Certbot renew - symlink fail error

@Osiris
Start over, you mean try to generate a new cert?
Unfortunately my colleague who has access to the domain is out of office, hence I can't re-generate using the DNS challenge. Any other renewal ideas are much welcome.


Renewal is just a different name for getting a new certificate, but with the same hostnames as a previously issued certificate. So if you don't have a way to validate the challenge, your current symlink issue is the least of your problems.

That said: do you actually require the wildcard hostname, which forces you to use the DNS challenge?

It seems a few months back someone issued a cert without the wildcard: https://crt.sh/?q=sprigsys.com&deduplicate=y


The cert ID which my system is referring to is [3854294794]
Yes, need the wildcard ones.
OMG! I am in great trouble...
Is there any way you can help me authenticate through domain email or anything as such???
PLEASE PLEASE help....


Could you perhaps tell us why, so we can understand better?

So you don't have access to your DNS zone settings whatsoever? In that case, a wildcard cert from Let's Encrypt is out of the question. I'm not sure if this is also the case for the other ACME-enabled CAs such as BuyPass or ZeroSSL though.


Need a wildcard since we have a production instance running.
1. Here is the link: https://abc.sprigsys.com
2. Please don't consider me a fake guy trying to access.....
3. I am working late at night to get this fixed (based out of India).
Hope this clarifies your doubt.


And it's not possible to get a certificate for sprigsys.com, slmg.sprigsys.com and perhaps (if required) www.sprigsys.com? I don't understand why that "production instance" with, as far as you've told me, a single subdomain, requires a wildcard certificate?

There's no doubt here. There are just some technical constraints here. Let's Encrypt can't/won't issue a wildcard certificate without using the dns-01 challenge and that's not something we on this Community can change. And it probably will never change.


@Amit

Thank you for trying. I suggested this because your original post did not indicate the usage of sudo, which I believe to be necessary here.


@Osiris

It looks like @Amit already had this fixed by this point (since the certbot renew execution right above your post did not indicate the symlink error was still present). Verification can't hurt though. I'm still unsure why the command I gave him (with sudo) did not fix the issue immediately. It has fixed similar issues many times in the past.


@Amit, @Osiris

I'm not sure what was happening after this point as the only issue I can see is attempted usage of the manual authenticator with renew, which won't work (without manual-auth-hook and manual-cleanup-hook scripts) because renew is "non-interactive" (doesn't pause to allow manual intervention to create files or TXT records while executing).

https://certbot.eff.org/docs/using.html#manual

Just ran it on a test cert on my system: update_symlinks doesn't work when there is a file called cert.pem (or any other of the 4 files) and it isn't a symlink. update_symlinks is NOT a generic "Fix my busted symlinks for me": if the files in /live/ aren't symlinks, certbot errors out with the same "File isn't a symbolic link" error.

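Since `certbot update_symlinks` only refreshes links that already exist, the check and repair the post above describes have to be done by hand when plain files have ended up in `live/`. The script below is an added example (not code from the thread or from certbot) that diagnoses exactly the condition behind "File isn't a symbolic link" and relinks one lineage to the newest files in `archive/`, moving any plain files aside instead of deleting them. It assumes certbot's standard layout under a root you pass in (normally `/etc/letsencrypt`): `archive/<name>/{cert,chain,fullchain,privkey}N.pem` and relative symlinks `live/<name>/<file>.pem -> ../../archive/<name>/<file>N.pem`, which is how certbot itself creates them.

```shell
#!/bin/sh
# Added example, not part of the original thread or of certbot.
# Usage: check_live_links /etc/letsencrypt example.com
#        relink_live      /etc/letsencrypt example.com   (run as root)
# Assumes certbot's layout: archive/<name>/<file>N.pem and relative
# symlinks in live/<name>/ pointing at ../../archive/<name>/...
set -u

LE_FILES="cert chain fullchain privkey"

# Report every live/<name>/<file>.pem that is not a symlink (the condition
# behind certbot's "File isn't a symbolic link") or that dangles. Returns 1
# if anything is wrong, 0 if all four links are healthy.
check_live_links() {
    root=$1; name=$2; bad=0
    for f in $LE_FILES; do
        p="$root/live/$name/$f.pem"
        if [ ! -L "$p" ]; then
            echo "not a symlink: $p"; bad=1
        elif [ ! -e "$p" ]; then
            echo "dangling symlink: $p"; bad=1
        fi
    done
    return $bad
}

# Print the highest N for which archive/<name>/<file>N.pem exists.
latest_archive_version() {
    root=$1; name=$2; f=$3; best=
    for p in "$root/archive/$name/$f"[0-9]*.pem; do
        [ -e "$p" ] || continue
        n=${p##*/}; n=${n#"$f"}; n=${n%.pem}
        if [ -z "$best" ] || [ "$n" -gt "$best" ]; then best=$n; fi
    done
    [ -n "$best" ] && echo "$best"
}

# Move any plain (non-symlink) file in live/<name>/ to a timestamped backup
# directory, then point each of the four names at the newest archive file.
# Nothing is deleted; the backup keeps whatever was there before.
relink_live() {
    root=$1; name=$2
    backup="$root/live/$name.broken.$(date +%Y%m%d%H%M%S)"
    for f in $LE_FILES; do
        v=$(latest_archive_version "$root" "$name" "$f") \
            || { echo "no $f*.pem in archive/$name, refusing to relink"; return 1; }
        p="$root/live/$name/$f.pem"
        if [ -e "$p" ] && [ ! -L "$p" ]; then
            mkdir -p "$backup"
            mv "$p" "$backup/"
        fi
        ln -sfn "../../archive/$name/$f$v.pem" "$p"
    done
    check_live_links "$root" "$name"
}
```

Run `check_live_links` first; it tells you whether the problem really is the symlinks or whether (as later in this thread) the error comes from somewhere else. Only if it reports plain files should `relink_live` be run, and the `*.broken.*` backup directory can be removed once `certbot certificates` is happy again.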

Interesting... :thinking:

Thanks so much for testing that.

I'm thinking this might be a case of previous help-seekers (secretly) performing "extra steps" (without telling me), such as deleting the 4 files outright before running update_symlinks, perhaps? Worth testing that too.

No, the code really expects there to be symlinks pointing to the live directory. I think it's meant to be used to point to the most recent files in /archive/ if for some reason the symlinks point to the incorrect ones.

@Amit You've marked my post as Solution: did you find a way to get your certificate without DNS?


@Osiris
I just got the domain access so that I can go through dns-01 and do the needful.


That's great!

Still though, if a wildcard certificate isn't necessary, the http-01 challenge can be easily automated, which is way better than renewing manually every 60 days like you're probably doing now.


I concur with @Osiris.

If you must use dns-01, you might look into using acme-dns to automate your renewals.

@Osiris
Before I start, I would like to ask your suggestion, since the setup has been a bit messed up.
I am planning to generate a new cert by deleting the /live, /renewal, /archive directories.
Let me know if this is the right approach?


As a very last resort! And back them up please! Also note that without the files in /live/, any reference to those files in a webserver configuration can't be found, so a webserver reload or restart won't work until the files are back again, either by successful certificate issuance, or restore of the backup.

Also note that the output of your tree command earlier only showed one directory in /live/ and /archive/. If you happen to have multiple directories (i.e., certificates), you'd want to only remove the offending certificate, not everything! The same goes for the *.conf files in /renewal/.

And don't remove the entire /live/, /archive/ and /renewal/ directories, I'm not sure if certbot expects them to exist. If you want a clean slate, remove the contents of the directories. (With the note above of course..)

Still, I find it odd that your certbot isn't working. Still an error when you run certbot certificates?

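The three cautions in the post above (back up first, remove only the one lineage, keep the top-level directories) fit in a short script. This is an added example, not code from the thread or from certbot, and it assumes certbot's standard layout under a root you pass in (normally `/etc/letsencrypt`): `live/<name>/`, `archive/<name>/` and `renewal/<name>.conf`. The backup is a tar that keeps the `live/` symlinks as symlinks, removal refuses to run unless that backup exists and contains the lineage, and the last function greps your web-server configuration for paths that will break while the files are gone.

```shell
#!/bin/sh
# Added example, not part of the original thread or of certbot.
# Usage (as root):
#   B=$(backup_lineage /etc/letsencrypt example.com /root/le-backup)
#   config_refs example.com /etc/nginx /etc/apache2   # what will break meanwhile
#   remove_lineage /etc/letsencrypt example.com "$B"
# Assumes certbot's layout: live/<name>/, archive/<name>/, renewal/<name>.conf.
set -u

# Tar up the lineage's three locations into <dest>/<name>-<timestamp>.tar and
# print the archive path. Symlinks in live/ are stored as links, not followed.
backup_lineage() {
    root=$1; name=$2; dest=$3
    mkdir -p "$dest" || return 1
    dest=$(cd "$dest" && pwd)          # absolute, since we cd into $root below
    out="$dest/$name-$(date +%Y%m%d%H%M%S).tar"
    ( cd "$root" && tar -cf "$out" "live/$name" "archive/$name" "renewal/$name.conf" ) \
        || return 1
    echo "$out"
}

# Remove only this lineage's files; the live/, archive/ and renewal/
# directories themselves and every other lineage stay untouched.
# Refuses to do anything unless a backup tar containing the lineage exists.
remove_lineage() {
    root=$1; name=$2; backup=$3
    [ -f "$backup" ] || { echo "refusing: no backup at $backup"; return 1; }
    tar -tf "$backup" | grep -q "^archive/$name/" \
        || { echo "refusing: backup does not contain archive/$name"; return 1; }
    rm -rf "$root/live/$name" "$root/archive/$name"
    rm -f "$root/renewal/$name.conf"
}

# Print the lineages still present under live/ (one directory each).
list_lineages() {
    root=$1
    for d in "$root"/live/*/; do
        [ -d "$d" ] || continue
        d=${d%/}; echo "${d##*/}"
    done
}

# Print web-server config files that reference this lineage's live/ paths;
# a reload or restart will fail while those files are missing.
config_refs() {
    name=$1; shift
    grep -rl "live/$name/" "$@" 2>/dev/null
}
```

When `certbot certificates` still works for the lineage, `certbot delete --cert-name <name>` does the same removal in a supported way; the script is for the case in this thread, where certbot itself is erroring and you want a backup you control before touching anything.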

Yes, tried; still the same.


You don't need to delete the folders. You already fixed the symlink problem.

@Osiris

We need to be cautious of this:

Hm, didn't see that.. :thinking: Good catch!

He did? He just said he still got the error?


I think he's getting the manual error with using renew.