Letsencrypt on Debian 10 – switching to new ‘snap’ based Certbot

Official instructions: https://certbot.eff.org/lets-encrypt/debianbuster-nginx

If you’ve upgraded a machine Debian 10 (Buster) or later you’ll see a warning like this:

/etc/cron.weekly/certbot:
Your system is not supported by certbot-auto anymore.
certbot-auto and its Certbot installation will no longer receive updates.
You will not receive any bug fixes including those fixing server compatibility
or security problems.
Please visit https://certbot.eff.org/ to check for other alternatives.

Certbot, the tool for updating Let’s Encrypt certificates, is now distributed via Snap.  If you haven’t heard of that, Snap is a new package format – the point is it’s more cross platform – so a single package will currently support Ubuntu, Debian, Fedora, Arch Linux, Manjaro, and CentOS/RHEL.  More details >

This means you need to:

then, typically you already have a weekly cron file that calls certbot to renew the certificates, and restarts your apache or nginx server (the latter step is important because otherwise it’ll keep serving a cached copy of the old certificate, which will eventually expire).

Here’s the (old) contents of my /etc/cron.weekly/certbot:

#!/bin/bash
/home/william/letsencrypt/certbot-auto renew
service nginx reload

You need to remove the line calling certbot-auto, but leave the one restarting nginx once a week.  You might choose to rename the cron file or add a comment to make it clearer to your future self why it’s needed.

Next, check snap is to up to date:

sudo snap install core; sudo snap refresh core

Install the certbot package:

sudo snap install --classic certbot

Then you can test a manual update either:

sudo certbot certonly --nginx

(on the interactive version you’re presented with a list of sites to choose from)

Finally, do a renewal “dry-run” to check for problems:

sudo certbot renew --dry-run

The key points about dry-runs:

  • they use the Let’s Encrypt staging environment, so you don’t hit rate limits
  • therefore, real certificates aren’t requested or saved
  • it’s basically testing that Let’s Encrypt end is able successfully handshake with your server, can write files to correct places etc.

Renewals

Renewals can use one of three methods: crontab, cron files or systemctl timers.

On the servers I’ve installed so far, certbot has automatically setup a timer. You can verify it has by running systemctl as follows:

$ systemctl list-timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Mon 2021-02-15 12:12:00 GMT 1h 43min left Mon 2021-02-15 07:57:03 GMT 2h 31min ago snap.certbot.renew.timer snap.certbot.renew.service
```

So certificate refreshes will happen automatically, but remember you need to handle regularly restarting your web server (and weekly is as good an interval as any to do that).

Here’s another link to the documentation:
https://certbot.eff.org/lets-encrypt/debianbuster-nginx