Ubuntu 16.04 PPA: How long until Certbot 0.22.0 available?


#1

Finally! Worth all the time waiting! Next question: how long will it take to upgrade the version of certbot in Ubuntu (16.04) PPA source (so that we can start to issue certificates for domains with wildcards)?


ACME v2 and Wildcard Certificate Support is Live
#2

Last time it took 11 days for certbot 0.21.1 to appear on the Xenial PPA. Hopefully it’s faster than that this time around.

https://launchpad.net/~certbot/+archive/ubuntu/certbot?field.series_filter=xenial


#3

Unfortunately, it will probably be at least a couple weeks. The PPA is maintained by Debian maintainers who just take the packages from Debian, but they haven’t had a chance to package Certbot 0.22.0 or any of its DNS plugins. The DNS plugins are needed to automate obtaining wildcard certificates because Let’s Encrypt only supports domain validation via DNS for wildcard certificates. On that note, if you have some experience with Debian packaging and would like to contribute to Certbot by helping our Debian maintainers with this, please get in touch.

We’ll be doing what we can on our end to move things along. In the meantime, keep an eye on https://certbot.eff.org for instructions on how to workaround these limitations while we wait for packaging to catch up.


#4

So, instead of using PPA source is there any instruction to upgrade the certbot manually, since it’s already there?


#5

You can just follow the certbot-auto instructions. It should build/update it’s own environment on your machine, but it uses the /etc/letsencrypt directory for data.


#6

Thanks a lot for your hint. Could you please to share a link to the docs (for new instructions)? Thanks in advance.


#7

Try https://certbot.eff.org/lets-encrypt/pip-other (for example).


#8

I’d like to point out that the package in the Ubuntu PPA does not include the DNS plugins which make wildcard support more automatic. In order to get around this, our organization decided to install from source on Ubuntu Xenial as detailed in the Certbot Developer Guide.

# Obtain latest release source
git clone https://github.com/certbot/certbot
cd certbot
git checkout v0.22.0

# Install operating system dependencies and environment in ./certbot/venv/
sudo ./certbot-auto --os-packages-only
./tools/venv.sh

Then, any time we want to create new certificates, we activate the environment to find our newly-built certbot.

source ./certbot/venv/bin/activate

And now, we can run our commands with it. The version of certbot that was installed is accessible in $PATH. For example:

# An example with CloudFlare DNS
sudo env "PATH=$PATH" certbot certonly \
    --server "https://acme-v02.api.letsencrypt.org/directory"
    --dns-cloudflare \
    --dns-cloudflare-credentials "/absolute/path/to/cloudflare-example.com.ini" \
    -d "example.com" -d "*.example.com"

# Manual mode
sudo env "PATH=$PATH" certbot certonly \
    --server "https://acme-v02.api.letsencrypt.org/directory" \
    --manual --preferred-challenges dns-01 \
    -d "example.com" -d "*.example.com"

We also created a renewal script (run from a crontab daily) which is basically the following:

#!/bin/bash

source /path/to/my/local/copy/of/certbot/venv/bin/activate
certbot renew

#9

Following the previous poster, here is the way to do it manually.

git clone https://github.com/certbot/certbot
cd certbot
git checkout v0.22.0
sudo ./certbot-auto --os-packages-only
./tools/venv.sh
source venv/bin/activate
sudo ./certbot -d domain.com -d *.domain.com --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory certonly

MAKE SURE you include root domain and wildcard!!

You will need to make 2 TXT records. Follow the instructions provided by certbot.


#10

I’d be happy to pitch in w/ packaging for Debian/Ubuntu. Any pointers to where the work is being tracked? Feel free to reach out. My email is my handle here @debian.org or @digitalocean.com while on the clock.


#11

Thanks @asb! I sent you an email with the information I know and put you in touch with our Debian maintainer. If you don’t get it, please let me know.


#12

Cool! Speedy! Oh no, not spdy but h2 now. :grinning:


#13

@asb was in touch, and has uploaded a bunch of the plugins for 0.22. We’ve put 0.22 up into sid; they should be making their way through unstable into testing over the next week or so. (The plugins may take a little longer, as they’re first-time uploads.)


#14

@jvanasco - certbot-auto worked like a charm on Ubuntu 17.10. Version comes up as 0.22.0 :slight_smile:


#15

@dsamarin @jslay88 : On the following step, I get the error “sudo: certbot: command not found
” :

certbot certonly \
    --server "https://acme-v02.api.letsencrypt.org/directory"
    --dns-cloudflare \
    --dns-cloudflare-credentials "/absolute/path/to/cloudflare-example.com.ini" \
    -d "example.com" -d "*.example.com"

#16

What happened when you ran source ./venv/bin/activate in bash first ?


#17

I get to that point : (venv) cachwir@myvps:/etc/certbot$


#18

Sounds like you have a unique system. Well, to troubleshoot I would like to know what PATH is set to and what is in venv/bin.

Or just ./venv/bin/certbot if you have weird scripts that change PATH


#19

Here is my $PATH : /etc/certbot/venv/bin:/home/cachwir/bin:/home/cachwir/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

This VPS server is quite new and I didn’t write any script in it, just deployed a website.
Here’s what’s in venv/bin : https://codeshare.io/axqxJM (I put it on Codeshare as it takes quite a lot of space).


#20

Try with sudo env "PATH=$PATH" certbot ...

As a security measure on Debian, /etc/sudoers has secure_path set to a safe value. There is also env_reset which affects environment variables.