Certbot renew with/without --dry-run; works but I get "certbot.errors.CertStorageError: renewal config file {} is missing a required file reference"

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: notthere.ddns.net and 5 others (see below).

I ran this command: certbot renew --dry-run and certbot renew

It (they both) produced this output (the same error messages):

/Users/mcook/My_Downloads_ECHO/SSL-install-OLD $ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/notthere.ddns.net-0001.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for notthere.ddns.net
http-01 challenge for skyprod.net
http-01 challenge for skyprod1.ddns.net
http-01 challenge for skyprod5.ddns.net
http-01 challenge for www.skyprod.net
Waiting for verification...
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/notthere.ddns.net-0001/fullchain.pem



Processing /etc/letsencrypt/renewal/notthere.ddns.net.conf


Traceback (most recent call last):
  File "/usr/local/Cellar/certbot/1.0.0/libexec/lib/python3.7/site-packages/certbot-1.0.0-py3.7.egg/certbot/_internal/renewal.py", line 64, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/local/Cellar/certbot/1.0.0/libexec/lib/python3.7/site-packages/certbot-1.0.0-py3.7.egg/certbot/_internal/storage.py", line 446, in __init__
    "file reference".format(self.configfile))
certbot.errors.CertStorageError: renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/notthere.ddns.net.conf is broken. Skipping.



My web server is (include version): Apache 2213 (it’s old but it works and I am not planning to upgrade it.)

The operating system my web server runs on is (include version): MacOS 10.13.6 (latest for Mac Mini mid-2011)

My hosting provider, if applicable, is: Bell MTS (Manitoba, Canada) is my ISP, but Apache and certbot are run at home.

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.0.0 (installed using Homebrew)

I tested the certificate and it was renewed successfully but I want to get rid of the error messages. How can I go about this? For example: do I need to upgrade Homebrew to get to a certbot version higher than 1.0.0? Or do I need to upgrade or fix my Python, and - if so - how should I do this?

To me, the error suggests that some of the symlinks in your /etc/letsencrypt/live/notthere.ddns.net/ directory are missing or have otherwise been tampered with, or the renewal configuration file itself has been truncated.

What is the output of:

ls -la /etc/letsencrypt/renewal/notthere.ddns.net.conf
sudo ls -la /etc/letsencrypt/live/notthere.ddns.net/

22:57 mcook@echo /Users/mcook
% sudo ls -lah /etc/letsencrypt/live/notthere.ddns.net/
Password:
total 40
drwxr-xr-x 7 root wheel 224B 13 Sep 2019 .
drwxr-xr-x 5 root wheel 160B 13 Sep 2019 ..
-rw-r--r-- 1 root wheel 692B 10 Apr 2019 README
-rw-r--r-- 1 root wheel 1.9K 24 Jun 2019 cert.pem
-rw-r--r-- 1 root wheel 1.6K 24 Jun 2019 chain.pem
-rw-r--r-- 1 root wheel 3.5K 24 Jun 2019 fullchain.pem
-rw------- 1 root wheel 1.7K 24 Jun 2019 privkey.pem
22:58 mcook@echo /Users/mcook
%

Thanks. Could you do the first command as well?

Sorry - I was going too fast - here’s the output for both commands:

22:58 mcook@echo /Users/mcook
% ls -la /etc/letsencrypt/renewal/notthere.ddns.net.conf;sudo ls -lah /etc/letsencrypt/live/notthere.ddns.net/
-rw-r--r-- 1 root wheel 0 13 Sep 2019 /etc/letsencrypt/renewal/notthere.ddns.net.conf
Password:
Sorry, try again.
Password:
total 40
drwxr-xr-x 7 root wheel 224B 13 Sep 2019 .
drwxr-xr-x 5 root wheel 160B 13 Sep 2019 ..
-rw-r--r-- 1 root wheel 692B 10 Apr 2019 README
-rw-r--r-- 1 root wheel 1.9K 24 Jun 2019 cert.pem
-rw-r--r-- 1 root wheel 1.6K 24 Jun 2019 chain.pem
-rw-r--r-- 1 root wheel 3.5K 24 Jun 2019 fullchain.pem
-rw------- 1 root wheel 1.7K 24 Jun 2019 privkey.pem
23:05 mcook@echo /Users/mcook

There’s the problem - the file is empty for some reason.

I think all you can realistically do is delete that file and forget about it. Once the file is gone, Certbot won’t complain about it, but it also won’t renew it.

From your original post, it looks like you have a second certificate for that domain anyway:

So I guess just make sure that your webserver is using that one, and not the notthere.ddns.net one.

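The check that raises the CertStorageError in the traceback above, reimplemented as an added example (this is not Certbot's own code): it reads the top-level file references of a renewal conf the way Certbot does and reports a zero-byte conf, or a live/ symlink that no longer resolves into archive/, before `certbot renew` trips over it. It works on a constructed temporary layout instead of the real /etc/letsencrypt.

```python
import os
import tempfile

REQUIRED = ("cert", "privkey", "chain", "fullchain")  # Certbot's four file references

def parse_top_level(text):
    """Key = value pairs before the first [section]; options live under [renewalparams]."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            break
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values

def check_renewal_conf(path):
    """Problems that make Certbot log '... is broken. Skipping.' for this conf."""
    with open(path) as fh:
        values = parse_top_level(fh.read())
    problems = []
    for kind in REQUIRED:
        target = values.get(kind)
        if target is None:  # the CertStorageError case from the traceback (empty conf)
            problems.append(f"missing required file reference: {kind}")
        elif not (os.path.islink(target) and os.path.exists(target)):
            problems.append(f"{kind}: {target} is not a symlink that resolves into archive/")
    return problems

def build_demo():
    """Constructed stand-in for /etc/letsencrypt: a healthy lineage plus a zero-byte conf."""
    root = tempfile.mkdtemp()
    live, archive = os.path.join(root, "live", "good"), os.path.join(root, "archive", "good")
    for d in (live, archive, os.path.join(root, "renewal")):
        os.makedirs(d)
    lines = []
    for kind in REQUIRED:
        with open(os.path.join(archive, f"{kind}1.pem"), "w") as fh:
            fh.write("PEM PLACEHOLDER\n")  # constructed content, not a real key
        link = os.path.join(live, f"{kind}.pem")
        os.symlink(os.path.join("..", "..", "archive", "good", f"{kind}1.pem"), link)
        lines.append(f"{kind} = {link}")
    good = os.path.join(root, "renewal", "good.conf")
    with open(good, "w") as fh:
        fh.write("\n".join(lines + ["", "[renewalparams]", "authenticator = apache"]) + "\n")
    empty = os.path.join(root, "renewal", "empty.conf")
    open(empty, "w").close()  # the 0-byte notthere.ddns.net.conf from this thread
    return good, empty
```

Running check_renewal_conf over every file in /etc/letsencrypt/renewal/ (as root) lists the lineages Certbot will skip, so the broken conf can be removed or rebuilt before the next renewal run rather than discovered from the traceback.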

I checked the Apache config and it’s using:

153: SSLCertificateFile “/private/etc/letsencrypt/live/notthere.ddns.net-0001/fullchain.pem”
167: SSLCertificateKeyFile “/private/etc/letsencrypt/live/notthere.ddns.net-0001/privkey.pem”

I listed the folder and it contains:

23:40 mcook@echo /private/etc/letsencrypt/live/notthere.ddns.net-0001
% ls -la *
-rw-r--r-- 1 root wheel 692 13 Sep 2019 README
lrwxr-xr-x 1 root wheel 47 13 May 03:58 cert.pem -> ../../archive/notthere.ddns.net-0001/cert12.pem
lrwxr-xr-x 1 root wheel 48 13 May 03:58 chain.pem -> ../../archive/notthere.ddns.net-0001/chain12.pem
lrwxr-xr-x 1 root wheel 52 13 May 03:58 fullchain.pem -> ../../archive/notthere.ddns.net-0001/fullchain12.pem
lrwxr-xr-x 1 root wheel 50 13 May 03:58 privkey.pem -> ../../archive/notthere.ddns.net-0001/privkey12.pem
23:45 mcook@echo /private/etc/letsencrypt/live/notthere.ddns.net-0001

Also, what are the permissions supposed to be in this folder?

BTW, I am running:
Server Version: Apache/2.4.33 (Unix) PHP/7.1.33 LibreSSL/2.2.7 mod_perl/2.0.9 Perl/v5.18.2
Server Built: Jan 18 2020 09:52:26

That looks good.

The permissions look scary but they are OK. If you look at the permissions of the symlink targets (/etc/letsencrypt/archive), you will see that they are much more restrictive.

I’m not sure if namei exists on macOS, but it can be informative to show the permissions through each step:

namei -l /etc/letsencrypt/live/notthere.ddns.net-0001/privkey.pem

As it all seems to be working I don’t think I’ll plan to change anything.

You said:

"There's the problem - the file [/etc/letsencrypt/renewal/notthere.ddns.net.conf] is empty for some reason."

“I think all you can realistically do is delete that file and forget about it. Once the file is gone, Certbot won’t complain about it, but it also won’t renew it.”

I’ll need to think about that. This web server doesn’t do anything important, so if I’ll be able to renew next time without any problems I will likely just leave it be.
