Snap Certbot verses Certbot python3-certbot-apache

I came across this recommendation for securing a Wordpress site

Run the following command to install Let’s Encrypt client (certbot) on Ubuntu 20.04 server.

apt install certbot python3-certbot-apache

certbot --apache --agree-tos --redirect --hsts --uir --staple-ocsp --email you@example.com -d yourdomain.com,www.yourdomain.com

Where

--apache: Use the Apache plugin.
--agree-tos: Agree to terms of service.
--redirect: Force HTTPS by 301 redirect.
--hsts: Add the Strict-Transport-Security header to every HTTP response. Forcing browser to always use TLS for the domain. Defends against SSL/TLS Stripping.
--uir: Add the “Content-Security-Policy: upgrade-insecure-requests” header to every HTTP response.
--staple-ocsp: Enables OCSP Stapling. A valid OCSP response is stapled to the certificate that the server offers during TLS.
--email: Email used for registration and recovery contact.
-d flag is followed by a list of domain names, separated by comma. You can add up to 100 domain names.

The certificate should now be obtained and automatically installed.

First - is there a difference between this programs ( Certbot python3-certbot-apache )
and the Snap installed version?

Are they compatible?

Second -
The above has additional security parameters which would seem to be
a good idea. Are these not available in the Snap version?

Many thanks.
David

Installing with apt gets you the certbot supplied with your Ubuntu distro. Those are older versions than the snap (often considerably older and infrequently updated). snap is best as easy to keep current and is the focus of EFF forward. Others can provide considerably more details but that is the highlight.

The command options you show are available in certbot snap whose latest is 1.21
https://eff-certbot.readthedocs.io/en/stable/using.html#certbot-command-line-options

2 Likes

They are the same application, but different methods of distributing. The certbot team recommends using snap, as it will be most up to date.

Using the snap distribution method will give you the best chance of best compatibility in the future.

2 Likes

Thanks for your responses.
I am using Certbot installed with snap

I checked through the linked command options (thanks) and see that these
are available: --redirect --hsts --uir --staple-ocsp
All seem to be very sensible options to have.

To apply these options, will I need to delete existing certificates and re-create them?

1 Like

Hello again @Dave.Sintra

--redirect is the default so you probably already have that in place for all your domains

--uir is better resolved by ensuring you do not serve mixed content in the first place.

--hsts and --staple require some study and care to use effectively. That is probably why certbot has them off by default.

Stapling is the only one of these that affects the certificate. The other 3 are just server config items.

Others will likely have different opinions :slight_smile:

1 Like

And to have these options ( or just --staple-ocsp ) will I need to delete existing certificates and re-create them?

UPDATE
I just noticed there is a "enhance" option. That looks like the right thing to use.

No; Deleting certs is never required to change certbot versions.
If those parameters were already there, they will continue to be used after the upgrade.
If any of those parameters were NOT there before the upgrade, then you will have to issue a cert with them (or manually add them to the related VHOSTs).

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.