My domain is: www.pfeiffer-koberstein-immobilien.de
I ran this command:
sudo snap install --classic certbot
It produced this output:
error: system does not fully support snapd: you need to reboot into a 4.4 kernel to start using snapd
My web server is (include version):
Apache/2.4.7 (Ubuntu)
The operating system my web server runs on is (include version):
Linux Kernel version 3.13.0-79-generic
My hosting provider, if applicable, is:
Strato root server
I can login to a root shell on my machine (yes or no, or I don't know):
yes
Hello,
I am trying to install certbot to use Let's Encrypt, but after installing snapd, I got this error when I tried to install certbot:
sudo snap install --classic certbot
error: system does not fully support snapd: you need to reboot into a 4.4 kernel to start using snapd
My questions:
How can I solve this problem? It seems to be a bigger thing, and I don't want to break our system.
Is it possible to install certbot without snap, in a normal way, for example with
sudo apt install certbot?
I think the general advice around trying to get a certificate on older systems is to use a different client with minimal dependencies, like something in the client list using Bash or Go.
But if your system isn't getting security updates, it's not like adding a certificate would suddenly make anything "secure". It may just give your users a false sense of security.
Thanks for your answers. Snap does not work because I need kernel 4.4 instead of 3.13.
It's a running server, a LAMP system, Ubuntu Server version, PHP 5.5.9.
I have another idea: I have a local machine with
snap 2.48.3 ubuntu 16.04, kernel 4.4.0-203-generic
So, I could install certbot on this machine, generate the certificates there without the --apache option, and transfer these certificates to the other server, where I save the certificates in the correct directory corresponding to the Apache virtual hosts configuration.
Is this possible? I cannot see any problems.
It's possible to issue certificates on different hosts than the actual server, but keep in mind there is a challenge to be validated. So it depends on the setup of your servers if it's easy to do. Also, keep in mind that Let's Encrypt advocates automated certificate renewal, so it's recommended to somehow automate the transfer of the certificate at renewal and all the things that come with it, such as reloading the webserver or other services using the certificate.
It's probably easier to use the pip method of installing certbot. If you keep the vulnerable server around anyway, it doesn't really make a difference running certbot on a different host.
You say this server runs MySQL, OK.
If that database can be pushed back, and away from direct Internet access, you might buy this system a bit more lifetime.
I would put another, more secure system in the path, and use it to serve the Internet public, while making the database on the older system accessible only from this newer system.
You should get your certificate on a different host (using DNS validation) then copy the certificate files to the destination host on each renewal (and restart required services). If the rest of the system is also quite old you should consider a reverse proxy back to this service to protect it from the most malicious traffic.
Regarding the system age (off-topic), if you can't get support from Ubuntu then nobody else can help you either. If this system matters to your business then migrating or retiring this system should be your number one priority. You either need to shut it down, migrate it, or re-develop it, and if it's not your call then it's not something you can reasonably support either. I can see it's also an old website/application in general (I'm guessing the code for this was built up to 20 years ago?), so someone needs to decide what happens next. The biggest risk with older web-based systems is that the site simply gets hacked and data is either lost or leaked.
Thanks for your answers.
We usually renew our LAMP system when ordering a new root server, and this will soon be the case. For security reasons we're working with VPN, virus programs and traffic monitoring.
petercooperjr had a good tip, so I implemented getssl, a simple bash script on the ssh console, and it works very well. There you can generate the certificates locally and load them onto the server via ssh. I prefer this approach, as the CA should be offline for security reasons, as we do for VPN.
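
The copy-on-renewal step recommended in the replies above, sketched as an added example that is not part of the thread and not getssl's or certbot's own code: it checks the renewed pair before it leaves the issuing host, then installs it on the old server and reloads Apache only if the config test passes. `REMOTE`, `REMOTE_DIR`, the `deploy` argument and the use of `sudo` on the old server are assumptions.

```shell
#!/bin/sh
# Added example: run on the issuing host after each renewal.
# Hypothetical values, not from the thread:
REMOTE="${REMOTE:-deploy@legacy.example}"  # SSH target (placeholder)
REMOTE_DIR="${REMOTE_DIR:-/etc/ssl/le}"    # dir the Apache vhost reads (placeholder)

# Succeeds only if key and cert share a public key, the cert names
# the domain, and it is still valid min_days from now.
validate_pair() (
    cert=$1 key=$2 domain=$3 min_days=$4
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in "$key" -pubout) || exit 1
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate" >&2; exit 1; }
    openssl x509 -in "$cert" -noout -checkhost "$domain" |
        grep -q 'does match' ||
        { echo "certificate does not cover $domain" >&2; exit 1; }
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "certificate expires within $min_days days" >&2; exit 1; }
)

# Stage in a private temp dir on the old server, install with tight
# modes, and reload Apache only if its config test passes.
push_pair() {
    stage=$(ssh "$REMOTE" 'mktemp -d') || return 1
    scp -q "$1" "$REMOTE:$stage/fullchain.pem" || return 1
    scp -q "$2" "$REMOTE:$stage/privkey.pem" || return 1
    ssh "$REMOTE" "sudo install -m 644 '$stage/fullchain.pem' '$REMOTE_DIR/' &&
        sudo install -m 600 '$stage/privkey.pem' '$REMOTE_DIR/' &&
        rm -rf '$stage' &&
        sudo apachectl configtest && sudo service apache2 reload"
}

# Entry point, e.g. certbot renew --deploy-hook "/path/to/this-script deploy"
# (certbot exports RENEWED_LINEAGE to deploy hooks).
if [ "${1:-}" = "deploy" ]; then
    dir=${RENEWED_LINEAGE:?not set}
    domain=${DOMAIN:-$(basename "$dir")}  # assumes lineage is named after the domain
    validate_pair "$dir/fullchain.pem" "$dir/privkey.pem" "$domain" 30 &&
        push_pair "$dir/fullchain.pem" "$dir/privkey.pem"
fi
```

Restricting the SSH key used for `REMOTE` to this one task limits what a compromise of the issuing host can do on the old server.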