Certbot Symlinks on Windows

Hello. I am running Apache 2.4 on Windows 10 and I use Certbot for my certificate.

I had a drive crash yesterday and had to restore the server from backup, which took about 10 minutes and I was up and running.

After something like this I always test everything. The only thing that doesn't work is the Certbot renew dry run. It tells me it expects symlinks which, of course, are not present when copied from backup.

How do I recreate symlinks on Windows 10 so I can renew my certificate? I've got about a month to figure this out and get my certificate renewed for the next cycle.

I know this has been addressed for the Linux system, but I can't find anything for help on Windows.

Thanks.

My domain is: neteast.org

I ran this command: certbot renew --dry-run

It produced this output: Certbot expected Symlinks

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Self

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.13.0

2 Likes

Welcome to the Let's Encrypt Community, Leora 🙂

Try this:

certbot update_symlinks

3 Likes

Thanks for the suggestion.

This doesn't do anything at all. It produces an error: Expected c:\certbot\live\neteast.org\cert.pem to be a symlink

I am able to make symlinks with mklink, but that doesn't fix the problem of the certificate not renewing on dry run. It just says there is a configuration error; however, the config files are the same in three different backups.

3 Likes

@_az

Any thoughts here?

3 Likes

I don't have a Windows installation handy to test this, but you can try looking at what the highest numbered file is in c:\certbot\archive\neteast.org\ and then try recreating the symlinks (making sure to substitute 99 in each command for the number you found):

mklink c:\certbot\live\neteast.org\cert.pem c:\certbot\archive\neteast.org\cert99.pem
mklink c:\certbot\live\neteast.org\chain.pem c:\certbot\archive\neteast.org\chain99.pem
mklink c:\certbot\live\neteast.org\fullchain.pem c:\certbot\archive\neteast.org\fullchain99.pem
mklink c:\certbot\live\neteast.org\privkey.pem c:\certbot\archive\neteast.org\privkey99.pem

It is super unfortunate that your backup restore does not preserve symlinks.

4 Likes

Thanks. I tried this. The highest number is 18. It makes symlinks, but I am still getting a parsing error on the config file. The config file from backup is the original.

3 Likes

What's the full error output from Certbot?

4 Likes

Here is the complete output and config file:

Directory with symlinks created by mklink:

Directory of c:\certbot\live\neteast.org

04/17/2022 05:26 PM .
04/17/2022 05:26 PM ..
04/17/2022 05:24 PM cert.pem [c:\certbot\archives\neteast.org\cert18.pem]
04/17/2022 05:25 PM chain.pem [c:\certbot\archives\neteast.org\chain18.pem]
04/17/2022 05:25 PM fullchain.pem [c:\certbot\archives\neteast.org\fullchain18.pem]
04/17/2022 05:26 PM privkey.pem [c:\certbot\archives\neteast.org\privkey18.pem]
4 File(s) 0 bytes
2 Dir(s) 1,303,511,633,920 bytes free

Output of certbot renew --dry-run:

Processing C:\Certbot\renewal\neteast.org.conf


Traceback (most recent call last):
  File "C:\Program Files (x86)\Certbot\pkgs\certbot_internal\renewal.py", line 70, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot_internal\storage.py", line 468, in __init__
    self._check_symlinks()
  File "C:\Program Files (x86)\Certbot\pkgs\certbot_internal\storage.py", line 538, in _check_symlinks
    raise errors.CertStorageError(
certbot.errors.CertStorageError: expected C:\Certbot\live\neteast.org\cert.pem to be a symlink
Renewal configuration file C:\Certbot\renewal\neteast.org.conf is broken. Skipping.

Contents of neteast.org config file:

# renew_before_expiry = 30 days

version = 1.13.0
archive_dir = C:\Certbot\archive\neteast.org
cert = C:\Certbot\live\neteast.org\cert.pem
privkey = C:\Certbot\live\neteast.org\privkey.pem
chain = C:\Certbot\live\neteast.org\chain.pem
fullchain = C:\Certbot\live\neteast.org\fullchain.pem

# Options used in the renewal process

[renewalparams]
account = e47acbc8f171d9a7e2a968f3a12e6185
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
neteast.org = c:\webroot\neteast

2 Likes

Directory list. Note plural archives

The neteast.org renewal config file. Note singular archive

5 Likes

Ok. I corrected that error and the result is the same.


Directory of c:\Certbot\live\neteast.org

04/17/2022 06:25 PM .
04/17/2022 06:25 PM ..
04/17/2022 06:24 PM cert.pem [c:\certbot\archive\neteast.org\cert18.pem]
04/17/2022 06:25 PM chain.pem [c:\certbot\archive\neteast.org\chain18.pem]
04/17/2022 06:25 PM fullchain.pem [c:\certbot\archive\neteast.org\fullchain18.pem]
04/17/2022 06:25 PM privkey.pem [c:\certbot\archive\neteast.org\privkey18.pem]
4 File(s) 0 bytes
2 Dir(s) 1,303,511,695,360 bytes free

Processing C:\Certbot\renewal\neteast.org.conf


Traceback (most recent call last):
  File "C:\Program Files (x86)\Certbot\pkgs\certbot_internal\renewal.py", line 70, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot_internal\storage.py", line 468, in __init__
    self._check_symlinks()
  File "C:\Program Files (x86)\Certbot\pkgs\certbot_internal\storage.py", line 538, in _check_symlinks
    raise errors.CertStorageError(
certbot.errors.CertStorageError: expected C:\Certbot\live\neteast.org\cert.pem to be a symlink
Renewal configuration file C:\Certbot\renewal\neteast.org.conf is broken. Skipping.

2 Likes

There was one additional error on the drive which I found and corrected. That fixed the symlink error, but the certificate still won't renew:


Processing C:\Certbot\renewal\neteast.org.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Simulating renewal of an existing certificate for neteast.org
Performing the following challenges:
http-01 challenge for neteast.org
Waiting for verification...
Challenge failed for domain neteast.org
http-01 challenge for neteast.org
Cleaning up challenges
Failed to renew certificate neteast.org with error: Some challenges have failed.

Additional info: The dry run is successful when I use certonly and -d neteast.org. This forces me to enter the challenge type and webroot manually. The config file, however, has the same info.

2 Likes

What are the full outputs of these commands?

certbot certificates

certbot certonly --webroot -w "C:\whereveryourwebrootdirectoryis" -d "neteast.org,www.neteast.org" --dry-run
4 Likes

The restore failed to keep the symlinks [this you know].
Did the failed drive restore also affect the O/S?
If so, what O/S changes were made since the last backup?
[think about anything to do with inbound HTTP (IIS, firewall, etc.)]

4 Likes

Update:

This is now fixed.

I have several certificates and while they all should have the same number of cycles, one of them has one more than the rest.

After adjusting the batch file to create symlinks with the correct numbers everything works fine.

Thanks for your help.

2 Likes
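
The symlink rebuild worked out in this thread, as an added example that is not part of any post and is not Certbot's own code: it looks up the highest complete certN/chainN/fullchainN/privkeyN set separately for each lineage under archive, which is the per-certificate numbering difference the final post describes, and derives every link target from the directory that actually exists. The function names are hypothetical, C:\Certbot is the configuration directory shown in the thread, and on Windows os.symlink needs an elevated prompt or Developer Mode.

```python
import os
import re
from pathlib import Path

KINDS = ("cert", "chain", "fullchain", "privkey")  # the four links Certbot checks

def latest_version(archive_dir: Path) -> int:
    """Highest N for which certN, chainN, fullchainN and privkeyN .pem all exist."""
    versions = {kind: set() for kind in KINDS}
    for entry in archive_dir.iterdir():
        m = re.fullmatch(r"(cert|chain|fullchain|privkey)(\d+)\.pem", entry.name)
        if m:
            versions[m.group(1)].add(int(m.group(2)))
    complete = set.intersection(*versions.values())
    if not complete:
        raise FileNotFoundError(f"no complete certificate set in {archive_dir}")
    return max(complete)

def rebuild_links(config_dir: Path, dry_run: bool = False) -> dict:
    """Recreate live/<lineage>/*.pem as symlinks; returns {lineage: version}."""
    done = {}
    for archive_dir in sorted((config_dir / "archive").iterdir()):
        if not archive_dir.is_dir():
            continue
        n = latest_version(archive_dir)  # looked up per lineage, never shared
        live_dir = config_dir / "live" / archive_dir.name
        for kind in KINDS:
            link = live_dir / f"{kind}.pem"
            target = archive_dir / f"{kind}{n}.pem"
            if dry_run:
                continue
            live_dir.mkdir(parents=True, exist_ok=True)
            if link.is_symlink() or link.exists():
                link.unlink()  # drop the plain copy the restore left; archive keeps the original
            os.symlink(target, link)
        done[archive_dir.name] = n
    return done

if __name__ == "__main__":
    # C:\Certbot is the config directory shown in this thread; adjust if yours differs.
    for name, n in rebuild_links(Path(r"C:\Certbot")).items():
        print(f"{name}: live links now point at version {n}")
```

Run it with dry_run=True first to see which version each lineage would be linked to, then follow up with certbot renew --dry-run.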
