Will the changes at Certbot/snap/LE between now and 3/31/2026 mean a re-do of Certbot?

My domain is: mymachine.twilightparadox.com

I ran this command: certbot renew --dry-run

It produced this output: "Port in use"

My web server is (include version): None (N/A)

The operating system Asterisk runs on is (include version): Debian 10.5

My hosting provider, if applicable, is: None

I can login to a root shell on my machine: yes

I'm using a control panel to manage my site: no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 5.2.2

I have an installation of Certbot that stopped working sometime 5/25. After wiping Certbot and re-installing, it APPEARS to be working with ECDSA (was RSA). Will it stop working & require a re-do?

FWIW I do NOT have a web server & only want to run TLS as a client. I haven't found anyone at Asterisk or LE that has been a help.

1 Like

Given I tried to help in their last thread I don't plan to suggest anything here.

I recommend anyone wishing to help visit the previous thread first:

3 Likes

Then why do you need a certificate by Certbot?

2 Likes

From what I understand, these upcoming changes shouldn’t require a full reinstallation or re-do of Certbot in most cases. Usually, Certbot updates are handled through normal package updates, especially if it’s installed via snap.
The “port in use” message during a dry run often points more toward a service (like a web server or another process) already binding to port 80 or 443, rather than an issue caused by future Certbot changes.
It might be worth checking which service is currently using the port and whether Certbot is configured to run in standalone mode or alongside an existing service. As long as renewals are working and the client is kept updated, major disruptions are unlikely.

1 Like
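Added example, not part of any post in this thread: one way to run the check suggested above, by listing what is listening on port 80 and reading which authenticator certbot recorded for the renewal. The sample `ss` output and the process names in it are constructed; the renewal file location is certbot's usual `/etc/letsencrypt/renewal/<name>.conf`.

```shell
#!/usr/bin/env bash
# Added example: identify what holds the port behind certbot's "Port in use" error.

# Constructed sample of `ss -Hltnp` output; processes and PIDs are hypothetical.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=612,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("lighttpd",pid=844,fd=4))
LISTEN 0 511 [::]:80 [::]:* users:(("lighttpd",pid=844,fd=5))
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:* users:(("python3",pid=990,fd=6))'

# listeners_on_port PORT
# Reads `ss -Hltnp` lines on stdin and prints "name pid" once per process
# listening on exactly PORT (8080 must not match 80; IPv6 "[::]:80" must).
listeners_on_port() {
    awk -v port="$1" '
        {
            n = split($4, a, ":")          # $4 = local addr; port follows last ":"
            if (a[n] != port) next
            if (match($0, /\(\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART + 3, RLENGTH - 3)   # name",pid=NNN
                split(s, p, "\",pid=")
                key = p[1] " " p[2]
            } else {
                key = "unknown -"          # ss hides the owner unless run as root
            }
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# renewal_authenticator FILE
# Prints the authenticator recorded in a certbot renewal config
# (normally /etc/letsencrypt/renewal/<name>.conf), e.g. "standalone".
renewal_authenticator() {
    sed -n 's/^authenticator[[:space:]]*=[[:space:]]*//p' "$1"
}

if [ "${1:-}" = "--live" ]; then
    ss -Hltnp | listeners_on_port 80       # run as root to see process names
else
    printf '%s\n' "$SAMPLE_SS" | listeners_on_port 80    # prints: lighttpd 844
fi
```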

No one has been able to tell me if I do or don't. I read where LE will stop offering the client cert. Does this mean scrap everything??

You would know it if you need TLS client certificates.

Or you're not actually familiar with what TLS client certificates are exactly.

Please explain how you're using Asterisk.

2 Likes

Using Asterisk to dial nums thru Telnyx (TLS). Right now I have internet -> port 10005 on router forwarding to port 80 on Asterisk and it appears to be working.

Have you ever done anything else with Certbot beyond just getting a certificate? I.e., is ANYTHING actually USING the certificate? Did you or someone else ever configure Asterisk to use the cert?

[transport_tls]
type=transport
protocol=tls
local_net=n.n.n.n
bind=n.n.n.n:5587
cert_file=/etc/letsencrypt/live/mymachine.twilightparadox.com/fullchain.pem
priv_key_file=/etc/letsencrypt/live/mymachine.twilightparadox.com/privkey.pem
external_signaling_address=mymachine.twilightparadox.com
external_media_address=mymachine.twilightparadox.com
method=tlsv1_2
ca_list_path=/etc/ssl/certs/
verify_server=yes

All I really know is if I leave out the priv_key line & the cert_file then Asterisk complains.

Hmkay. But that's port 5587. What's Asterisk doing with that port? I can't connect to it from the web, maybe you can internally?

Port 5587 is the port SIP packets come in on.

OK, sounds important :stuck_out_tongue: Doesn't sound like a client certificate in that case though. It suggests it's listening on that port, not an outgoing TLS client.

1 Like

My mistake. I tried commenting out those two lines & nothing "ugly" happened. Might I not need fullchain though??

I wouldn't comment it out, as it has protocol=tls configured.

Just leave it as it is.

1 Like

Thank you for looking.

Hmmm . . .

This makes me pause about the client certificate

Based on this

Continuing the discussion from New "Y" Root and Intermediate Hierarchy:

But then again I might be misreading it all.

2 Likes

Affirmative. I gave up on Flowroute.

1 Like
