I renewed three certs today. Since all those are wildcards, I was using a manual method:
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d *.seeotter.tv -d seeotter.tv
I also yum updated certbot to 0.34.2
Everything went fine, although waiting for gandi.net to propagate DNS really takes a lot of time.
However, we have a couple of servers, and I had to xfr those certs to the other box. Previously (in March), I used tar to get the /etc/letsencrypt folder, and scp it to the other box. This time, I did the same. On the other box, I untarred it, swapped /etc/letsencrypt to the new one. Once I restarted httpd (systemctl), httpd couldn’t start, complaining about a missing file (privkey.pem, as it was listed as the first one in ssl.conf). The file was there. I compared the directory structure with ‘ls’ and ‘namei -mo’, but everything was exactly the same. I tried to disable SELinux (CentOS 7), but that didn’t help either. I tried to find something in the log files, but that also didn’t provide any clues.
Finally, I manually copied all new certs (privkey, fullchain, chain, cert) for all three domains to the old /etc/letsencrypt/archive directory and manually regenerated the symlinks in the live folder. That fixed the problem.
I have just done another test, where in the old folder structure, I tried to use the ‘original’ privkey.pem (that came from tar) and the copied one. With the original, httpd complained that the file was missing.
I cannot tell what the difference is between the file that came from tar and the one I copied. Of course, since I copied it, whatever permissions were given to this new file were based on this box and the local root user. Although, as far as I can tell, those files are identical (content, permissions, etc.-wise).
Again, this procedure worked in March. Something got changed afterwards, not sure whether due to yum updates, or certbot changes.
Thank you, Jacek
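The directory comparison described in the post, as an added shell check that is not part of the original post: it walks the live/ directory of a copied /etc/letsencrypt tree and reports, in one pass rather than one ‘namei -mo’ call per file, every certificate symlink that is missing, absolute, dangling or unreadable, and shows the SELinux label of each privkey.pem where ls -Z is available. The tree path argument, the demo_tree helper and its sample files are constructed for illustration.

```shell
#!/bin/sh
# check_letsencrypt_links ROOT
# Walks ROOT/live/*/*.pem the way certbot lays it out (live/ holds
# relative symlinks into archive/) and returns the number of problems
# found, so 0 means every link resolves to a readable file.
check_letsencrypt_links() {
    root="$1"
    bad=0
    for link in "$root"/live/*/*.pem; do
        # Skip the literal pattern when the glob matched nothing.
        [ -e "$link" ] || [ -L "$link" ] || continue
        if [ ! -L "$link" ]; then
            printf 'not a symlink (tar may have dereferenced it): %s\n' "$link"
            bad=$((bad + 1))
            continue
        fi
        target=$(readlink "$link")
        # certbot writes ../../archive/<name>/<file>N.pem; an absolute
        # target works in place but breaks if the tree is relocated.
        case "$target" in
            /*) printf 'absolute target: %s -> %s\n' "$link" "$target" ;;
        esac
        # -r follows the link, so a dangling link or one whose target the
        # caller cannot read is reported here.
        if [ ! -r "$link" ]; then
            printf 'dangling or unreadable: %s -> %s\n' "$link" "$target"
            bad=$((bad + 1))
        fi
    done
    # On an SELinux host (CentOS 7), show the label of the resolved key
    # files; the flag is harmless where ls lacks -Z, hence the fallback.
    ls -lLZ "$root"/live/*/privkey.pem 2>/dev/null || true
    return "$bad"
}

# demo_tree: builds a constructed sample tree in a temp dir with one
# good link (privkey.pem) and one dangling link (fullchain.pem), and
# prints its path. Not a real /etc/letsencrypt.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/archive/example.test" "$t/live/example.test"
    echo "constructed key material" > "$t/archive/example.test/privkey1.pem"
    ln -s ../../archive/example.test/privkey1.pem "$t/live/example.test/privkey.pem"
    ln -s ../../archive/example.test/fullchain1.pem "$t/live/example.test/fullchain.pem"
    printf '%s' "$t"
}

check_letsencrypt_links "$(demo_tree)" || echo "problems found: $?"
```

Run it as ‘check_letsencrypt_links /etc/letsencrypt’ on the receiving box right after untarring, before restarting httpd.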