
I have a server with a Let's Encrypt certificate installed with certbot. I want to renew it with the following command: `sudo certbot renew --force-renewal`

but I get an error:

```text
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Attempting to renew cert (mydomain) from /etc/letsencrypt/renewal/mydomain.conf produced an unexpected error: Invalid version. The only valid version for X509Req is 0.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
```

I have Ubuntu 20.04.4 LTS, Python 3.8.10. What should I do?

Grigorii
  • check `X509Req` in `/etc/letsencrypt/renewal/mydomain.conf`? – Gerald Schneider Jun 01 '23 at 16:56
  • Here are the contents of the conf file: `# renew_before_expiry = 30 days version = 0.40.0 archive_dir = /etc/letsencrypt/archive/my domain cert = /etc/letsencrypt/live/my domain/cert.pem privkey = /etc/letsencrypt/live/my domain/privkey.pem chain = /etc/letsencrypt/live/my domain/chain.pem fullchain = /etc/letsencrypt/live/my domain/fullchain.pem # Options used in the renewal process [renewalparams] account = [my account] pref_challs = http-01, authenticator = standalone server = https://acme-v02.api.letsencrypt.org/directory` – Grigorii Jun 01 '23 at 18:24

1 Answer


I had the same problem in Ubuntu 18.04 and it was caused by the pyOpenSSL 23.2.0 version. After downgrading to 23.1.1 it worked again:

```bash
pip3 install pyOpenSSL==23.1.1
```

  • Yes, looks like this bug: https://github.com/certbot/certbot/issues/9722. The problem is that although `csr.set_version(0)` is used [since `acme-v1.29.0`](https://github.com/certbot/certbot/commit/dedbdea1d9854761df9ba28d26e368bdd78d72c9), because since `acme==1.24.0` there is a dependency on `Python >=3.7`, the latest `acme` version which can be installed with Python 3.6 is `acme-1.23.0`. – Paul Tobias Jul 31 '23 at 02:21
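
As a check for the version mismatch that the answer and its comment describe, the following added example (not part of the original answer or of certbot's own code) reads the installed pyOpenSSL and acme versions and reports whether they fall in the failing range. The function names, and the treatment of pyOpenSSL releases after 23.2.0 as keeping the same check, are assumptions of this example.

```python
# Added example: flag the pyOpenSSL/acme combination described in this thread.
from importlib import metadata  # standard library since Python 3.8

# Thresholds taken from the thread: pyOpenSSL 23.2.0 rejects CSR versions other
# than 0, and acme calls csr.set_version(0) since 1.29.0.
PYOPENSSL_STRICT = (23, 2, 0)  # assumption: later releases keep the check
ACME_FIXED = (1, 29, 0)


def parse_version(text):
    """Turn '23.2.0' or '0.40.0.dev0' into a comparable tuple of three ints."""
    parts = []
    for piece in text.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(pyopenssl_version, acme_version):
    """True when a strict pyOpenSSL is paired with an acme that predates the fix."""
    return (parse_version(pyopenssl_version) >= PYOPENSSL_STRICT
            and parse_version(acme_version) < ACME_FIXED)


def installed_version(dist_name):
    """Version string of an installed distribution, or None if it is absent."""
    try:
        return metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return None


def diagnose():
    """Report on the interpreter this script runs under."""
    ossl, acme = installed_version("pyOpenSSL"), installed_version("acme")
    if ossl is None or acme is None:
        return "pyOpenSSL={} acme={}: cannot evaluate, package missing".format(ossl, acme)
    verdict = "AFFECTED" if is_affected(ossl, acme) else "not affected"
    return "pyOpenSSL={} acme={}: {}".format(ossl, acme, verdict)


if __name__ == "__main__":
    print(diagnose())
```

Run it with the same Python interpreter that certbot uses, since a pip-installed pyOpenSSL can shadow the distribution's package.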