Which version of Python is needed for LetsEncrypt

You can get a single certificate with up to 100 different hostnames. A subdomain counts just as a hostname, so you could include all 4 hostnames and have room for 96 more. No wildcard cert required.

A certificate for just app.example.com will NOT work for www.app.example.com (although some browsers, Chrome I believe, does actually accept a cert without the www subdomain for hosts with the www subdomain).

See above.

5 Likes

Thanks Osiris.
I have one more question. In the crontab file, I have to use like this?

0 0 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --quiet

(with python command) or I can simply use like this?

0 4 * * * certbot renew --quiet

In the tutorials, it is mentioned like using python? It has to be done? What is the reason?

Thanks

1 Like

You want to include some kind of random delay instead of always starting at the exact same time.

7 Likes

Thanks rg305. Why would I need this? Can I start at exact time? Any problem with that? Or Can I use both commands?

Right now, I am using both commands. Any problem with that?

Here is part of the reason Brief overloads at midnight UTC (a request for help!)

7 Likes

When you install from pip, it will install the most recent version of Certbot that is compatible with the active Python version - which may be from the system, a user, or a virtual environment.

Usually not. Most of the work in recent Certbot releases (aside from "housekeeping" and under-the hood tooling) have been improving DNS plugins and web server configuration. There have been very little changes to the LetsEncrypt API, and few are expected. Certbot installations should be able to renew and obtain certificates for many years.

If Certbot has a problem installing a Certificate, and you don't know how fix it yourself, upgrading to a newer version of Certbot will usually address the problem.

7 Likes

hmm...
If you choose non-overlapping times and less often, I think that logic could be "reasonable".
[not recommended, but sometimes "both" is a better option than "left" or "right"?]
The recommended choice is by using a random start time.

5 Likes

I would just use the recommended command with the pause. And not use 2. There is no reason to do so.

3 Likes

Currently, I have 3 versions of Python installed Version 2, 3.6.8 & 3.9. Should I remove the older versions?

You can read about managing multiple versions of python here Managing Multiple Python Versions With pyenv – Real Python

2 Likes

Generally, no.

In situations like that, usually one or two are installed by your Operating System and packages depend on them. Removing or altering them in any way can seriously break things. The third is usually user-installed because something requires a more recent version.

I would guess that 2.7 and 3.6 are system managed, and you somehow installed 3.9 yourself. Python doesn't take up much space, and the potential to break things and require a complete server reinstall is quite large.

7 Likes

@Osiris Hi, I tried to install via PIP on Centos 8 Stream. The version installed is 1.22.0 Why is it not installing the latest version, 1.30.0 ?

When I try with snap, it is installing 1.30.0 on Ubuntu.

Thanks

1 Like

I don't know right now. Did you uninstall the previously installed Certbot before you installed Certbot using pip?

4 Likes

@Osiris When I request a certificate from VPS server or by Cloudflare, how 'Let's Encrypt' verifies the ownership of a domain? That, the domain belongs to that particular VPS server or Cloudflare account?

Thanks

1 Like

Each of your Python installations has their own pip to manage their own set of compatible packages. You have 3 versions of python, so you have 3 versions of pip.

On linux-like machines, you can use these commands to see which are the active versions:

# show the version number
python --version

# show the active python
which python

# shows both the version number and active path
pip --version

If 1.22.0 installed, the active Python version for your environment is probably the 3.6.8 version and not the 3.9 version. You will have to modify your environment variables to prefer the 3.8 release.

Support for Python3.6 was dropped in Certbot 1.24.0, so 1.23.0 should have installed. Perhaps you had it cached somewhere.

See:

6 Likes

Thanks @jvanasco I installed Python 3.9 and now it installed Certbot ver 1.30.0

2 Likes

Which way to renew?

'certbot renew -q' or 'certbot renew --quiet'

I run on nginx. Should I add --nginx like certbot renew --quiet --nginx

Is it required?

Those are equivalent.

No. Once you obtain the cert, certbot will remember the options you used for that cert.

7 Likes

Why Lets Encrypt SSL certificates are limited to 3 months? I see SSL certificates can be valid up to 397 days. Why they limit it?