Certbot folder has broken symlinks

Hi support.

I upgraded xampp to the latest version and had a struggle getting my web sites up and running.
I home host on Windows which I understand does not allow one to automatically put certificates into the web site. I.e. I link to updated certificates in Certbot/live/mywebs/certs folder from xampp/apache/conf/extra/httpd... vhosts.conf and httpd ssl.conf files.

Before I used to simply type in certbot renew and all would be good in the world.
Now I am getting a host of errors.
Initially the errors were:......................................................
C:\WINDOWS\system32>certbot certonly --standalone
Saving debug log to C:\Certbot\log\letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel):myweb
Requesting a certificate for myweb
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: mywebg
Type: connection
Detail: Fetching http://myweb/.well-known/acme-challenge/l9KvhMaVwBKCfcVBwk05AsC0gmbjaGMSVyknYeQkVr8: Error getting validation data
Hint: The Certificate Authority couldn't exterally verify that the standalone plugin completed the required http-01 challenges. Ensure the plugin is configured correctly and that the changes it makes are accessible from the internet.
.................................................................................................
AND ALSO Renewal configuration file C:\Certbot\renewal\myweb.conf is broken.
The error was: expected C:\Certbot\live\myweb\cert.pem to be a symlink
Skipping.
.........................................................................................................
I do not think (as Windows installation) that I ever used .well-known/acme-challenge folders???
How can I get a refresh of Certbot that will get me sorted again?
I.e. I am happy to start again from fresh.
BUT it seems that my original certificates cannot be removed and other horrors.
I have used all the --help features including one I found that looks at fixing symlinks.
I do not seem to be able to reset the above.

Please can you assist.

1 Like

Did you really type "myweb"?
If so, then you need to use an FQDN that can be resolved via global DNS.
OR are you just trying to hide the real domain name?
If so, why?
[all certificate registrations contain the domain name(s) and are public information]

As for the missing expected symlink, try executing the command again from an elevated command prompt.

1 Like
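A read-only way to see which entry trips "expected ... to be a symlink", added here as an example and not taken from the thread or from Certbot's own code. It assumes Certbot's default layout, where `live/<cert-name>/` holds four symlinks into `archive/<cert-name>/` and each certificate has a `renewal/<cert-name>.conf`; the function names `audit_lineage` and `audit_all` are hypothetical.

```python
import os
import sys
from pathlib import Path

# Files Certbot keeps in live/<cert-name>/ as symlinks into archive/<cert-name>/.
LINEAGE_FILES = ("cert.pem", "privkey.pem", "chain.pem", "fullchain.pem")


def audit_lineage(config_dir, cert_name):
    """Return a list of problems in live/<cert_name>; an empty list means consistent."""
    live = Path(config_dir) / "live" / cert_name
    if not live.is_dir():
        return [f"live directory missing: {live}"]
    problems = []
    for name in LINEAGE_FILES:
        link = live / name
        if not os.path.lexists(link):
            problems.append(f"{name}: missing")
        elif not link.is_symlink():
            # A copied or hand-edited file triggers "expected ... to be a symlink".
            problems.append(f"{name}: regular file, expected a symlink")
        elif not link.exists():
            # The link is present but its archive target was moved or deleted.
            problems.append(f"{name}: dangling symlink -> {os.readlink(link)}")
    return problems


def audit_all(config_dir):
    """Audit every lineage that has a renewal/<cert-name>.conf file."""
    renewal = Path(config_dir) / "renewal"
    return {conf.stem: audit_lineage(config_dir, conf.stem)
            for conf in sorted(renewal.glob("*.conf"))}


if __name__ == "__main__":
    # C:\Certbot is the configuration directory shown in the thread's output.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Certbot"
    for cert_name, problems in audit_all(root).items():
        print(cert_name, "OK" if not problems else problems)
```

The script only reads the directory tree, so it can be run before deciding whether `certbot delete` is needed.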

Welcome to the Let's Encrypt Community, Mark :slightly_smiling_face:

Only if @rg305's suggestion doesn't work, then proceed here:

What are the outputs of these commands?

certbot delete --cert-name myweb
certbot certificates

If you're using IIS as your webserver, you might need a special file to serve the challenge files out of \.well-known\acme-challenge.

1 Like

Why delete the cert now?

1 Like

To clear the broken configuration and symlink simultaneously? :man_shrugging:

Not like a cert was successfully issued, so no loss really.

:bomb:

1 Like

But the reason for the "broken" is unclear and might just be that they are only visible within an elevated command prompt.

2 Likes

That's true. I'll update to reflect.

2 Likes

Maybe not today, but there should be a valid and active cert in the system.

1 Like

That's also true. :thinking:

I'm thinking some manual changes might have happened here.

1 Like

I'm not sure what to make of this certs folder...

Read that as:
I link to updated certificates in (Certbot/live/mywebs/certs) folder from xampp...

1 Like

Hi all. Apologies. I was sleeping. I added mywebs to the cert path simply because I have multiple certificates. I agree that it ends in a cert and not folder.
When I try certbot certificates command I used to get 4 certificates returned but it now says the links are broken. MAY I ask. How do I reset everything. I think I need to start afresh. Must I delete the certificates, Uninstall certbot software. Delete Certbot folder and then ask for fresh certificates. That is my plan anyway for today. I just hope that same problems do not re-occur?

1 Like

Just using the certbot command I gave you to delete the certificates should suffice. Please do not try to manually delete things because that's what caused the issues here in the first place.

1 Like

The fault seems to be failure to use the standalone mode, which will be a temporary webserver that tries to run on port 80 just to answer http challenges. Your Apache will already be using that port. Does certbot normally stop and start Apache for you during validation so that standalone can work? If not, an alternative would be to stop apache first, run your renewal, then start apache again.

I'm not a certbot guru, so I'm just guessing from the error.

I'm assuming myweb is a redacted domain name, because you can't use Let's Encrypt to get certs for local host names.

1 Like

I will definitely use the delete command you gave me. Thank you. I do stop xampp. I had issues before and realized it was hogging port 80. What I don't understand is why Certbot suddenly started needing to check .well-known/acme-challenge/. It never needed this before. Thanks all.

1 Like

Hi all. OK. I HAVE DELETED CERTBOT CERTS but have the same issue.
PLEASE CAN SOMEONE HELP.
I have put down exactly what the error is below. I.e. I deleted all my certbot certs using certbot delete. I also deleted the c:\Certbot folder. Remember I have a xampp and Windows 10 installation. I.e. I do not believe I need / did not need this in the past... .well-known/acme-challenge/
I used certbot certonly --standalone in my attempt to get a new cert for pmway.hopto.org
ERROR MESSAGE IS INSERTED BELOW:
(Y)es/(N)o: Y
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): pmway.hopto.org
Requesting a certificate for pmway.hopto.org

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: pmway.hopto.org
Type: connection
Detail: Fetching http://pmway.hopto.org/.well-known/acme-challenge/f3eSJbTfmko85riQ47S7CsjeuqChlTOy-4-v4o9rEpU: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority couldn't exterally verify that the standalone plugin completed the required http-01 challenges. Ensure the plugin is configured correctly and that the changes it makes are accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.
PLEASE CAN SOMEONE GIVE ME A SOLUTION IF POSSIBLE.
I would love to solve this weird problem.
I have also made no changes to my firewall at all.
What is interesting is that I also do not have a "live" folder in the c:\Certbot folder.
I.e. from Xampp this would have been a reference to the certificate from httpd-ssl.conf: SSLCertificateFile "C:\Certbot\live\pmway.hopto.org\cert.pem"

1 Like

Can you confirm that your firewall is open for tcp port 80 and if applicable these requests are forwarded to your server? Is this a home machine behind a router? The machine needs to respond to http requests made by Let's Encrypt to validate your domain.

Alternatively you could look at DNS validation if http validation is difficult.

2 Likes

Hi yes I home host.
I can confirm. I have stopped xampp which uses port 80. I know when I start xampp it uses port 80 so this is available. I also run netstat -ano command from elevated cmd and see no port 80 listed as being used.
I tried to renew to get a list of certificates (after applying for them afresh per above) and the following was the response.
C:\WINDOWS\system32>certbot renew
Saving debug log to C:\Certbot\log\letsencrypt.log


No renewals were attempted.


C:\WINDOWS\system32>certbot certificates
Saving debug log to C:\Certbot\log\letsencrypt.log


No certificates found.


C:\WINDOWS\system32>
However at the moment, without certificates (deleted) xampp apache cannot load due to it not finding the certificate (deleted). Per below there is no "live folder"
[Image: Capture]

As I understand, using Windows 10, no plugins are available. I.e. Per the certbot documentation for Windows servers.

1 Like

You can check pmway.hopto.org with Open Port Check Tool - Test Port Forwarding on Your Router to determine if port 80 is open at any time.

Please run the following certbot command (with xampp and apache actually running), which will pause certbot after creating the challenge files, but before Let's Encrypt tries to verify the challenge files. Please fill in the correct path for the webroot folder (-w parameter) where the files served for pmway.hopto.org are located.

certbot certonly --webroot -w C:\path\to\webroot\folder -d "pmway.hopto.org" --dry-run --debug-challenges

It should create the \.well-known\acme-challenge folder structure and populate it with the challenge files.

1 Like
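A self-test of the same fetch the CA performs for http-01, added here as an example and not part of the original thread or of Certbot. `probe_webroot` and its parameters are hypothetical names; it writes a throwaway token under the webroot, requests it over plain HTTP, and removes it again. Run from inside the LAN it only checks the webserver and webroot path; to exercise the router's port 80 forwarding it has to be run against the public name from a host outside the network.

```python
import http.client
import secrets
import urllib.request
from pathlib import Path


def probe_webroot(webroot, base_url, timeout=10):
    """Write a token under <webroot>/.well-known/acme-challenge/ and fetch it.

    Returns (ok, detail). base_url is e.g. "http://pmway.hopto.org".
    """
    if not base_url.startswith("http://"):
        raise ValueError("http-01 validation starts on plain HTTP (port 80)")
    token = secrets.token_urlsafe(32)   # constructed file name, not a real ACME token
    body = secrets.token_urlsafe(32)    # constructed file content
    challenge_dir = Path(webroot) / ".well-known" / "acme-challenge"
    challenge_dir.mkdir(parents=True, exist_ok=True)
    token_file = challenge_dir / token
    token_file.write_text(body)
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    # Ignore any configured proxy: the CA connects to the server directly.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            served = resp.read(256).decode("ascii", "replace").strip()
    except (OSError, http.client.HTTPException) as exc:
        # Covers refused connections, timeouts, DNS failures and HTTP 4xx/5xx.
        return False, f"{url}: {exc}"
    finally:
        token_file.unlink()
    if served != body:
        return False, f"{url}: reachable, but a different file was served"
    return True, f"{url}: token served correctly"


if __name__ == "__main__":
    import sys
    # Usage: probe.py <webroot folder> <http://your.domain>
    print(probe_webroot(sys.argv[1], sys.argv[2]))
```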

HI ALL: SOLVED!!!
Praise the Lord!

OK what I did. I went into my router and in ADVANCED -> VIRTUAL SERVER I added port 80 and port 443 to 192.168.10.111
I found this advice from someone on the internet.
I switched XAMPP off totally and checked port 80 was not being used by anything using netstat -ano
I also clicked IPV6 to on. For some reason my Ethernet IPV6 was off. Not sure if this also contributed.
I am just thrilled I could create LIVE folder and also to renew without any bugs or challenges.
Thanks for listening.
Hopefully someone can use what I have done to help them.

2 Likes