Renewals on Ubuntu 16.04 and old certbot version

I have a VPS with Ubuntu 16.04.3 LTS installed on it, and I’ve been installing everything from the main repositories except for the main package, which I installed from git.

sudo ./letsencrypt-auto --apache -d worked great! SSL certificate installed just fine.

I went and added certbot with add-apt-repository ppa:certbot/certbot but it seems to install an older version, which I’m reading is annoyingly common with 16.04. When I try a dry run renewal, (certbot renew --dry-run) I get this error:

Attempting to parse the version 0.20.0 renewal configuration file found at /etc/letsencrypt/renewal/ with version 0.19.0 of Certbot. This might not work.

Now going forward, should I just install the certbot stuff from git as well?

Where is the best place to install it? I don’t want to accidentally overwrite something important.

Right now I just have a crontab entry for renewals.

@monthly root /opt/letsencrypt/letsencrypt-auto certonly --renew-by-default -d


Hi @tacobob,

letsencrypt-auto (which is the old name for certbot-auto) automatically downloads the latest released version of Certbot every time it’s run. This will almost always be newer than the version packaged in a distribution (even if you don’t use an LTS distribution). To avoid the warning that you saw, you should probably decide on using one or the other—your distribution version or the autoupdating version—and then use that one consistently on your system.

letsencrypt-auto and certbot-auto are different names for the same program.

1 Like

Installing Certbot from the PPA installed a cron job (disabled) and systemd timer (enabled) that run "/usr/bin/certbot renew". If downgrading to 0.19.0 is acceptable, you can disable your own cron job. If it's not, you should uninstall PPA Certbot, or do something about the new timer.

It's only warning you that downgrading might not work. It usually does.

Normally I would suggest running "certbot renew --dry-run" to check, but that will actually fail right now because TLS-SNI-01 validation is disabled for a security investigation.

You might want to put this all on hold and deal with it after things are back to normal.

It's recommended to run "/opt/letsencrypt/letsencrypt-auto renew" twice a day. (It won't do anything unless your certificate is going to expire soon.)

Deriving it from the package's /etc/cron.d/certbot would give you something like:

0 */12 * * * root perl -e 'sleep int(rand(3600))' && /opt/letsencrypt/letsencrypt-auto -q renew

(It uses Perl to run at a random-ish time of the day.)

that’s good to know, thanks!

Do I need to specify each domain or is there a way to just renew all of them in one go?

You don't need to specify anything.* ** The "renew" command renews certificates with the settings used before, saved in /etc/letsencrypt/renewal/.

* You may need to add a hook to, for example, reload your web server. That can be specified in a few places, including the "certbot renew" command line.

** Certificates issued with "certbot certonly --manaul" without "--manual-auth-hook" can't be automatically renewed.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.