Archive deleted, dry run works, live fails, hit ratelimit

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
sudo certbot certonly --manual --preferred-challenges=dns -d volo-fit.com -d workouts.volo-fit.com
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Certificate is due for renewal, auto-renewing...
Renewing an existing certificate for volo-fit.com and workouts.volo-fit.com
An unexpected error occurred:
FileExistsError: [Errno 17] File exists: '/etc/letsencrypt/archive/volo-fit.com/privkey2.pem'
My web server is (include version):
n/a
The operating system my web server runs on is (include version):
Ubuntu 20.04
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.18.0

Following directions left by my predecessor, I logged into the machine and executed
sudo rm -r /etc/letsencrypt/archive/volo-fit.com
sudo cp -Rp /etc/letsencrypt/live/volo-fit.com /etc/letsencrypt/archive/

I believe certbot self-maintains this archive directory; I believe he thought he was doing it. However, trying to move on...
sudo certbot certonly --manual --preferred-challenges=dns -d volo-fit.com -d workouts.volo-fit.com --dry-run

This produces the DNS changes to make and after making them, it says the dry run was successful.

Then I take out the dry-run part and get the error:
FileExistsError: [Errno 17] File exists: '/etc/letsencrypt/archive/volo-fit.com/privkey2.pem'

I backed up the /etc/letsencrypt directory (I know, too late). Then based on some other support entries, I tried a few things but they all gave me errors in regards to missing .pem files or pem files that are present. Then I hit the rate-limit of 5 attempts on the same hosts.

Now I have 8 days to renew my cert, a 7 day ban, and because the dry-run works but live fails, I have only 5 tries left to succeed. I'm willing to start over but I worry just clearing it and reinstalling certbot won't do what I need. Help?

Thank you in advance - John

I believe you are correct.

The issue is from the bad instructions from your predecessor, specifically these 2 lines:

sudo rm -r /etc/letsencrypt/archive/volo-fit.com
sudo cp -Rp /etc/letsencrypt/live/volo-fit.com /etc/letsencrypt/archive/

/etc/letsencrypt/archive is a directory that uses this structure, and contains every cert you've been issued with a numerical version id suffix:

`/etc/letsencrypt/archive/{MAIN_DOMAIN}/cert{ID}.pem`
`/etc/letsencrypt/archive/{MAIN_DOMAIN}/chain{ID}.pem`
`/etc/letsencrypt/archive/{MAIN_DOMAIN}/fullchain{ID}.pem`
`/etc/letsencrypt/archive/{MAIN_DOMAIN}/privkey{ID}.pem`

/etc/letsencrypt/live is a directory that uses this structure, and links to the most recent corresponding cert in /archive:

`/etc/letsencrypt/live/{MAIN_DOMAIN}/cert.pem`
`/etc/letsencrypt/live/{MAIN_DOMAIN}/chain.pem`
`/etc/letsencrypt/live/{MAIN_DOMAIN}/fullchain.pem`
`/etc/letsencrypt/live/{MAIN_DOMAIN}/privkey.pem`
`/etc/letsencrypt/live/{MAIN_DOMAIN}/README`

If I were in your situation, I would take a look at exactly what is in the archive folder.

ls -al /etc/letsencrypt/archive

There is a chance there are some salvageable files.

If so, archive them.

Then,

  1. completely empty out /etc/letsencrypt/archive/volo-fit.com
  2. completely empty out /etc/letsencrypt/live/volo-fit.com

That should let Certbot move forward; if not, you may need to touch the expected files in /archive and link to them in /live.

To get around the certificate limit:

The duplicate limit is based on the EXACT same certificate. To get around this, you just need to set up a new domain and add it to the acme order. In this example, I added workouts2.volo-fit.com:

sudo certbot certonly --manual --preferred-challenges=dns -d volo-fit.com -d workouts.volo-fit.com -d workouts2.volo-fit.com
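The archive/live layout described in this answer can be checked mechanically before retrying a renewal. The following script is an added example, not code from the thread or from Certbot itself; it assumes the standard /etc/letsencrypt layout and that a lineage is clean when every live/ link resolves into archive/ and archive/ holds only numbered regular files. The make_sample helper builds a constructed lineage so the check can be exercised offline.

```shell
# Added example, not from the thread: sanity-check one certbot lineage against the
# layout above. Every live/<name>/*.pem must be a symlink resolving into
# archive/<name>/, and archive/<name>/ must hold only numbered regular files
# (cert1.pem, privkey2.pem, ...). Copying live/ into archive/ breaks both rules.
# Usage: check_lineage /etc/letsencrypt volo-fit.com
KINDS="cert chain fullchain privkey"

# next_version CONF_DIR NAME -> highest archive ID + 1 (the file certbot writes next)
next_version() {
  latest=$(ls "$1/archive/$2" 2>/dev/null | sed -n 's/^[a-z]*\([0-9][0-9]*\)\.pem$/\1/p' | sort -n | tail -1)
  echo $(( ${latest:-0} + 1 ))
}

# check_lineage CONF_DIR NAME -> prints each problem; exit status 0 only if clean
check_lineage() {
  dir="$1"; name="$2"; rc=0
  for f in $KINDS; do
    link="$dir/live/$name/$f.pem"
    if [ ! -L "$link" ]; then
      echo "BAD: $link is not a symlink (plain copy, or missing)"; rc=1; continue
    fi
    target=$(readlink "$link")
    case "$target" in
      */archive/"$name"/"$f"[0-9]*.pem) ;;
      *) echo "BAD: $link -> $target does not point into archive/$name/"; rc=1 ;;
    esac
    [ -e "$link" ] || { echo "BAD: $link -> $target is dangling (archive file deleted?)"; rc=1; }
  done
  [ -d "$dir/archive/$name" ] || { echo "BAD: archive/$name/ is missing"; rc=1; }
  for entry in "$dir/archive/$name"/*; do
    [ -e "$entry" ] || [ -L "$entry" ] || continue   # empty dir leaves the glob unexpanded
    base=$(basename "$entry")
    case "$base" in
      cert[0-9]*.pem|chain[0-9]*.pem|fullchain[0-9]*.pem|privkey[0-9]*.pem) ;;
      *) echo "BAD: archive/$name/$base is not a numbered version file"; rc=1 ;;
    esac
    if [ -L "$entry" ]; then echo "BAD: archive/$name/$base is a symlink, not a real file"; rc=1; fi
  done
  return $rc
}

# make_sample CONF_DIR NAME: constructed two-version lineage so the check runs offline
make_sample() {
  mkdir -p "$1/archive/$2" "$1/live/$2"
  for f in $KINDS; do
    for v in 1 2; do printf 'constructed %s v%s\n' "$f" "$v" > "$1/archive/$2/$f$v.pem"; done
    ln -s "../../archive/$2/${f}2.pem" "$1/live/$2/$f.pem"
  done
}
```

Running the check against a real tree after the two commands from the question reports dangling live/ links and unnumbered symlinks in archive/, which is exactly the state that stops the renewal.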

Someone doesn't like you very much - LOL
Here do this to the bosses Windows PC once a month:
format c:

Jokes aside, I would try removing the certbot program (don't delete any paths)
and then reinstalling it - which might fix some of the missing paths.
In any case, let's see what we're "working" with:
certbot certificates

Once the file structure is back as expected, this is the best way you can get a working cert sooner:

Thank you for your suggestions. Success!

I went back in and did
rm -r /etc/letsencrypt/archive/volo-fit.com
rm -r /etc/letsencrypt/live/volo-fit.com

Then I executed my dry-run again. I was happy to see that I didn't have to re-enter the certificate fields again. It just ran like normal except that it created a new directory for storage, /etc/letsencrypt/live/volo-fit.com-0002 & /etc/letsencrypt/archive/volo-fit.com-0002 for everything going forward.

Finally I did the live version and this time it didn't error out. I wound up with the reissued keys with the new expiration dates which worked fine.

Thank you for your help. Cheers!
John


Seeing cert names with -000x numbers usually means that the new cert contained name(s) close to, but not identical to, another existing cert(s).
Please review the list of active certs, with:
certbot certificates
And then remove any unused and unnecessary certs therein.
