I have a legacy Debian system on which almost all software was manually compiled. I have been using certbot-auto with conf files, webroot, and CRON jobs without any issue for a few years now, but today I noticed a message saying certbot-auto is no longer supported on this system. So, I looked into it and understand that certbot-auto is discontinued and I need to update to the latest certbot.
However, I have read through the docs and they are less than helpful for my situation. I cannot just use apt to install certbot because it wants to install a host of python packages as well. This could potentially break some of the other software we are running so I'm guessing I need to manually compile certbot (or maybe some other way of installing it?).
I would like to continue using it as I have in the past and do not want to be forced to use the Apache plugin or modify anything else on the system. I just need the certs to auto-renew themselves based on the conf files.
This is a Debian Linux server with a system python of 2.7.13. Can anyone provide detailed assistance to getting this updated? Thanks!
certbot-auto also installs these same Python packages, but it dumps them into a Python virtual environment rather than into the global Python environment.
One of the benefits of the official installation method for Debian (snaps) is reliable isolation from the host system. I recommend you use that.
With your existing certbot-auto installation, it should continue renewing your certificates, despite the warning about being unsupported. How long it will continue working isn't clear and it's not recommended because it won't receive updates, but you can do it.
Finally, taking your life into your own hands, you could install the certbot Python module into a virtual environment using pip, similar to what certbot-auto does. It's definitely not something that there is official support for, but the team does plan to eventually release official instructions using pip/pipx/something for those who really cannot use snaps for whatever reason.
certbot-auto has been deprecated and now it isn't supported in any system so if you want to use it you can do it but it won't be updated.
Regarding the certbot package included in your distribution... I don't think it's worth installing because I'm pretty sure the version would be outdated, so you would really be downgrading, and if you are using a legacy Debian I also suppose you won't get any updates.
As certbot is now being distributed as a snap package you could install it that way, but snap is not available in versions prior to Debian 9, so if you are using Debian 7 or 8 you can't go that route.
My advice, use another client like acme.sh (it is a bash shell script and has minimum requirements but it is full of features). Yes, you will have to learn how to use it and migrate your stuff but you will get an updated client that works on your legacy system.
I do not want to start over with another client if at all possible.
It is my understanding that certbot-auto will not work after June 2021 because a v2 client must be used in order to communicate with Let's Encrypt. That is why I am seeking an answer on updating to the latest certbot.
I'm not sure why the recommendations are still to use some automated installer. Yes, it's easier, especially for those that aren't well versed in compiling from source, but in my case I need a self-contained installation that will not affect any other portion of this server.
I have no issues with compiling from source, or doing a github pull (which can be done via cron as well to ensure the latest version is always available), but I need a specific step-by-step to ensure I am doing it all correctly.
Certbot has supported ACMEv2 since 0.22 (released back in 2018), and I'm sure your certbot-auto has installed a newer Certbot release than 0.22. If you have a very odd configuration you might receive warnings indicating that you're still using ACMEv1, but in this case the thing you'd have to do to fix that is different from switching away from certbot-auto.
I can't promise this will work for everyone (or will work in the future); please defer to official documentation wherever possible. This worked for me just now on Ubuntu 18.04:
user@ubuntu:~$ virtualenv -p python3 my-certbot-venv
Already using interpreter /usr/bin/python3
Using base prefix '/usr'
New python executable in /home/user/my-certbot-venv/bin/python3
Also creating executable in /home/user/my-certbot-venv/bin/python
Installing setuptools, pkg_resources, pip, wheel...done.
user@ubuntu:~$ . my-certbot-venv/bin/activate
(my-certbot-venv) user@ubuntu:~$ pip install certbot
Collecting certbot
Using cached certbot-1.11.0-py2.py3-none-any.whl (250 kB)
Requirement already satisfied: setuptools in ./my-certbot-venv/lib/python3.6/site-packages (from certbot) (51.1.2)
Collecting acme>=1.8.0
Using cached acme-1.11.0-py2.py3-none-any.whl (43 kB)
Collecting ConfigArgParse>=0.9.3
Using cached ConfigArgParse-1.2.3-py3-none-any.whl
Collecting cryptography>=1.2.3
Using cached cryptography-3.3.1-cp36-abi3-manylinux2010_x86_64.whl (2.6 MB)
Collecting cffi>=1.12
Using cached cffi-1.14.4-cp36-cp36m-manylinux1_x86_64.whl (401 kB)
Collecting distro>=1.0.1
Using cached distro-1.5.0-py2.py3-none-any.whl (18 kB)
Collecting josepy>=1.1.0
Using cached josepy-1.5.0-py2.py3-none-any.whl (57 kB)
Collecting parsedatetime>=1.3
Using cached parsedatetime-2.6-py3-none-any.whl (42 kB)
Collecting PyOpenSSL>=0.15.1
Using cached pyOpenSSL-20.0.1-py2.py3-none-any.whl (54 kB)
Collecting requests-toolbelt>=0.3.0
Using cached requests_toolbelt-0.9.1-py2.py3-none-any.whl (54 kB)
Collecting requests[security]>=2.6.0
Using cached requests-2.25.1-py2.py3-none-any.whl (61 kB)
Collecting certifi>=2017.4.17
Using cached certifi-2020.12.5-py2.py3-none-any.whl (147 kB)
Collecting chardet<5,>=3.0.2
Using cached chardet-4.0.0-py2.py3-none-any.whl (178 kB)
Collecting idna<3,>=2.5
Using cached idna-2.10-py2.py3-none-any.whl (58 kB)
Collecting six>=1.9.0
Using cached six-1.15.0-py2.py3-none-any.whl (10 kB)
Collecting urllib3<1.27,>=1.21.1
Using cached urllib3-1.26.2-py2.py3-none-any.whl (136 kB)
Collecting configobj
Using cached configobj-5.0.6-py3-none-any.whl
Collecting pycparser
Using cached pycparser-2.20-py2.py3-none-any.whl (112 kB)
Collecting pyrfc3339
Using cached pyRFC3339-1.1-py2.py3-none-any.whl (5.7 kB)
Collecting pytz
Using cached pytz-2020.5-py2.py3-none-any.whl (510 kB)
Collecting zope.component
Using cached zope.component-4.6.2-py2.py3-none-any.whl (67 kB)
Collecting zope.deferredimport>=4.2.1
Using cached zope.deferredimport-4.3.1-py2.py3-none-any.whl (10 kB)
Collecting zope.deprecation>=4.3.0
Using cached zope.deprecation-4.4.0-py2.py3-none-any.whl (10 kB)
Collecting zope.hookable>=4.2.0
Using cached zope.hookable-5.0.1-cp36-cp36m-manylinux2010_x86_64.whl (26 kB)
Collecting zope.interface
Using cached zope.interface-5.2.0-cp36-cp36m-manylinux2010_x86_64.whl (236 kB)
Collecting zope.event
Using cached zope.event-4.5.0-py2.py3-none-any.whl (6.8 kB)
Collecting zope.proxy
Using cached zope.proxy-4.3.5-cp36-cp36m-manylinux2010_x86_64.whl (69 kB)
Installing collected packages: pycparser, six, cffi, zope.interface, urllib3, idna, cryptography, chardet, certifi, zope.proxy, requests, pytz, PyOpenSSL, zope.hookable, zope.event, zope.deprecation, zope.deferredimport, requests-toolbelt, pyrfc3339, josepy, zope.component, parsedatetime, distro, configobj, ConfigArgParse, acme, certbot
Successfully installed ConfigArgParse-1.2.3 PyOpenSSL-20.0.1 acme-1.11.0 certbot-1.11.0 certifi-2020.12.5 cffi-1.14.4 chardet-4.0.0 configobj-5.0.6 cryptography-3.3.1 distro-1.5.0 idna-2.10 josepy-1.5.0 parsedatetime-2.6 pycparser-2.20 pyrfc3339-1.1 pytz-2020.5 requests-2.25.1 requests-toolbelt-0.9.1 six-1.15.0 urllib3-1.26.2 zope.component-4.6.2 zope.deferredimport-4.3.1 zope.deprecation-4.4.0 zope.event-4.5.0 zope.hookable-5.0.1 zope.interface-5.2.0 zope.proxy-4.3.5
(my-certbot-venv) user@ubuntu:~$ certbot --version
certbot 1.11.0
A challenge with this is that you have to either activate the virtual environment before running Certbot, or run it as /home/user/my-certbot-venv/bin/certbot (instead of /usr/bin/certbot or whatever).
Of course, you don't have to use the specific name my-certbot-venv for your virtual environment. You can call it anything you want.
One further complication is that Certbot 1.11 is the final version to support Python 2.7. @kittonian is running Debian Wheezy (based on their comments in Mattermost) and I don't think Python 3.6+ is available there. That may throw a slight spanner in the works for the pip instructions.
I agree with the assessment that assuming certbot-auto --version reports a relatively recent version (and it should unless --no-self-upgrade is being employed), OP should absolutely be able to keep using it past the ACMEv1 shutdown.
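As an added example that is not from any poster in this thread, the following POSIX shell script packages the virtualenv procedure shown above into reusable functions: it creates the venv, picks the pip requirement (pinning certbot==1.11.0 when the venv's interpreter is Python 2.x, since 1.11 is the last release supporting 2.7 as noted above), verifies that the reported version is new enough for ACMEv2 (0.22 or later), and emits a cron line that calls the venv's certbot by absolute path so nothing needs to be activated first. The function names, the 12-hourly schedule and the venv path are my own assumptions; `virtualenv`, `pip` and `certbot --version` are the real tools the thread already uses.

```shell
#!/bin/sh
# Constructed example (not from the thread): self-contained Certbot install
# in a virtualenv, plus helpers for version checks and a cron entry.
set -eu

# Thresholds taken from the discussion above: ACMEv2 support arrived in
# Certbot 0.22; Certbot 1.11 is the final release that supports Python 2.7.
MIN_ACMEV2="0.22.0"
LAST_PY27="1.11.0"

# version_ge A B: succeed if dotted version A >= B, comparing each numeric
# component in turn (missing components count as 0, so 1.11 == 1.11.0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0 }'
}

# version_from_output "certbot-auto 1.9.0" -> 1.9.0 (last whitespace field).
version_from_output() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# acme_v2_ok OUTPUT: does the `certbot --version` output describe a client
# new enough to speak ACMEv2?
acme_v2_ok() {
    version_ge "$(version_from_output "$1")" "$MIN_ACMEV2"
}

# certbot_pin PY_MAJOR_MINOR: the pip requirement to install for that
# interpreter (pinned on Python 2.x, unpinned otherwise).
certbot_pin() {
    case "$1" in
        2.*) printf 'certbot==%s\n' "$LAST_PY27" ;;
        *)   printf 'certbot\n' ;;
    esac
}

# renew_cron_line VENV: a crontab entry that uses the venv's certbot by
# absolute path, so the venv never has to be activated (the complication
# noted above). `certbot renew` reuses the saved renewal configuration,
# including the webroot settings, so no further flags are needed.
renew_cron_line() {
    printf '0 */12 * * * %s/bin/certbot renew --quiet\n' "$1"
}

# install_certbot VENV: create the venv (interpreter from $PYTHON, default
# python3), install the right certbot requirement, and verify the result.
# Assumes `virtualenv` is on PATH and that pip can reach PyPI.
install_certbot() {
    venv="$1"
    virtualenv -p "${PYTHON:-python3}" "$venv"
    pyver=$("$venv/bin/python" -c 'import sys; print("%d.%d" % sys.version_info[:2])')
    "$venv/bin/pip" install "$(certbot_pin "$pyver")"
    reported=$("$venv/bin/certbot" --version 2>&1)
    if acme_v2_ok "$reported"; then
        echo "installed: $reported (ACMEv2 capable)"
        echo "suggested crontab entry:"
        renew_cron_line "$venv"
    else
        echo "installed: $reported (too old for ACMEv2)" >&2
        return 1
    fi
}

# Only perform the network-dependent install when explicitly asked:
#   sh this-script.sh install /home/user/my-certbot-venv
if [ "${1:-}" = install ] && [ -n "${2:-}" ]; then
    install_certbot "$2"
fi
```

Run it with `install <venv-path>` as root or as the user who owns the certificate directory, and add the printed cron line to that user's crontab; the `--version` check on the last step is the same test the posters above use to decide whether a client is old enough to matter.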
I just did a --version to check and it's certbot-auto 1.9.0. If I can keep using it without any issues, I really don't care about a warning message. I just wanted to be prepared with whatever I needed to do in advance of having to scramble for a solution after a certificate expires.
That is unknown, as future changes might require an update to an ACME client. For example, very old clients only using ACME v1 won't work in the near future. Such changes might also occur in the future regarding certbot 1.9.0. Also, there might be a security impact if an exploitable bug isn't fixed due to the lack of updates.