certbot.errors.CertStorageError: expected /etc/letsencrypt/live/komn.ist/cert.pem to be a symlink

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: komn.ist

I ran this command: sudo certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/komn.ist-0001.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/komn.ist.conf


Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 67, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 463, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/komn.ist/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/komn.ist.conf is broken. Skipping.


Processing /etc/letsencrypt/renewal/media.komn.ist.conf


Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 67, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 463, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/media.komn.ist/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/media.komn.ist.conf is broken. Skipping.


The following certs are not due for renewal yet:
/etc/letsencrypt/live/komn.ist-0001/fullchain.pem expires on 2021-01-11 (skipped)
No renewals were attempted.

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/komn.ist.conf (parsefail)
/etc/letsencrypt/renewal/media.komn.ist.conf (parsefail)


0 renew failure(s), 2 parse failure(s)

My web server is (include version): Apache 2.4.38

The operating system my web server runs on is (include version): Raspbian GNU/Linux 10 (buster)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

1 Like

Welcome to the Let's Encrypt Community :slightly_smiling_face:

Looks like your live symlinks got modified somehow.

Run the following then try again:
sudo certbot update_symlinks

2 Likes

Hi, and thanks for the welcome. I tried with the command you suggested and got the output

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Expected /etc/letsencrypt/live/komn.ist/cert.pem to be a symlink

Trying the renew command afterwards gets me

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/komn.ist-0001.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/komn.ist.conf


Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 67, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 463, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/komn.ist/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/komn.ist.conf is broken. Skipping.


Processing /etc/letsencrypt/renewal/media.komn.ist.conf


Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 67, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 463, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/media.komn.ist/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/media.komn.ist.conf is broken. Skipping.


The following certs are not due for renewal yet:
/etc/letsencrypt/live/komn.ist-0001/fullchain.pem expires on 2021-01-11 (skipped)
No renewals were attempted.

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/komn.ist.conf (parsefail)
/etc/letsencrypt/renewal/media.komn.ist.conf (parsefail)


0 renew failure(s), 2 parse failure(s)

I would attach the log but it appears I'm too new of a user to do so :confused:

1 Like

Hmm... :thinking:

Please show the contents of:
/etc/letsencrypt/renewal/komn.ist.conf
/etc/letsencrypt/renewal/media.komn.ist.conf

I see komn.ist and media.komn.ist. Are there any other subdomains you are wanting to include (like www.komn.ist)?

Once I have this information, I'll help you get things cleaned up. :slightly_smiling_face:

1 Like

Please show the output of:
ls -l /etc/letsencrypt/live/komn.ist/

1 Like

The content of komn.ist.conf is

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/komn.ist
cert = /etc/letsencrypt/live/komn.ist/cert.pem
privkey = /etc/letsencrypt/live/komn.ist/privkey.pem
chain = /etc/letsencrypt/live/komn.ist/chain.pem
fullchain = /etc/letsencrypt/live/komn.ist/fullchain.pem

# Options used in the renewal process
[renewalparams]
server = https://acme-v02.api.letsencrypt.org/directory
account = 03b524828ab95ab42abe882730d2cec0
authenticator = apache
installer = apache

while that of media.komn.ist is

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/media.komn.ist
cert = /etc/letsencrypt/live/media.komn.ist/cert.pem
privkey = /etc/letsencrypt/live/media.komn.ist/privkey.pem
chain = /etc/letsencrypt/live/media.komn.ist/chain.pem
fullchain = /etc/letsencrypt/live/media.komn.ist/fullchain.pem

# Options used in the renewal process
[renewalparams]
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = apache
account = 03b524828ab95ab42abe882730d2cec0
installer = apache

There are no other subdomains.

1 Like

There's no komn.ist folder in /live/, there's komn.ist-0001. I think that might be the problem.

The contents are

lrwxrwxrwx 1 root root 37 Nov 20 02:42 cert.pem -> ../../archive/komn.ist-0001/cert1.pem
lrwxrwxrwx 1 root root 38 Nov 20 02:42 chain.pem -> ../../archive/komn.ist-0001/chain1.pem
lrwxrwxrwx 1 root root 42 Nov 20 02:42 fullchain.pem -> ../../archive/komn.ist-0001/fullchain1.pem
lrwxrwxrwx 1 root root 40 Nov 20 02:42 privkey.pem -> ../../archive/komn.ist-0001/privkey1.pem
-rw-r--r-- 1 root root 692 Oct 14 00:18 README

1 Like

Try modifying that to match the "-0001" location.
If that fails you may need to delete that cert and start it over.

3 Likes

I did it and it worked. Thank you very much. I think the problem was due to a "backup" I attempted to do while moving the certs from one raspberry to the present one. Now everything seems to work.

2 Likes
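What the check in the traceback comes down to, as an added example that is not part of the thread or of Certbot's own code: for each renewal configuration, the four paths it names must be symlinks that resolve into its archive_dir. The sample tree (example.test) is constructed, and the `dereferenced` flag assumes a copy that follows symlinks, which is one way a restore can leave regular files behind; the audit also tells a copied file apart from a missing one, which the error message in this thread does not.

```python
import shutil
import tempfile
from pathlib import Path

LINKS = ("cert", "privkey", "chain", "fullchain")

def parse_renewal_conf(path):
    """Top-level key = value lines that precede the first [section]."""
    head = Path(path).read_text().split("\n[", 1)[0]
    rows = [ln for ln in head.splitlines() if "=" in ln and not ln.lstrip().startswith("#")]
    return {k.strip(): v.strip() for k, v in (r.split("=", 1) for r in rows)}

def audit_lineage(conf_path):
    """Return a list of problems; an empty list means all four links are sane."""
    conf = parse_renewal_conf(conf_path)
    archive = Path(conf.get("archive_dir", "")).resolve()
    problems = []
    for kind in LINKS:
        link = Path(conf[kind]) if kind in conf else None
        if link is None:
            problems.append(f"{kind}: not set in {conf_path}")
        elif not link.is_symlink():
            state = "regular file" if link.exists() else "absent"
            problems.append(f"{kind}: expected {link} to be a symlink ({state})")
        elif link.resolve().parent != archive:
            problems.append(f"{kind}: {link} resolves outside {archive}")
    return problems

def build_demo(root, name="example.test", dereferenced=False):
    """Constructed sample tree (hypothetical name): archive/, live/ links, conf."""
    arch, live = (Path(root, d, name) for d in ("archive", "live"))
    lines = [f"archive_dir = {arch}"]
    for d in (arch, live):
        d.mkdir(parents=True)
    for kind in LINKS:
        (arch / f"{kind}1.pem").touch()
        (live / f"{kind}.pem").symlink_to(f"../../archive/{name}/{kind}1.pem")
        lines.append(f"{kind} = {live}/{kind}.pem")
    if dereferenced:  # simulate restoring live/ from a copy that followed the links
        shutil.copytree(live, f"{live}.bak")
        shutil.rmtree(live)
        Path(f"{live}.bak").rename(live)
    conf = Path(root, f"{name}.conf")
    conf.write_text("\n".join(lines) + "\n[renewalparams]\nauthenticator = apache\n")
    return conf

if __name__ == "__main__":
    for flag in (False, True):
        print(audit_lineage(build_demo(tempfile.mkdtemp(), dereferenced=flag)) or "ok")
```

On a real host, `audit_lineage` can be pointed at each file under /etc/letsencrypt/renewal/ before and after moving certificates between machines.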

Try:
certbot certificates
[to be (almost) sure]

Not hanging up until it is 100% done!

1 Like

You are right ahah. Here's the output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: komn.ist-0001
Domains: komn.ist media.komn.ist
Expiry Date: 2021-01-11 22:18:40+00:00 (VALID: 52 days)
Certificate Path: /etc/letsencrypt/live/komn.ist-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/komn.ist-0001/privkey.pem
Certificate Name: komn.ist
Domains: komn.ist media.komn.ist
Expiry Date: 2021-01-11 22:18:40+00:00 (VALID: 52 days)
Certificate Path: /etc/letsencrypt/live/komn.ist-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/komn.ist-0001/privkey.pem
Certificate Name: media.komn.ist
Domains: komn.ist media.komn.ist
Expiry Date: 2021-01-11 22:18:40+00:00 (VALID: 52 days)
Certificate Path: /etc/letsencrypt/live/komn.ist-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/komn.ist-0001/privkey.pem


1 Like

OK
Try deleting the unused one - but which one is that?

Certificate Name: komn.ist-0001
Domains: komn.ist media.komn.ist

Certificate Name: komn.ist
Domains: komn.ist media.komn.ist

Certificate Name: media.komn.ist
Domains: komn.ist media.komn.ist

Since they all cover the same names...
I say delete the last two. [but you can delete any two of them]
So at least the certname left will match the path in use.

sudo certbot delete --cert-name komn.ist
sudo certbot delete --cert-name media.komn.ist

Then:
[again]

certbot certificates

[lesson learned: backups are good - restores are imperfect]

1 Like

Ok I got this output

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/komn.ist-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/komn.ist-0001/cert.pem to be a symlink. Skipping.


The following renewal configurations were invalid:
/etc/letsencrypt/renewal/komn.ist-0001.conf


1 Like

To which command?

1 Like

certbot certificates

The folder /etc/letsencrypt/live now contains only a README file, I think I have to reissue the certificates now, right? Or maybe not, I can still reach my server through HTTPS on Apache

1 Like

OK
That's a start [no errors - lol].
Make sure you put all the names you need on it.

Don't stop your web server - it is still using the cert it has in memory.

1 Like

Ok I think everything's fine now, the command certbot certificates replied

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: komn.ist
Domains: komn.ist media.komn.ist
Expiry Date: 2021-02-18 14:13:49+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/komn.ist/fullchain.pem
Private Key Path: /etc/letsencrypt/live/komn.ist/privkey.pem


I just had to change the apache site config to point to komn.ist instead of komn.ist-0001 and restart it

2 Likes

Perfect!

Cheers from Miami :beers:

1 Like

Thanks again!
Cheers from Italy

2 Likes

Looks like you guys accomplished my next step while I was asleep.

Excellent!

:partying_face:

If you're not going to have a certificate covering the www subdomain, you need to remove it from your configuration. You can start by removing the A record for www.komn.ist from your DNS, which will make www.komn.ist unreachable.

Right now...

http://www.komn.ist returns 200 OK, which is not good because that means it's accessible. I'm even seeing an index list of content, which I don't think you want to be showing.

https://www.komn.ist returns 401 Unauthorized, which is better, but still not good. Something in the application seems to be redirecting to https://komn.ist, but it's too late by then for the certificate.

Is your content supposed to be the Debian default page for https://komn.ist?

2 Likes