geerlingguy/ansible-role-certbot

certbot-auto is being deprecated and does not work on Ubuntu 18.04.5

smacz42 opened this issue · 10 comments

Per certbot/certbot#7941 (comment) the certbot-auto functionality is being deprecated and does not work on 20.04:

TASK [certbot : Generate new certificate if one doesn't exist.] ****************
fatal: [hostname]: FAILED! => {
"changed": true,
"cmd": [
"/opt/certbot/certbot-auto",
"certonly",
"--standalone",
"--noninteractive",
"--agree-tos",
"--email",
"user@example.com",
"-d",
"example.com"
],
"delta": "0:00:00.030074",
"end": "2020-12-02 02:34:37.844875",
"rc": 1,
"start": "2020-12-02 02:34:37.814801"
}

STDOUT:

Skipping bootstrap because certbot-auto is deprecated on this system.
WARNING: couldn't find Python 2.7+ to check for updates.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.

This happens when called with certbot_install_from_source: False on Debian systems. Right now it looks like the certbot version is 0.27.0-1 in the Ubuntu repos for 18.04.5.

See: https://community.letsencrypt.org/t/certbot-1-10-0-release/139518

This also happens with certbot_install_from_source: True

The new recommended way of installing certbot is explained in this thread: https://community.letsencrypt.org/t/certbot-auto-no-longer-works-on-debian-based-systems/139702/7

From the new recommended way.

How do I install Certbot now?
The way we recommend most users install Certbot is through snaps.

I'm not a big fan of snaps, but I guess that means a new task: install via snap?

Similar issue for CentOS 8. IETF also recommends snap as install method apparently... https://certbot.eff.org/lets-encrypt/centosrhel8-apache
😕

I've come up with this little workaround. It's hacky.

Also remove any use of the --standalone flag in your commands and use --apache.

I don't understand why the certbot_dir and certbot_script variables can't be overridden (on cert creation etc.), so that's why I've done the following. (On Ubuntu 18.)

# install snap certbot
- hosts: build
  tasks:
    - name: Install from apt
      apt:
        name: "{{ packages }}"
        state: present
      vars:
        packages:
          - certbot
          - snapd
          - apache2
    - name: "Install snap core"
      snap:
        name:
          - core
    - name: "Install snap certbot"
      snap:
        name: certbot
        classic: yes
    - name: "Rename old"
      # Move the apt-installed binary aside; 'creates' keeps this idempotent on re-runs.
      command: mv /usr/bin/certbot /usr/bin/certbot.old
      args:
        creates: /usr/bin/certbot.old
    - name: "Create link"
      file:
        path: /usr/bin/certbot
        src: /snap/bin/certbot
        state: link

Yeah... this is happening on CentOS 7 too.

TASK [geerlingguy.certbot : Generate new certificate if one doesn't exist.] ********************************************
fatal: [servercheck.in]: FAILED! => {"changed": true, "cmd": ["/opt/certbot/certbot-auto", "certonly", "--standalone", "--noninteractive", "--agree-tos", "--email", "webmaster@midwesternmac.com", "-d", "servercheck.in"], "delta": "0:00:00.234317", "end": "2021-01-19 10:07:34.164997", "msg": "non-zero return code", "rc": 1, "start": "2021-01-19 10:07:33.930680", "stderr": "", "stderr_lines": [], "stdout": "Skipping bootstrap because certbot-auto is deprecated on this system.\nYour system is not supported by certbot-auto anymore.\nCertbot cannot be installed.\nPlease visit https://certbot.eff.org/ to check for other alternatives.", "stdout_lines": ["Skipping bootstrap because certbot-auto is deprecated on this system.", "Your system is not supported by certbot-auto anymore.", "Certbot cannot be installed.", "Please visit https://certbot.eff.org/ to check for other alternatives."]}

How annoying. Snaps are dumb :P

On CentOS 7, I installed snap and then installed certbot. Highly annoying:

# Oh snap.
sudo yum install snapd  # Requires EPEL
sudo systemctl enable --now snapd.socket
sudo ln -s /var/lib/snapd/snap /snap  # Enable classic snap support

# Install certbot.
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

# Get a cert.
sudo certbot certonly --standalone --noninteractive --agree-tos --email 'email@example.com' -d example.com

# Test a renewal.
sudo certbot renew --dry-run
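The manual CentOS 7 steps above, rewritten as an idempotent Ansible play. This is an added example, not code from the geerlingguy.certbot role or from the thread; the host group name certbot_hosts, the certbot_email and certbot_domain values, and the `creates` path under /etc/letsencrypt/live are assumptions chosen for illustration. It assumes the EPEL repository is reachable, since snapd on CentOS 7 comes from there.

```yaml
# Added example (not the role's code): snap-based certbot install on CentOS 7.
- hosts: certbot_hosts            # hypothetical inventory group
  become: true
  vars:
    certbot_email: email@example.com   # constructed sample value
    certbot_domain: example.com        # constructed sample value
  tasks:
    - name: Ensure EPEL is present (snapd lives there on CentOS 7).
      yum:
        name: epel-release
        state: present

    - name: Install snapd.
      yum:
        name: snapd
        state: present

    - name: Enable and start the snapd socket.
      systemd:
        name: snapd.socket
        enabled: true
        state: started

    - name: Enable classic snap support via the /snap symlink.
      file:
        src: /var/lib/snapd/snap
        dest: /snap
        state: link

    - name: Install certbot from snap (classic confinement is required).
      snap:
        name: certbot
        classic: true

    - name: Link the snap binary where the role and cron jobs expect certbot.
      file:
        src: /snap/bin/certbot
        dest: /usr/bin/certbot
        state: link

    - name: Generate a certificate only if one does not exist yet.
      command: >
        certbot certonly --standalone --noninteractive --agree-tos
        --email {{ certbot_email }} -d {{ certbot_domain }}
      args:
        creates: /etc/letsencrypt/live/{{ certbot_domain }}/fullchain.pem

    - name: Test renewal without touching the live certificate.
      command: certbot renew --dry-run
      changed_when: false
```

The `creates` guard on the certonly task and `changed_when: false` on the dry run keep repeated runs from reporting spurious changes; the dry-run task is the cheap check that the snap-installed binary, not the deprecated certbot-auto, is the one on the path and can still talk to the ACME endpoint.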

Working on this in #142

For whoever got a veto on snap, I changed from certbot to lego. Writing a role to get the bin from GitHub etc. was quite easy. Got the same functionality in the end.

There's also acme.sh :)