Accidentally removed *2.pem after "letsencrypt-auto renew"


#1

cert1.pem is expiring soon. It has been a while since I updated the cert.
I ran letsencrypt-auto renew successfully,
then removed the new *2.pem instead of *1.pem.
Now I need to get back the removed *2.pem certs.
Can anyone advise how to do this?
If not, how do I regenerate a new cert for the current host?

Please fill out the fields below so we can help you better.

My domain is: knnubt06oc.kuenn.co

I ran this command: /opt/letsencrypt/letsencrypt-auto renew

It produced this output:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/knnubt06oc.kuenn.co.conf
-------------------------------------------------------------------------------
target /etc/letsencrypt/archive/knnubt06oc.kuenn.co/cert2.pem of symlink /etc/letsencrypt/live/knnubt06oc.kuenn.co/cert.pem does not exist
Renewal configuration file /etc/letsencrypt/renewal/knnubt06oc.kuenn.co.conf is broken. Skipping.

No renewals were attempted.

Additionally, the following renewal configuration files were invalid:
  /etc/letsencrypt/renewal/knnubt06oc.kuenn.co.conf (parsefail)
0 renew failure(s), 1 parse failure(s)

My operating system is (include version): Ubuntu 16.04.1 LTS

My web server is (include version): nginx version: nginx/1.10.0 (Ubuntu)

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

If you still have the private key, you can download the certificates from crt.sh (search for your domain name).

Alternatively, you can just generate a new certificate (as you did in the beginning, rather than with a renew). As you have found out, you shouldn’t just delete certs from the /etc/letsencrypt area though (they take up minimal space anyway).


#3

As @serverco says, the certificate is publicly available so you could try to download it in PEM format and recreate that file.

If you choose to generate a completely new certificate instead, you may need to delete all of the associated files from /etc/letsencrypt to stop Certbot from getting confused about what already exists; or you could try to make cert2.pem be a copy of cert1.pem to temporarily make Certbot think that it already exists. (This second approach might not work depending on your web server configuration and what authentication method Certbot is using, because the web server won’t necessarily be fooled by this and might refuse to serve the domain.)

One reason that deleting individual files from under /etc/letsencrypt is risky is the way it can confuse Certbot about what versions already exist.

If you try something and it doesn’t work, you can let us know here and we can try to help you debug the situation further.
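
The "target ... of symlink ... does not exist" error in the first post comes from a link under live/ whose file in archive/ is gone. As an added example (not part of the thread and not Certbot's own code), this script lists such dangling links so you can see exactly which files need restoring; the sample tree and the lineage name example.test are constructed, and the relative link layout is assumed to match a default Certbot install.

```shell
#!/bin/sh
# Added example: list dangling symlinks in a Certbot-style config directory.

# find_dangling CONFIG_DIR
# Prints "<lineage> <link> -> <missing file>" for each link under live/
# whose target no longer exists.
find_dangling() {
    config_dir=$1
    for link in "$config_dir"/live/*/*.pem; do
        [ -L "$link" ] || continue            # skip non-links and an unmatched glob
        if [ -e "$link" ]; then continue; fi  # -e follows the link: target is present
        lineage=$(basename "$(dirname "$link")")
        missing=$(basename "$(readlink "$link")")
        printf '%s %s -> %s\n' "$lineage" "$(basename "$link")" "$missing"
    done
    return 0
}

# make_sample_tree: build a constructed live/ + archive/ tree in a temp
# directory, delete cert2.pem as in the thread, and print the tree's path.
make_sample_tree() {
    root=$(mktemp -d)
    name=example.test                         # constructed lineage name
    mkdir -p "$root/live/$name" "$root/archive/$name"
    for kind in cert chain fullchain privkey; do
        : > "$root/archive/$name/${kind}1.pem"
        : > "$root/archive/$name/${kind}2.pem"
        ln -s "../../archive/$name/${kind}2.pem" "$root/live/$name/$kind.pem"
    done
    rm "$root/archive/$name/cert2.pem"        # simulate the accidental deletion
    printf '%s\n' "$root"
}

# Demo on the constructed tree only; nothing under /etc is touched.
sample=$(make_sample_tree)
find_dangling "$sample"
rm -rf "$sample"
```

On a real host, call `find_dangling /etc/letsencrypt` as root instead of using the sample tree.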

