Certbot renew returns "cert is required but missing for this certificate"

When certbot failed to renew the cert on my old Debian server, I created a new CentOS8 and tried to move my certs over.

I use DDNS to keep my IP updated on the Internet. I run my own BIND server inside with zone files for marsstuff.com. I can now access my web site at https://www.marsstuff.com, and I copied files around until I see that the cert is no longer expiring tomorrow. I noticed that certbot added a new folder in /etc/letsencrypt/live named "www.marsstuff.com-0001" (in addition to marsstuff.com and www.marsstuff.com).

My domain is: www.marsstuff.com

I ran this command: sudo certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/marsstuff.com.conf


Failed to renew certificate marsstuff.com with error: cert is required but missing for this certificate.


Processing /etc/letsencrypt/renewal/www.marsstuff.com-0001.conf


Certificate not yet due for renewal


Processing /etc/letsencrypt/renewal/www.marsstuff.com.conf


Failed to renew certificate www.marsstuff.com with error: cert is required but missing for this certificate.


The following certificates are not due for renewal yet:
/etc/letsencrypt/live/www.marsstuff.com-0001/fullchain.pem expires on 2022-07-15 (skipped)
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/marsstuff.com/fullchain.pem (failure)
/etc/letsencrypt/live/www.marsstuff.com/fullchain.pem (failure)


2 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.37 (centos)

The operating system my web server runs on is (include version): CentOS Stream release 8

My hosting provider, if applicable, is: N/A local VM

I can login to a root shell on my machine YES
I'm using a control panel to manage my site NO

The version of my client is certbot 1.26.0

This can happen if you move or delete files within /etc/letsencrypt/live/ or /etc/letsencrypt/archive/. It is best to avoid directly making modifications within these directories.

Moving these files between servers is safe, as long as you tar up the entire /etc/letsencrypt directory, and extract it on the other side, preserving symlinks.

It can be tricky to recover from this situation, as it is likely that there are some missing files or broken symlinks. Starting over is probably easier in this case.


Can you point me to a procedure to wipe and re-do?

Thanks

You could move /etc/letsencrypt to /etc/letsencrypt.old and allow Certbot to recreate the directory from scratch.

If you do this, you will first need to make sure that Apache is not relying on certificates from that directory, as it will cause your Apache configuration to become invalid. One method to do this is documented here.

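An added example, not part of the thread and not Certbot's own code: a shell check for the damage described in the replies above, where files under live/ or archive/ were moved or copied and the symlinks were lost. It assumes the usual layout (renewal/NAME.conf, with live/NAME/*.pem as symlinks into archive/NAME/); `check_lineages`, `demo_tree`, `good.example` and `bad.example` are names made up here.

```shell
#!/bin/sh
# Added example. Assumed layout: ROOT/renewal/NAME.conf, and ROOT/live/NAME/*.pem
# are symlinks to files under ROOT/archive/NAME/.

# check_lineages ROOT: print one line per problem; return 1 if any was found.
check_lineages() {
    root=${1:-/etc/letsencrypt}
    status=0
    for conf in "$root"/renewal/*.conf; do
        [ -e "$conf" ] || continue                 # no renewal configs present
        name=$(basename "$conf" .conf)
        for kind in cert privkey chain fullchain; do
            link="$root/live/$name/$kind.pem"
            if [ ! -L "$link" ] && [ -e "$link" ]; then
                echo "$name: $kind.pem is a regular file, not a symlink"
            elif [ ! -L "$link" ]; then
                echo "$name: $kind.pem is missing"
            elif [ ! -e "$link" ]; then            # -e follows the link
                echo "$name: $kind.pem is a dangling symlink"
            else
                case $(readlink "$link") in
                    */archive/"$name"/*) continue ;;   # intact
                    *) echo "$name: $kind.pem points outside archive/$name" ;;
                esac
            fi
            status=1
        done
    done
    return "$status"
}

# Constructed sample tree: one intact lineage, one damaged by copying files around.
demo_tree() {
    t=$(mktemp -d)
    for n in good.example bad.example; do
        mkdir -p "$t/renewal" "$t/live/$n" "$t/archive/$n"
        : > "$t/renewal/$n.conf"
    done
    for kind in cert privkey chain fullchain; do
        : > "$t/archive/good.example/${kind}1.pem"
        ln -s "../../archive/good.example/${kind}1.pem" "$t/live/good.example/$kind.pem"
    done
    : > "$t/live/bad.example/cert.pem"              # plain file, symlink lost
    ln -s ../../archive/bad.example/privkey1.pem "$t/live/bad.example/privkey.pem"
    echo "$t"
}

tree=$(demo_tree)
check_lineages "$tree" || echo "broken lineage(s) found under $tree"
```

On a real host, `check_lineages /etc/letsencrypt` run as root before and after a move shows whether the symlinks survived the transfer.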
