Trouble updating certbot to get the --prefered-chain command (to force ISRG Root X1)

Yumi · October 1, 2021, 2:02pm

Hi,

Our domains have been affected by the DST Root CA X3 expiration.

The only solution we found was to update certbot to at least 1.12 to have access to the --prefered-chain command to force ISRG Root X1.

The problem is that certbot only goes up to 0.31 with apt.

We tried snapd but it seems to not be compatible with our Ubuntu 16.04 (error: system does not fully support snapd: cannot mount squashfs image using "squashfs": mount: unknown filesystem type 'squashfs')

Same goes for pip installation, which shows errors that seems to be linked to our python version.

Any help would be appreciated to update our certbot version, like many others, our system is down and clients are waiting.

Thanks !

jillian · October 1, 2021, 3:24pm

Your OS is unfortunately out of support and you should plan to upgrade it. That’s not very helpful in this moment. To get around the old certbot problem, you should switch to another client that can be installed. Many people switch to acme.sh in this scenario. You can read their docs and search for help on it in the forum. Please note that recently acme.sh updated their default ACME server to another provider. If you want to continue using Let’s Encrypt you will need account for that when configuring.

Osiris · October 1, 2021, 5:15pm

Wouldn't the pip installation method be an option?

Phil · October 1, 2021, 5:16pm

I don't think they're able to because python on Ubuntu 16.04 is so old.

Osiris · October 1, 2021, 5:19pm

Whoops, missed that one.

rg305 · October 2, 2021, 6:24am

What about another ACME client?
Like: acme.sh

eva2000 · October 3, 2021, 11:52am

+1 acme.sh is so easy to use on any system which can run shell scripting - been using it for 5+ yrs for my integration into automated Nginx HTTPS sites generation. See GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol

FYI, acme.sh defaults to using ZeroSSL but can be switched back to Letsencrypt easily ZeroSSL.com CA · acmesh-official/acme.sh Wiki · GitHub and Change default CA to ZeroSSL · acmesh-official/acme.sh Wiki · GitHub. Though with current issues and if you hit Letsencrypt rate limiting, you can just use ZeroSSL

acme.sh supports preferred chain too Preferred Chain · acmesh-official/acme.sh Wiki · GitHub and soon you can set it system wide by default Setting Preferred Chain system wide? · Issue #3717 · acmesh-official/acme.sh · GitHub

rg305 · October 4, 2021, 9:07am

9 posts were split to a new topic: Apache challenge file / redirection issue

system · November 3, 2021, 9:08am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Centos change from acme.sh to certbot; tips? Help	12	1513	December 29, 2021
Older version of ubuntu Help	3	756	May 20, 2021
How do we stick to IdenTrust cross-signed after September Help	5	1211	September 17, 2020
Acmev1 deprecated and certbot unavailable Help	10	1910	August 21, 2021
Im trying update certs with acme.sh but it do not work anymore Help	16	7696	December 11, 2021

Trouble updating certbot to get the --prefered-chain command (to force ISRG Root X1)

Related topics