Certbot cannot find my account or certificates after upgrading to snap from apt

My domain is: sayakm.me

I was using an older version of certbot that got installed with apt a few years ago. Its version was 1.21.0. I needed some new features like getting the account details. So, based on the guides on the website and other resources, I removed the older certbot using apt remove certbot and then installed the newer one using snap install --classic certbot.

Now, when I try to check if I can at least fetch the certificates that were generated, I get No certificates found. I think some configuration or something broke. How do I get certbot to work correctly again? My certificates themselves are fine though so my site is still accessible.

My web server is (include version): nginx 1.18.0

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: DigitalOcean

I can log in to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.11.0

N.B. Would it be safe to uninstall the snap certbot and reinstall the older apt one to test things?

More info:

Something is weird.

The /etc/letsencrypt directory had the following content before the upgrade

total 284
drwxr-xr-x  10 root root   4096 Jun 18 09:15 .
drwxr-xr-x 109 root root  12288 Jun 14 06:49 ..
-rw-r--r--   1 root root    237 Apr 16 18:41 account.conf
-rwxr-xr-x   1 root root 221532 Feb 16 19:30 acme.sh
-rw-r--r--   1 root root     82 Feb 16 19:30 acme.sh.env
drwxr-xr-x   3 root root   4096 Feb 16 19:30 ca
-rw-r--r--   1 root root    207 Nov 12  2021 cli.ini
drwxr-xr-x   2 root root   4096 Feb 16 19:30 deploy
drwxr-xr-x   2 root root   4096 Feb 16 19:30 dnsapi
drwxr-xr-x   2 root root   4096 Feb 16 19:30 example.com
-rw-r--r--   1 root root    494 Apr 16 18:41 http.header
drwxr-xr-x   2 root root   4096 Feb 16 19:30 notify
drwxr-xr-x   5 root root   4096 Feb 16 19:35 renewal-hooks
drwxr-xr-x   3 root root   4096 Feb 17 13:20 sayakm.me

I must mention that this is a Ghost CMS server created from DigitalOcean marketplace (How to install Ghost on Digital Ocean - Official guide).
Now, I have another server which was created in bare metal and the directory in there looks like

total 192
drwxr-xr-x  9 root root  4096 Jun 18 02:10 .
drwxr-xr-x 98 root root  4096 Jul  4  2023 ..
drwx------  3 root root  4096 Jul  5  2020 accounts
drwx------  4 root root  4096 Mar 14  2022 archive
-rw-r--r--  1 root root   121 Feb 10  2019 cli.ini
drwxr-xr-x  2 root root 69632 Jun 18 02:10 csr
drwx------  2 root root 69632 Jun 18 02:10 keys
drwx------  4 root root  4096 Mar 14  2022 live
-rw-r--r--  1 root root  1143 Jul  5  2020 options-ssl-nginx.conf
drwxr-xr-x  2 root root  4096 May  6 05:11 renewal
drwxr-xr-x  5 root root  4096 Jul  3  2020 renewal-hooks
-rw-r--r--  1 root root   424 Jul  5  2020 ssl-dhparams.pem
-rw-r--r--  1 root root    64 Jul  5  2020 .updated-options-ssl-nginx-conf-digest.txt
-rw-r--r--  1 root root    64 Jul  5  2020 .updated-ssl-dhparams-pem-digest.txt

This server uses a very old certbot (0.31.0) so I don't know if that's the reason for the difference or if the DigitalOcean server is created in a weird way.

Note that the accounts dir does not exist. But there is an account.conf instead. Weirdly, the certificates get renewed 1 month before expiry so something is working to do it.

The acme.sh script is a different ACME client than Certbot. They work very differently. Sometimes people have used the Certbot folder names when using acme.sh but this is confusing.

Your nginx config must have lines that describe where the cert and private key are. What do those say?

ssl_certificate   
ssl_certificate_key
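The check suggested in the reply above, written out as an added example that is not part of the original thread: classify a state directory by the entries that differ between the two listings posted earlier, and pull the ssl_certificate paths out of an nginx config file. The sample directory, the server block and the certificate file names in it are constructed, and demo is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the thread): tell Certbot state from acme.sh state.
# Marker names are taken from the two directory listings posted above.

# Print certbot, acme.sh, mixed or unknown for a state directory.
acme_client_for_dir() {
    dir=$1; certbot=0; acmesh=0
    # Certbot: account keys, certificate lineages, per-lineage renewal configs.
    for d in accounts live renewal; do
        if [ -d "$dir/$d" ]; then certbot=$((certbot + 1)); fi
    done
    # acme.sh: the script itself, account.conf, per-CA account data.
    if [ -f "$dir/acme.sh" ]; then acmesh=$((acmesh + 1)); fi
    if [ -f "$dir/account.conf" ]; then acmesh=$((acmesh + 1)); fi
    if [ -d "$dir/ca" ]; then acmesh=$((acmesh + 1)); fi
    # cli.ini and renewal-hooks appear in both listings, so they prove nothing.
    if [ "$certbot" -gt 0 ] && [ "$acmesh" -gt 0 ]; then echo mixed
    elif [ "$certbot" -gt 0 ]; then echo certbot
    elif [ "$acmesh" -gt 0 ]; then echo acme.sh
    else echo unknown
    fi
}

# Print "<directive> <path>" for each certificate directive in nginx config files.
nginx_cert_paths() {
    sed -n -E 's/^[[:space:]]*(ssl_certificate(_key)?)[[:space:]]+([^;]+);.*$/\1 \3/p' "$@"
}

# Constructed sample mirroring the first listing, plus a constructed server block.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/ca" "$tmp/etc/renewal-hooks" "$tmp/etc/sayakm.me"
    touch "$tmp/etc/acme.sh" "$tmp/etc/account.conf" "$tmp/etc/cli.ini"
    cat > "$tmp/site.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate     /etc/letsencrypt/sayakm.me/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/sayakm.me/sayakm.me.key;
}
EOF
    acme_client_for_dir "$tmp/etc"
    nginx_cert_paths "$tmp/site.conf"
    rm -rf "$tmp"
}
demo
```

A certificate path that does not sit under a live/ directory, combined with an acme.sh result for the state directory, means certbot certificates has nothing to list on that host.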

The certificates point to the sayakm.me directory. Moreover, I was able to get the account URL and email in the ca directory. This pretty much confirms for me that the ghost cli uses acme.sh instead of certbot. Is the acme.sh part of the letsencrypt project like certbot is?

Let's Encrypt is a Certificate Authority operating with the ACME protocol. There are multiple CAs supporting ACME which is a public standard. These are known as ACME Servers.

Certbot is an ACME Client managed by the EFF (at least for many years now). There are numerous ACME Clients. You must use an ACME Client to request a cert from an ACME Server (Let's Encrypt's or one of the others).

Perhaps these topics provide the background you seek

