.

If snap is not possible on that system there are alternatives for Certbot. Or, you could even consider a different ACME Client (see Let's Encrypt suggestions here)

You might try the Certbot pip/venv instructions here:

https://eff-certbot.readthedocs.io/en/stable/install.html

4 Likes

Uninstalling and then installing with pip rather than snap solved it!! (apt-get did not work.) Thank you Mike.

One last question! I can't imagine there are many people trying to serve SSL certificates to browsers from an armv6 machine. Is there anywhere I can stick my hand up and say 'please keep supporting my old server hardware' for the future?

2 Likes

For Certbot, try EFF's GitHub for it. But, officially, they do not support any o/s that is past its supported life (EOL).

Don't forget there are other ACME Clients and several based just on Bash (acme.sh the most popular of those).

If you mean general TLS and related cert options, don't waste your breath. The industry is broad and moves forward relentlessly :)

Glad I could help.

2 Likes

Not really.

The Certbot team stopped supporting os/distributions several years ago, in favor of Snap. Support for hardware/os has since entirely fallen on the part of the distribution maintainers. (IIRC, aside from the workload of patching support for multiple distributions, the Certbot team spent way too much time working with the distribution maintainers to have updates packaged into their systems. Certbot's update cadence is significantly faster than version bumps or security updates for any operating system.)

It sounds like your os of choice made the decision to stop supporting Certbot too, and those decisions are rarely reversed.

3 Likes

It's usually Debian, up to version 12. It should have a somewhat recent version, 2.1 (Debian -- Details of package certbot in bookworm).

3 Likes

I'd also recommend a client based on Go like lego, where you can similarly just copy the binary over and not worry about dependencies (and they build a binary for pretty much every architecture out there).

5 Likes
