Can't get Lets encrypt working after server rebuild


I originally had ubuntu 14.04 with Lets encrypt on. I rebuilt the server to ubuntu 16.04 and copied the cert. The cert needs to be renewed so i followed the instruction on

However i keep getting the error below, Any ideas ?

2016-07-30 07:20:40,547:DEBUG:letsencrypt.cli:Root logging level set at 30
2016-07-30 07:20:40,548:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-07-30 07:20:40,549:DEBUG:letsencrypt.cli:letsencrypt version: 0.4.1
2016-07-30 07:20:40,549:DEBUG:letsencrypt.cli:Arguments: [’–apache’]
2016-07-30 07:20:40,550:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-07-30 07:20:40,555:DEBUG:letsencrypt.cli:Requested authenticator apache and installer apache
2016-07-30 07:20:40,891:DEBUG:letsencrypt.display.ops:Single candidate plugin: * apache
Description: Apache Web Server - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = letsencrypt_apache.configurator:ApacheConfigurator
Initialized: <letsencrypt_apache.configurator.ApacheConfigurator object at 0x7f78d4e55710>
Prep: True
2016-07-30 07:20:40,893:DEBUG:letsencrypt.cli:Selected authenticator <letsencrypt_apache.configurator.ApacheConfigurator object at 0x7f78d4e55710> and installer <letsencrypt_apache.configurator.ApacheConfigurator object at 0x7f78d4e55710

2016-07-30 07:20:42,029:DEBUG:letsencrypt.cli:Picked account: <Account(db39b764c075fcb892dcb05724db52a6)>
2016-07-30 07:20:42,031:DEBUG:root:Sending GET request to args: (), kwargs: {}
2016-07-30 07:20:42,035:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1):
2016-07-30 07:20:42,396:DEBUG:requests.packages.urllib3.connectionpool:“GET /directory HTTP/1.1” 200 280
2016-07-30 07:20:42,398:DEBUG:root:Received <Response [200]>. Headers: {‘Content-Length’: ‘280’, ‘Expires’: ‘Sat, 30 Jul 2016 07:20:42 GMT’, ‘Boulder-Request-Id’: ‘YkbcKNIMZRhHtCFcpbvLc5XkEjQynB6V5OLArA1vfmA’, ‘Strict-Transport-Security’
: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Sat, 30 Jul 2016 07:20:42 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/j
son’, ‘Replay-Nonce’: ‘REMOVED’}. Content: '{\n “new-authz”: “”,\n “new-cert”: “”,\n “new-reg”: “”,\n “revoke-cert”: “”\n}'
2016-07-30 07:20:42,399:DEBUG:acme.client:Received response <Response [200]> (headers: {‘Content-Length’: ‘280’, ‘Expires’: ‘Sat, 30 Jul 2016 07:20:42 GMT’, ‘Boulder-Request-Id’: ‘YkbcKNIMZRhHtCFcpbvLc5XkEjQynB6V5OLArA1vfmA’, ‘Strict-Tra
nsport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Sat, 30 Jul 2016 07:20:42 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’
: ‘application/json’, ‘Replay-Nonce’: ‘REMOVED’}): '{\n “new-authz”: “”,\n “new-cert”: “”,\n “new
-reg”: “”,\n “revoke-cert”: “”\n}'
2016-07-30 07:20:42,403:DEBUG:parsedatetime:parse (top of loop): [30 days][]
2016-07-30 07:20:42,410:DEBUG:parsedatetime:CRE_UNITS matched
2016-07-30 07:20:42,411:DEBUG:parsedatetime:parse (bottom) [][30 days][][]
2016-07-30 07:20:42,411:DEBUG:parsedatetime:weekday False, dateStd False, dateStr False, time False, timeStr False, meridian False
2016-07-30 07:20:42,411:DEBUG:parsedatetime:dayStr False, modifier False, modifier2 False, units True, qunits False
2016-07-30 07:20:42,411:DEBUG:parsedatetime:_evalString(30 days, time.struct_time(tm_year=2016, tm_mon=7, tm_mday=30, tm_hour=7, tm_min=20, tm_sec=42, tm_wday=5, tm_yday=212, tm_isdst=0))
2016-07-30 07:20:42,411:DEBUG:parsedatetime:_buildTime: [30 ][][days]
2016-07-30 07:20:42,411:DEBUG:parsedatetime:units days --> realunit days
2016-07-30 07:20:42,411:DEBUG:parsedatetime:return
2016-07-30 07:20:42, renew, less than 30 days before certificate expiry 2016-08-09 16:59:00 UTC.
2016-07-30 07:20:42,411:INFO:letsencrypt.cli:Cert is due for renewal, auto-renewing…
2016-07-30 07:20:42,412:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/letsencrypt”, line 9, in
load_entry_point(‘letsencrypt==0.4.1’, ‘console_scripts’, ‘letsencrypt’)()
File “/usr/lib/python2.7/dist-packages/letsencrypt/”, line 1986, in main
return config.func(config, plugins)
File “/usr/lib/python2.7/dist-packages/letsencrypt/”, line 662, in run
lineage, action = _auth_from_domains(le_client, config, domains)
File “/usr/lib/python2.7/dist-packages/letsencrypt/”, line 453, in _auth_from_domains
original_server = lineage.configuration[“renewalparams”][“server”]
File “/usr/lib/python2.7/dist-packages/”, line 554, in getitem
val = dict.__g


