Backing up and restoring certs cause certbot to repeatedly renew certs

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mozib.io

I ran this command: certonly --webroot --noninteractive --email admin@mozib.io --agree-tos --no-eff-email --cert-name certs -w /var/www/html/mozib.io/public_html -d mozib.io -d www.mozib.io

It produced this output: Renewing certificates for mozib.io

My web server is (include version): Apache 2.4.62

The operating system my web server runs on is (include version): Docker on Ubuntu 20.04 using httpd:2.4 container

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 3.0.0

I am running Certbot and Apache on separate Docker containers and link them via a folder in the host, e.g.

services:
    webserver:
        volumes:
            ./certs:/usr/local/apache2/ssl/letsencrypt
    
    certbot:
        volumes:
            ./certs:/etc/letsencrypt

Everything works fine as long as I don't touch the certs folder on the Docker host. Running the certbot command above reports certificates are not up for renewal, which is correct. However, when I backup the folder, delete its contents and then restore it from the backup, running the certbot command causes certbot to always seek new certificates and ignore the existing ones. New certificates are placed in folders called certs-0001, certs-0002 etc. I ensure all permissions and timestamps are preserved when backing up the certs folder by issuing the command cp -a when copying.

I am just wondering why this is the case.

Thank you.

Do you retain the symlinks when backing up and restore these symlinks?

Because the ../live/... folder are symlinks to the most recent cert in ../archive/..
A few of the most recent are retained in ../archive/.. for various purposes

After deleting and restoring what does this show

sudo -lR ./certs

Oh no I didn't check the symlinks and you're right, the symlinks are missing when I restore the backups.

Before backing up:

lrwxrwxrwx 1 root root  29 Oct 31 18:08 cert.pem -> ../../archive/certs/cert7.pem
lrwxrwxrwx 1 root root  30 Oct 31 18:08 chain.pem -> ../../archive/certs/chain7.pem
lrwxrwxrwx 1 root root  34 Oct 31 18:08 fullchain.pem -> ../../archive/certs/fullchain7.pem
lrwxrwxrwx 1 root root  32 Oct 31 18:08 privkey.pem -> ../../archive/certs/privkey7.pem
-rw-r--r-- 1 root root 692 Dec 31  2023 README

After restoring:

-rw-r--r-- 1 root root 1363 Oct 31 18:08 cert.pem
-rw-r--r-- 1 root root 1566 Oct 31 18:08 chain.pem
-rw-r--r-- 1 root root 2929 Oct 31 18:08 fullchain.pem
-rw------- 1 root root  241 Oct 31 18:08 privkey.pem
-rw-r--r-- 1 root root  692 Dec 31  2023 README

Once I restore with symlinks everything works properly!

Many thanks for your help!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.