Can't get/renew certificate (AttributeError: can't set attribute)

Hi,
I'm new to this. I was trying to set up a reverse proxy with nginx to my webserver running on port 80, but I messed something up and now I can't renew my certificate. I was also trying to disable nginx and just use my webserver and get a certificate using certbot. It's not working and I don't know what to do. I don't really need nginx; I just want to get my certificate using certbot and use forgejo as the webserver. But all the guides I found used nginx as a reverse proxy, so that's why I used it.

My domain is:

weforgecode.xyz

I ran this command:

$ sudo certbot certonly --webroot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): weforgecode.xyz
Requesting a certificate for weforgecode.xyz
An unexpected error occurred:
AttributeError: can't set attribute
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/weforgecode.xyz.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewal configuration file /etc/letsencrypt/renewal/weforgecode.xyz.conf is broken.
The error was: expected /etc/letsencrypt/live/weforgecode.xyz/privkey.pem to be a symlink
Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No simulated renewals were attempted.

Additionally, the following renewal configurations were invalid: 
  /etc/letsencrypt/renewal/weforgecode.xyz.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 renew failure(s), 1 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

forgejo-1.20.5

The operating system my web server runs on is (include version):

Debian GNU/Linux 12 (bookworm) x86_64
Kernel:
6.1.0-10-amd64

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no? Well, there are administrative options such as changing user names, but no options related to networking

The version of my client is:

certbot 2.1.0

list of certificates:

$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/weforgecode.xyz.conf produced an unexpected error: expected /etc/letsencrypt/live/weforgecode.xyz/privkey.pem to be a symlink. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/weforgecode.xyz.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

last lines in log:

2023-10-11 08:55:32,762:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 75, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/storage.py", line 506, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/_internal/storage.py", line 585, in _check_symlinks
    raise errors.CertStorageError(
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/weforgecode.xyz/privkey.pem to be a symlink

2023-10-11 08:55:32,762:DEBUG:certbot._internal.display.obj:Notifying user:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-10-11 08:55:32,763:DEBUG:certbot._internal.display.obj:Notifying user: No simulated renewals were attempted.
2023-10-11 08:55:32,764:DEBUG:certbot._internal.display.obj:Notifying user:
Additionally, the following renewal configurations were invalid:
2023-10-11 08:55:32,765:DEBUG:certbot._internal.display.obj:Notifying user:   /etc/letsencrypt/renewal/weforgecode.xyz.conf (parsefail)
2023-10-11 08:55:32,765:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-10-11 08:55:32,766:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==2.1.0', 'console_scripts', 'certbot')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1736, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1629, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 558, in handle_renewal_request
    raise errors.Error(
certbot.errors.Error: 0 renew failure(s), 1 parse failure(s)
2023-10-11 08:55:32,768:ERROR:certbot._internal.log:0 renew failure(s), 1 parse failure(s)

Hi @IllIlIlllIlIlI, and welcome to the LE community forum :slight_smile:

What shows?:
ls -l /etc/letsencrypt/live/weforgecode.xyz/

How did certbot lose sight of the certificate for weforgecode.xyz?
Did you back up and restore any of the files in the /etc/letsencrypt folder?

2 Likes

No, I don't have any backups. Also, I tried to copy the key and cert to the forgejo root folder... and I might have used mv instead of cp. And I have lost the key and cert, but I thought it's OK since I can just renew... right?

$ sudo ls -l /etc/letsencrypt/live/weforgecode.xyz/
total 4
lrwxrwxrwx 1 root root  39 Oct 10 19:38 cert.pem -> ../../archive/weforgecode.xyz/cert5.pem
lrwxrwxrwx 1 root root  40 Oct 10 19:38 chain.pem -> ../../archive/weforgecode.xyz/chain5.pem
-rw-r--r-- 1 root root 692 Oct 10 19:08 README

Ok, it seems pretty well destroyed.

I would:

  • uninstall certbot
  • completely remove the entire /etc/letsencrypt directory
  • [re]install certbot
  • obtain a new cert
4 Likes
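
The listing above shows a live/ directory where privkey.pem and fullchain.pem are gone, which is what the "expected ... to be a symlink" error reports. As an added example (not from the thread and not certbot's own code), these shell functions audit a lineage directory for the four symlinks certbot expects and copy the chain and key for another service with cp -L instead of moving them; the function names, the example.test lineage and the sample tree are constructed for illustration.

```shell
# Added example, not from the thread. certbot expects cert.pem, privkey.pem,
# chain.pem, fullchain.pem in live/<name>/ to be symlinks into archive/<name>/.

LINEAGE_FILES="cert.pem privkey.pem chain.pem fullchain.pem"

# check_lineage DIR: print one status line per file, return the problem count.
check_lineage() {
    local dir="$1" name path problems=0
    for name in $LINEAGE_FILES; do
        path="$dir/$name"
        if [ -L "$path" ] && [ -e "$path" ]; then
            echo "ok       $name -> $(readlink "$path")"
            continue
        elif [ -L "$path" ]; then
            echo "dangling $name -> $(readlink "$path")"  # target moved or deleted
        elif [ -e "$path" ]; then
            echo "regular  $name (expected a symlink)"     # replaced by a plain copy
        else
            echo "missing  $name"                           # e.g. mv'd out of live/
        fi
        problems=$((problems + 1))
    done
    return "$problems"
}

# export_lineage DIR DEST: give another service its own copy of the chain and
# key. cp -L follows the symlinks, so live/ and archive/ are left untouched.
export_lineage() {
    local dir="$1" dest="$2"
    check_lineage "$dir" >/dev/null || return 1
    mkdir -p "$dest" || return 1
    ( umask 077 && cp -L "$dir/fullchain.pem" "$dir/privkey.pem" "$dest/" ) &&
        chmod 600 "$dest/privkey.pem"
}

# Constructed sample: a live/ directory like the one listed in the thread,
# where only cert.pem and chain.pem remain. Prints the live directory path.
make_sample_lineage() {
    local root
    root=$(mktemp -d) || return 1
    mkdir -p "$root/live/example.test" "$root/archive/example.test"
    : > "$root/archive/example.test/cert5.pem"
    : > "$root/archive/example.test/chain5.pem"
    ln -s ../../archive/example.test/cert5.pem  "$root/live/example.test/cert.pem"
    ln -s ../../archive/example.test/chain5.pem "$root/live/example.test/chain.pem"
    echo "$root/live/example.test"
}

check_lineage "$(make_sample_lineage)" || echo "lineage damaged: $? problem(s)"
```

Against a real host the call would be `sudo sh -c '. ./lineage.sh; check_lineage /etc/letsencrypt/live/<name>'`, with the file name here being an assumption.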

OK, I have used sudo apt purge certbot and made sure that /etc/letsencrypt is deleted.
After that I installed certbot using sudo apt install certbot -y
And tried to get certificate:

$ sudo certbot certonly --webroot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): weforgecode.xyz
Invalid email address: weforgecode.xyz.
There seem to be problems with that address.

If you really want to skip this, you can run the client with
--register-unsafely-without-email but you will then be unable to receive notice
about impending expiration or revocation of your certificates or problems with
your Certbot installation that will lead to failure to renew.

Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): *censored*

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): weforgecode.xyz
Requesting a certificate for weforgecode.xyz
An unexpected error occurred:
AttributeError: can't set attribute
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Was that certbot?

I believe the recommended installation instructions for Debian use snap.
See: Certbot (eff.org)

3 Likes

yeah it was sudo apt install certbot -y, sorry
(I made a typo in the post not in the terminal, and it did not resolve my issue :sweat_smile: )

1 Like

Also, I have tried the certbot snap version and it's now giving a different error


$ sudo apt purge certbot
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
python3-acme python3-certbot python3-configargparse python3-configobj
python3-distro python3-icu python3-josepy python3-parsedatetime
python3-rfc3339 python3-tz
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
certbot*
0 upgraded, 0 newly installed, 1 to remove and 1 not upgraded.
After this operation, 163 kB disk space will be freed.
Do you want to continue? [Y/n]
(Reading database ... 47136 files and directories currently installed.)
Removing certbot (2.1.0-4) ...
Processing triggers for man-db (2.11.2-2) ...
(Reading database ... 47123 files and directories currently installed.)
Purging configuration files for certbot (2.1.0-4) ...
$ sudo snap install --classic certbot
snap "certbot" is already installed, see 'snap help refresh'
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
$ sudo certbot certonly --webroot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): *censored*

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): weforgecode.xyz
Requesting a certificate for weforgecode.xyz
An unexpected error occurred:
Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: weforgecode.xyz, retry after 2023-10-12T02:14:31Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
$ certbot --version
certbot 2.7.1

Since I can't register weforgecode.xyz, I have tried www.weforgecode.xyz and:

$ sudo certbot certonly --webroot --webroot-path /home/git/
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): www.weforgecode.xyz
Requesting a certificate for www.weforgecode.xyz
Input the webroot for www.weforgecode.xyz: (Enter 'c' to cancel): /home/misa/

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: www.weforgecode.xyz
  Type:   unauthorized
  Detail: 46.36.36.117: Invalid response from http://www.weforgecode.xyz/.well-known/acme-challenge/O-EKqQ1nkwV6lJ1WCGjn0kEZYHS1C7JP-ywiUTfGjdU: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Since certbot needs the certificate accessible here

/.well-known/acme-challenge/O-EKqQ1nkwV6lJ1WCGjn0kEZYHS1C7JP-ywiUTfGjdU: 404

and as far as I know forgejo does not have this feature.

So I have once again installed nginx

sudo apt install nginx -y

And set it up as reverse proxy using

$ sudo nano /etc/nginx/conf.d/gitea.conf

upstream gitea {
    server *SERVER IP*:3000;
}
server {
    listen 80;
    server_name www.weforgecode.xyz;
    root /var/lib/gitea/public;
    access_log off;
    error_log off;
    location / {
        try_files maintain.html $uri $uri/index.html @node;
    }
    location @node {
        client_max_body_size 0;
        proxy_pass http://localhost:3000;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_max_temp_file_size 0;
        proxy_redirect off;
        proxy_read_timeout 120;
    }
}

Then I set up certbot using www.weforgecode.xyz instead of weforgecode.xyz, since I exceeded the limit and I need to wait 168 hours


sudo certbot --nginx -d www.weforgecode.xyz

Once I got it set up, I changed the forgejo port to 3000 using

$ nano /custom/config/app.ini

[server]
SSH_DOMAIN = *SERVER_IP*
DOMAIN = *SERVER_IP*
HTTP_PORT = 3000
ROOT_URL = http://www.weforgecode.xyz/
OFFLINE_MODE = false
PROTOCOL = http

And now it's running as it should be!

1 Like