Been doing some further research and i removed the conf file from the /etc/letsencrypt directory
deleted renewals and accounts folder
and i got new certs, but renewal fails with :warning:letsencrypt.cli:Renewal configuration file filename is broken skipping

if i restored the file inthe renewals folder i get the original error
Traceback (most recent call last):
File “/usr/bin/letsencrypt”, line 9, in
load_entry_point(‘letsencrypt==0.4.1’, ‘console_scripts’, ‘letsencrypt’)()
File “/usr/lib/python2.7/dist-packages/letsencrypt/”, line 1986, in main
return config.func(config, plugins)
File “/usr/lib/python2.7/dist-packages/letsencrypt/”, line 706, in obtain_cert
_, action = _auth_from_domains(le_client, config, domains, lineage)
File “/usr/lib/python2.7/dist-packages/letsencrypt/”, line 453, in _auth_from_domains
original_server = lineage.configuration[“renewalparams”][“server”]
File “/usr/lib/python2.7/dist-packages/”, line 554, in getitem
val = dict.getitem(self, key)
KeyError: ‘server’

The file in the renewals directory is either blank after sucessfully letsencrypt --apache following a directory wipe or shown below

in its original form which caused the KeyError: ‘server’ error the file inte renewals directory contains (all the .pem files exist btw)

cert = /etc/letsencrypt/live/MyDomain/cert.pem
privkey = /etc/letsencrypt/live/MyDomain/privkey.pem
chain = /etc/letsencrypt/live/MyDomain/chain.pem
fullchain = /etc/letsencrypt/live/MyDomain/fullchain.pem

Options used in the renewal process

authenticator = apache
installer = apache
account = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


I’m assuming you’re using the letsencrypt package from the Ubuntu repository? That’s a relatively old version of the client. What might be happening here is that you were previously using the letsencrypt-auto version of the client (which includes an auto-update facility), so you were probably using the latest version of the client available at the moment. The configuration files generated by that version of the client might not necessarily be compatible with the older client from the Ubuntu repository (the client is backwards-compatible - i.e. newer versions of the client generally accept configuration files generated by older versions, but this might not be true in the other direction.)

I see two options here:

  • Remove the client package from the Ubuntu repository and go back to the letsencrypt-auto (or certbot-auto) version of the client. Following the instructions for Ubuntu 14.04 should give you a working installation on 16.04 as well. If you have a clean backup of the original configuration (i.e. everything in /etc/letsencrypt), I’d recommend restoring that as well in case any of the steps you took in the meantime broke the config in other ways.
  • Keep using the Ubuntu package, but start from a clean installation. Get rid of everything Let’s Encrypt-related in your apache configuration, move /etc/letsencrypt out of the way, and re-issue all your certificates.


Thanks. Yes your right i was original using the version from git on Ubuntu 14, then when i rebuilt on Ubuntu 16 i used the packages version. I did try the git version again yesterday but no luck. In the end i wiped both Lets Encrypt and Apache from my system. Installed a base version of Apache , then Lets encrypt and used lets encrypt to create a cert for a Basic site. I then added my original conf back as i’m using several modules including fcgi to a back end application which may have confused Lets Encrypt.

letsencrypt renew --dry-run failed saying

2016-07-31 08:35:35,276:WARNING:letsencrypt.client:Registering without email!
2016-07-31 08:35:36,858:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/ produced an unexpected error: Missing command line flag or config entry for this setting:
Please read the Terms of Service at You must agree in order to register with the ACME server at

(You can set this with the --agree-tos flag). Skipping.

followed the instructions and the renewal process now works, added to crontab Done.

There really should be different instructionsfor downgrade users, or preferably a downgrade routine added to the Ubuntu official release as this must be happening a lot

Many Thanks for your help


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.