Cannot load certificate

I am upgrading to a new server and would like to migrate my ssl certificates from the old server to the new one. I managed to import the .pem files to the /etc/letsencrypt/archive/mydomain.com folder and link them to the /etc/letsencrypt/live/mydomain.com folder. As my certificates have been renewed, there are multiple copies of each .pem file in the folder.

My server block includes the commands

ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain,com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/mydomain.com/chain.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;

My domain is: mydomain.com (not live)

I ran this command: sudo nginx -t

It produced this output:

002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/mydomain.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

My web server is (include version): nginx 1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04.1 server

My hosting provider, if applicable, is: me

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

The old server from which I want to migrate the certificates is running:
Ubuntu 18.04
nginx 1.14.0
certbot 0.31.0

What's the output of ls -l /etc/letsencrypt/live/mydomain.com/fullchain.pem?

And can you view the contents of the file yourself? I.e., run cat /etc/letsencrypt/live/mydomain.com/fullchain.pem

output of ls -l is

lrwxrwxrwx 1 root root 62 Nov 8 19:53 fullchain8.pem -> /etc/letsencrypt/archive/mydomain.com/fullchain8.pem

When I run cat, the output is BEGIN CERTIFICATE, END CERTIFICATE and all the stuff in between. There are two of these and the codes are different.

You've called the symlink in live fullchain8.pem. While it points to the most recent file in /archive/ which does have a number (in your case it's 8), the files in /live/ are just fullchain.pem (and the other names) without the number.

There are 8 fullchain files in /etc/letsencrypt/live/mydomain.com each of which ends in a number starting with 1 and ending in 8. Each one links to a corresponding file in /etc/letsencrypt/archive/mydomain.com.
The same is true for all of the files (cert, chain, fullchain and privkey). There are 32 .pem files in total, each of which links to the corresponding archive files.

Aha! I see what's happening. I should have only one fullchain.pem file linked to the fullchain9.pem (changed this morning) file in the archive folder. Same for each of the others (cert, chain, privkey)

sudo nginx -t now passes satisfactorily

Not sure I'm out of the woods yet because there's still a long way to go before I have everything up and running. We'll see what happens next.

You can run the following to add some comfort:
sudo certbot update_symlinks

Normally, one would just backup the whole /etc/letsencrypt directory with tar or equivalent program which would preserve symbolic links and ownership et cetera. cp also has the -a for archive which should do the same.

Many thanks for your help.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.