Cannot load certificate

I am upgrading to a new server and would like to migrate my ssl certificates from the old server to the new one. I managed to import the .pem files to the /etc/letsencrypt/archive/mydomain.com folder and link them to the /etc/letsencrypt/live/mydomain.com folder. As my certificates have been renewed, there are multiple copies of each .pem file in the folder.

My server block includes the commands

ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/mydomain.com/chain.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;

My domain is: mydomain.com (not live)

I ran this command: sudo nginx -t

It produced this output:

002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/mydomain.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

My web server is (include version): nginx 1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04.1 server

My hosting provider, if applicable, is: me

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

The old server from which I want to migrate the certificates is running:
Ubuntu 18.04
nginx 1.14.0
certbot 0.31.0


What's the output of ls -l /etc/letsencrypt/live/mydomain.com/fullchain.pem?

And can you view the contents of the file yourself? I.e., run cat /etc/letsencrypt/live/mydomain.com/fullchain.pem


output of ls -l is

lrwxrwxrwx 1 root root 62 Nov 8 19:53 fullchain8.pem -> /etc/letsencrypt/archive/mydomain.com/fullchain8.pem

When I run cat, the output is BEGIN CERTIFICATE, END CERTIFICATE and all the stuff in between. There are two of these and the codes are different.


You've called the symlink in live fullchain8.pem. While it points to the most recent file in /archive/ which does have a number (in your case it's 8), the files in /live/ are just fullchain.pem (and the other names) without the number.


There are 8 fullchain files in /etc/letsencrypt/live/mydomain.com each of which ends in a number starting with 1 and ending in 8. Each one links to a corresponding file in /etc/letsencrypt/archive/mydomain.com.
The same is true for all of the files (cert, chain, fullchain and privkey). There are 32 .pem files in total, each of which links to the corresponding archive files.


Aha! I see what's happening. I should have only one fullchain.pem file, linked to the fullchain9.pem (changed this morning) file in the archive folder. Same for each of the others (cert, chain, privkey).

sudo nginx -t now passes satisfactorily.

Not sure I'm out of the woods yet because there's still a long way to go before I have everything up and running. We'll see what happens next.


You can run the following to add some comfort:
sudo certbot update_symlinks

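The layout the thread converges on (unnumbered live/*.pem symlinks, each pointing at the highest-numbered copy in archive/) can be audited before running nginx -t. The script below is an added example, not part of the thread or of certbot; it assumes GNU readlink -f and reads the Let's Encrypt root from LE_ROOT (default /etc/letsencrypt).

```shell
#!/bin/sh
# Added example (not from the thread or certbot): audit the live/ symlinks
# for one domain the way "certbot update_symlinks" would expect them.
LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"

# Highest N among archive/<domain>/<name>N.pem; empty if none exist.
latest_archive_num() {
    # $1 = domain, $2 = base name (cert|chain|fullchain|privkey)
    ls "$LE_ROOT/archive/$1/$2"[0-9]*.pem 2>/dev/null \
        | sed -e 's/.*[^0-9]\([0-9][0-9]*\)\.pem$/\1/' \
        | sort -n | tail -n 1
}

# Returns 0 when live/<domain> holds exactly the four expected links,
# each resolving to the newest archive copy; prints every problem found.
check_live_links() {
    domain="$1"; live="$LE_ROOT/live/$domain"; rc=0
    # Numbered files do not belong in live/ (the mistake in this thread).
    for stray in "$live"/*[0-9].pem; do
        [ -e "$stray" ] || [ -L "$stray" ] || continue
        echo "stray numbered file in live/: $stray"; rc=1
    done
    for name in cert chain fullchain privkey; do
        link="$live/$name.pem"
        n=$(latest_archive_num "$domain" "$name")
        expected="$LE_ROOT/archive/$domain/$name$n.pem"
        if [ ! -L "$link" ]; then
            echo "missing or not a symlink: $link"; rc=1; continue
        fi
        # Compare canonical paths so relative and absolute targets both work.
        if [ "$(readlink -f "$link")" != "$(readlink -f "$expected")" ]; then
            echo "$link -> $(readlink "$link") (expected $expected)"; rc=1
        elif [ ! -r "$link" ]; then
            echo "dangling link: $link -> $(readlink "$link")"; rc=1
        fi
    done
    return $rc
}

# Usage: LE_ROOT=/etc/letsencrypt ./check-live.sh mydomain.com
if [ -n "${1:-}" ]; then check_live_links "$1"; fi
```

A non-zero exit points at the exact link to fix (or confirms that certbot update_symlinks is worth running) before nginx ever reads the paths.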

Normally, one would just back up the whole /etc/letsencrypt directory with tar or an equivalent program, which preserves symbolic links, ownership et cetera. cp also has the -a (archive) option, which should do the same.


Many thanks for your help.
