Version Upgrade

Hi All

Received the email "Action required" and need to upgrade the version of certbot to at least 0.28. Currently we are running 0.26 on an Ubuntu server running 14.4 with Apache and I can’t seem to upgrade.

Have done an apt-get update && apt-get upgrade and have also done an apt-get install --reinstall certbot but it still says 0.26.

Can anyone advise how I can get this updated to at least version 0.28 other than upgrading the server to maybe 16.4? We are not in a position to upgrade the machine at present.

Thanks

Glenn

Try apt-get dist-upgrade.

The current version in the PPA is 0.28.0.

Many thanks for that. I always thought dist-upgrade upgraded to the next version of the OS. I did try this but am still running 0.26.1. I can see in the list there were certbot items installed (list below) but it still made no difference.

The following NEW packages will be installed:

python-asn1crypto python-certifi python-cffi-backend python-cryptography

python-enum34 python-idna python-ipaddress python-openssl

python-pkg-resources

The following packages will be upgraded:

python-chardet python-requests python-urllib3

3 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.

Need to get 1,083 kB of archives.

After this operation, 4,710 kB of additional disk space will be used.

Do you want to continue? [Y/n] y

Get:1 http://ppa.launchpad.net/certbot/certbot/ubuntu/ trusty/main python-asn1crypto all 0.22.0-2+ubuntu14.04.1+certbot+1 [70.2 kB]

Get:2 http://ppa.launchpad.net/certbot/certbot/ubuntu/ trusty/main python-certifi all 2017.4.17-2+ubuntu14.04.1+certbot+1 [177 kB]

Get:3 http://archive.ubuntu.com/ubuntu/ trusty/universe python-enum34 all 0.9.23-1 [34.2 kB]

Get:4 http://ppa.launchpad.net/certbot/certbot/ubuntu/ trusty/main python-cffi-backend amd64 1.10.0-0.1+ubuntu14.04.1+certbot+1 [70.1 kB]

Get:5 http://ppa.launchpad.net/certbot/certbot/ubuntu/ trusty/main python-pkg-resources all 33.1.1-1+certbot~trusty+1 [166 kB]

Get:6 http://ppa.launchpad.net/certbot/certbot/ubuntu/ trusty/main python-chardet all 3.0.4-1+ubuntu14.04.1+certbot+2 [80.8 kB]

Get:7 http://ppa.launchpad.net/certbot/certbot/ubuntu/ trusty/main python-idna all 2.5-1+ubuntu14.04.1+certbot+1 [31.6 kB]

Get:8 http://ppa.launchpad.net/certbot/certbot/ubuntu/ trusty/main python-ipaddress all 1.0.17-1+certbot~trusty+1 [18.2 kB]

Get:9 http://ppa.launchpad.net/certbot/certbot/ubuntu/ trusty/main python-cryptography amd64 1.9-1+ubuntu14.04.1+certbot+2 [213 kB]

Get:10 http://ppa.launchpad.net/certbot/certbot/ubuntu/ trusty/main python-openssl all 17.3.0-1~0+ubuntu14.04.1+certbot+1 [47.5 kB]

Get:11 http://ppa.launchpad.net/certbot/certbot/ubuntu/ trusty/main python-urllib3 all 1.21.1-1+ubuntu14.04.1+certbot+1 [97.2 kB]

Get:12 http://ppa.launchpad.net/certbot/certbot/ubuntu/ trusty/main python-requests all 2.18.1-1+ubuntu14.04.1+certbot+1 [76.5 kB]

Fetched 1,083 kB in 0s (1,598 kB/s)

Selecting previously unselected package python-asn1crypto.

(Reading database … 27725 files and directories currently installed.)

Preparing to unpack …/python-asn1crypto_0.22.0-2+ubuntu14.04.1+certbot+1_all.deb …

Unpacking python-asn1crypto (0.22.0-2+ubuntu14.04.1+certbot+1) …

Selecting previously unselected package python-certifi.

Preparing to unpack …/python-certifi_2017.4.17-2+ubuntu14.04.1+certbot+1_all.deb …

Unpacking python-certifi (2017.4.17-2+ubuntu14.04.1+certbot+1) …

Selecting previously unselected package python-cffi-backend.

Preparing to unpack …/python-cffi-backend_1.10.0-0.1+ubuntu14.04.1+certbot+1_amd64.deb …

Unpacking python-cffi-backend (1.10.0-0.1+ubuntu14.04.1+certbot+1) …

Selecting previously unselected package python-pkg-resources.

Preparing to unpack …/python-pkg-resources_33.1.1-1+certbot~trusty+1_all.deb …

Unpacking python-pkg-resources (33.1.1-1+certbot~trusty+1) …

Preparing to unpack …/python-chardet_3.0.4-1+ubuntu14.04.1+certbot+2_all.deb …

Unpacking python-chardet (3.0.4-1+ubuntu14.04.1+certbot+2) over (2.0.1-2build2) …

Selecting previously unselected package python-enum34.

Preparing to unpack …/python-enum34_0.9.23-1_all.deb …

Unpacking python-enum34 (0.9.23-1) …

Selecting previously unselected package python-idna.

Preparing to unpack …/python-idna_2.5-1+ubuntu14.04.1+certbot+1_all.deb …

Unpacking python-idna (2.5-1+ubuntu14.04.1+certbot+1) …

Selecting previously unselected package python-ipaddress.

Preparing to unpack …/python-ipaddress_1.0.17-1+certbot~trusty+1_all.deb …

Unpacking python-ipaddress (1.0.17-1+certbot~trusty+1) …

Selecting previously unselected package python-cryptography.

Preparing to unpack …/python-cryptography_1.9-1+ubuntu14.04.1+certbot+2_amd64.deb …

Unpacking python-cryptography (1.9-1+ubuntu14.04.1+certbot+2) …

Selecting previously unselected package python-openssl.

Preparing to unpack …/python-openssl_17.3.0-1~0+ubuntu14.04.1+certbot+1_all.deb …

Unpacking python-openssl (17.3.0-1~0+ubuntu14.04.1+certbot+1) …

Preparing to unpack …/python-urllib3_1.21.1-1+ubuntu14.04.1+certbot+1_all.deb …

Unpacking python-urllib3 (1.21.1-1+ubuntu14.04.1+certbot+1) over (1.7.1-1build1) …

Preparing to unpack …/python-requests_2.18.1-1+ubuntu14.04.1+certbot+1_all.deb …

Unpacking python-requests (2.18.1-1+ubuntu14.04.1+certbot+1) over (2.2.1-1ubuntu0.2) …

Setting up python-asn1crypto (0.22.0-2+ubuntu14.04.1+certbot+1) …

Setting up python-certifi (2017.4.17-2+ubuntu14.04.1+certbot+1) …

Setting up python-cffi-backend (1.10.0-0.1+ubuntu14.04.1+certbot+1) …

Setting up python-pkg-resources (33.1.1-1+certbot~trusty+1) …

Setting up python-chardet (3.0.4-1+ubuntu14.04.1+certbot+2) …

Setting up python-enum34 (0.9.23-1) …

Setting up python-idna (2.5-1+ubuntu14.04.1+certbot+1) …

Setting up python-ipaddress (1.0.17-1+certbot~trusty+1) …

Setting up python-cryptography (1.9-1+ubuntu14.04.1+certbot+2) …

Setting up python-openssl (17.3.0-1~0+ubuntu14.04.1+certbot+1) …

Setting up python-urllib3 (1.21.1-1+ubuntu14.04.1+certbot+1) …

Setting up python-requests (2.18.1-1+ubuntu14.04.1+certbot+1) …

root@helpdesk:~# certbot --version || /path/to/certbot-auto --version

certbot 0.26.1

Thanks Glenn

You didn’t upgrade to Ubuntu 16.04… I hope…

Have you run “apt-get update” recently?

Edit: You already answered that question…

Edit: I’m not sure what to do. I’m curious to see:

which certbot
dpkg -l certbot python-certbot python3-certbot
apt list --upgradable
apt-cache policy certbot
apt-cache show certbot

Thanks Again. I have run the requested

root@helpdesk:~# which certbot
/usr/bin/certbot
root@helpdesk:~# dpkg -l certbot python-certbot python3-certbot
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-====================================-=======================-=======================-==============================================================================
ii certbot 0.26.1-1+ubuntu14.04.1+ all automatically configure HTTPS using Let’s Encrypt
ii python3-certbot 0.26.1-1+ubuntu14.04.1+ all main library for certbot
dpkg-query: no packages found matching python-certbot

root@helpdesk:~# apt list --upgradable

Listing… Done

root@helpdesk:~# apt-cache policy certbot

certbot:

Installed: 0.26.1-1+ubuntu14.04.1+certbot+2

Candidate: 0.26.1-1+ubuntu14.04.1+certbot+2

Version table:

*** 0.26.1-1+ubuntu14.04.1+certbot+2 0

500 http://ppa.launchpad.net/certbot/certbot/ubuntu/ trusty/main amd64 Packages

100 /var/lib/dpkg/status

root@helpdesk:~# apt-cache show certbot

Package: certbot

Source: python-certbot

Priority: optional

Section: web

Installed-Size: 86

Maintainer: Debian Let’s Encrypt <team+letsencrypt@tracker.debian.org>

Architecture: all

Version: 0.26.1-1+ubuntu14.04.1+certbot+2

Replaces: letsencrypt

Suggests: python3-certbot-apache, python3-certbot-nginx, python-certbot-doc

Provides: letsencrypt

Depends: python3-certbot (= 0.26.1-1+ubuntu14.04.1+certbot+2), init-system-helpers (>= 1.13~), python3:any

Breaks: letsencrypt (<= 0.6.0)

Filename: pool/main/p/python-certbot/certbot_0.26.1-1+ubuntu14.04.1+certbot+2_all.deb

Size: 21050

MD5sum: 3161437986b941a00356b43cef519ffa

SHA1: ca98f13a490773c398aad636fca83f6b145d7773

SHA256: 71aeb29f4366d0fa8314c59b832b460844602c5c7d96ffff8f09fa4b88d80d2a

Description-en: automatically configure HTTPS using Let’s Encrypt

The objective of Certbot, Let’s Encrypt, and the ACME (Automated

Certificate Management Environment) protocol is to make it possible

to set up an HTTPS server and have it automatically obtain a

browser-trusted certificate, without any human intervention. This is

accomplished by running a certificate management agent on the web

server.

.

This agent is used to:

.

  • Automatically prove to the Let’s Encrypt CA that you control the website

  • Obtain a browser-trusted certificate and set it up on your web server

  • Keep track of when your certificate is going to expire, and renew it

  • Help you revoke the certificate if that ever becomes necessary.

.

This package contains the main application, including the standalone

and the manual authenticators.

Description-md5: 144b1c4e5711bc50cb475059cff489cc

Thanks

Glenn

EDIT sorry, ignore the previous version of this post if you saw it - I misread your question.

Note that you don’t strictly need to upgrade to 0.28 - 0.26 should be able to use HTTP-01 just fine, it just doesn’t do so by default when used with Apache (or Nginx, or standalone). You can try running certbot renew --dry-run to verify that it works - it will run a test against the staging server, where TLS-SNI-01 is already disabled, so this can be used to simulate what will happen when it’s disabled on the live server.

1 Like

That’s true – upgrading isn’t necessary to take care of the TLS-SNI issue, but it concerns me that it’s not upgrading.

Can you run “apt-get update” and then “apt-cache policy certbot” again?

1 Like

Thanks guys for your help here.

Running “apt-get update” and then “apt-cache policy certbot” again I get

root@helpdesk:~# apt-cache policy certbot
certbot:
Installed: 0.26.1-1+ubuntu14.04.1+certbot+2
Candidate: 0.28.0-1+ubuntu14.04.1+certbot+4
Version table:
0.28.0-1+ubuntu14.04.1+certbot+4 0
500 http://ppa.launchpad.net/certbot/certbot/ubuntu/ trusty/main amd64 Packages
*** 0.26.1-1+ubuntu14.04.1+certbot+2 0
100 /var/lib/dpkg/status

I am a tad confused, as the email gives a link, How to stop using TLS-SNI-01 with Certbot, which says you need to be on 0.28 or higher. To keep this running on 0.26.1, do I just need to run the command from the linked page?

sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"

Running the dry run does seem to suggest it would complete, as it does seem to suggest it’s using http

http-01 challenge for helpdesk.pdjitsupport.co.uk

Waiting for verification…

Cleaning up challenges

Would be nice to know though why it will not upgrade to 0.28

Many thanks again

Glenn

1 Like

Before it said:

Now it says:

Try "apt-get upgrade" again? It looks like it finally wants to upgrade.

That's good. :smile:

The Apache, Nginx and standalone plugins support both HTTP-01 and TLS-SNI-01. In 0.26.1, when the CA supports both, Certbot prefers TLS-SNI-01 by default. In 0.28.0, it prefers HTTP-01.

Let's Encrypt has disabled TLS-SNI-01 on the staging environment, so --dry-run will use HTTP-01 even in 0.26.1. If it works, you should be okay even with 0.26.1 even after Let's Encrypt disables TLS-SNI-01 in production.

1 Like
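An added example (not part of any post in this thread, and not Certbot's own tooling): a shell check that lists the renewal configs whose pref_challs line still names tls-sni-01, plus the same substitution as the sed command quoted earlier in the thread, here keeping a .bak copy. The directory default is the path from that command; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Certbot renewal configs for a pinned TLS-SNI-01 challenge.
# Function names are hypothetical; the default path is the one used by the
# sed command quoted in this thread.

# Print every *.conf in directory $1 whose pref_challs line names tls-sni-01.
list_tls_sni_pinned() {
    dir="$1"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -q '^pref_challs.*tls-sni-01' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Rewrite tls-sni-01 to http-01 on pref_challs lines only (same substitution
# as the thread's sed command), keeping the original as <file>.bak.
fix_tls_sni_pinned() {
    dir="$1"
    list_tls_sni_pinned "$dir" | while IFS= read -r f; do
        cp -p "$f" "$f.bak" &&
        sed -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/' "$f.bak" > "$f"
    done
}

# Constructed sample data (not from the thread): one config pinned to
# TLS-SNI-01 and one already on HTTP-01, written to a temporary directory.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '[renewalparams]\nauthenticator = apache\npref_challs = tls-sni-01,\n' \
        > "$d/old.example.conf"
    printf '[renewalparams]\nauthenticator = apache\npref_challs = http-01,\n' \
        > "$d/new.example.conf"
    printf '%s\n' "$d"
}

# Report only: nothing is modified unless fix_tls_sni_pinned is called.
list_tls_sni_pinned "${RENEWAL_DIR:-/etc/letsencrypt/renewal}"
```

Empty output means no renewal config pins TLS-SNI-01; after any change, certbot renew --dry-run, as suggested in the thread, confirms that renewal still works.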

Thanks mnordhoff

Clearly it does not want to play our game as it’s still running 0.26.1 after apt-get update && apt-get upgrade. :slight_smile:

Received an email from mbaiti. Not sure why it is not showing up in this thread. Did these steps and it’s fixed it

apt-get update && apt-cache policy certbot

sudo apt-get --with-new-pkgs upgrade (because certbot was kept back)

and after that certbot --version || /path/to/certbot-auto --version says:
certbot 0.28.0

Thanks all for the help

Glenn

1 Like

Big thanks, that did it! I wish Letsencrypt had their update procedure and instructions in better order. Wasted some time here...

The following instructions from Letsencrypt need a rewrite:

  1. Don't assume that the reader has any clue at all about what "TLS-SNI-01" means.
  2. Add an explicit instruction at the top on how to check if anything at all needs to be done.
  3. Reference upgrade instructions that actually work (see above).
  4. Don't assume that the reader has any clue where to modify the "renewal configuration". The suggested locations elsewhere are all non-existent.

On to the next hurdle - I haven't yet figured out if I need to do anything at all for things to continue working after 13th February or later in March... does anyone have a clue about that?

You should open a new (separate) topic for that.
