How to update certbot to latest version on Ubuntu

Posted on 19th March 2020

Lets Encrypt has announced that, "Beginning June 1, 2020, we will stop allowing new domains to validate using the ACMEv1 protocol. You should upgrade to an ACMEv2 compatible client before then, or certificate issuance will fail. For most people, simply upgrading to the latest version of your existing client will suffice. You can view the client list at: https://letsencrypt.org/docs/client-options/ "

This article explains how to update certbot to latest version (0.31 at the time of writing this) on Ubuntu 16.04LTS.

If you are on non LTS version such as 17.10 these steps will not work. You have to either update your OS or find another client that complies.

My test machine is Ubuntu 16.04 LTS and runs Apache with certbot 0.21. You can check OS and certbot by following commands.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.3 LTS
Release:        16.04
Codename:       xenial

$ certbot --version
certbot 0.21.0

Now we need a higher version certbot that supports ACMEv2. Certbot can be updated as follows:

  • Step 1) Run apt-get update

    $ sudo apt-get update
    Hit:1 http://europe-west1.gce.archive.ubuntu.com/ubuntu xenial InRelease
    ---------------------------------------------
    Fetched 349 kB in 0s (593 kB/s)
    Reading package lists... Done
    
  • Step 2) Upgrade latest version of certbot

    $ sudo apt-get install --only-upgrade certbot
    This will upgrade only certbot package, and only if it is installed
    
    $ sudo apt-get install --only-upgrade certbot
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    ..........................................................................
    Setting up python-certbot-apache (0.31.0-1+ubuntu16.04.1+certbot+1) ...
    Setting up python3-icu (1.9.2-2build1) ...
    
  • Step 3) Verify new Certbot Version

    $ certbot --version
    certbot 0.31.0
    As you can see we are now at 0.31 whicch supports ACMEv2. However we need to do a trail run to verify that it is able to use ACMEv2
    
  • Step 4) Do a Dry Run

    $ sudo certbot renew --dry-run
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    .........................................................
    Cleaning up challenges
    
  • Step 5) Double check debug log to verify ACME server. You need to be logged in as root user to view letsencrypt logs.

    $ sudo su -
    # cd /var/log/letsencrypt/
    #sudo vi letsencrypt.log
    

If you search for "v02", you will be able to see entries for https://acme-staging-v02.api.letsencrypt.org/directory

DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.

Note that if you see only acme-staging-v01 then this means that the update has not worked as expected. If the update is successful, you will see requests to https://acme-staging-v02.api.letsencrypt.org/directory

Sometimes certbot upgrade may fail as below:

$ sudo apt-get install --only-upgrade certbot
Reading package lists... Done
Building dependency tree
Reading state information... Done
You might want to run 'apt-get -f install' to correct these:

If this happens you just need to run the following command.

$ sudo apt-get -f install

Post a comment

Comments

Nothing yet..be the first to share wisdom.