Certbot renewal archive privkey file error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: p.changeme.fr.eu.org

I ran this command: certbot -v certonly --preferred-challenges=dns -a manual -i nginx --manual-auth-hook /usr/local/bin/certbot-nsd-auth --manual-cleanup-hook /usr/local/bin/certbot-nsd-auth-clean -d p.changeme.fr.eu.org

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for p.changeme.fr.eu.org
Hook '--manual-auth-hook' for p.changeme.fr.eu.org ran with output:
 * Reloading config and zone files ... [ ok ]
Hook '--manual-cleanup-hook' for p.changeme.fr.eu.org ran with output:
 * Reloading config and zone files ... [ ok ]
An unexpected error occurred:
FileNotFoundError: [Errno 2] No such file or directory: '/etc/letsencrypt/archive/p.changeme.fr.eu.org/privkey2.pem'
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer nginx
Certificate is due for renewal, auto-renewing...
Renewing an existing certificate for p.changeme.fr.eu.org
An unexpected error occurred:
FileExistsError: [Errno 17] File exists: '/etc/letsencrypt/archive/p.changeme.fr.eu.org/privkey3.pem'
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx 1.26.2

The operating system my web server runs on is (include version): Gentoo Linux

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.11.0


Hi @BetaRays, and welcome to the LE community forum 🙂

Please show these:
ls -lt /etc/letsencrypt/archive/p.changeme.fr.eu.org/
ls -lt /etc/letsencrypt/archive/


Thanks for trying to help, here are the results

polaris ~ # ls -lt /etc/letsencrypt/archive/p.changeme.fr.eu.org
total 116
-rw------- 1 root root  241 Oct  8 10:13 privkey3.pem
-rw-r--r-- 1 root root 3363 Apr 15 14:08 fullchain9.pem
-rw-r--r-- 1 root root 1826 Apr 15 14:08 chain9.pem
-rw-r--r-- 1 root root 1537 Apr 15 14:08 cert9.pem
-rw------- 1 root root  241 Apr 15 14:08 privkey9.pem
-rw-r--r-- 1 root root 3331 Apr 11 13:55 fullchain8.pem
-rw-r--r-- 1 root root 1826 Apr 11 13:55 chain8.pem
-rw-r--r-- 1 root root 1505 Apr 11 13:55 cert8.pem
-rw------- 1 root root  241 Apr 11 13:55 privkey8.pem
-rw-r--r-- 1 root root 5254 Feb  1  2024 fullchain7.pem
-rw-r--r-- 1 root root 3749 Feb  1  2024 chain7.pem
-rw-r--r-- 1 root root 1505 Feb  1  2024 cert7.pem
-rw------- 1 root root  241 Feb  1  2024 privkey7.pem
-rw-r--r-- 1 root root 5254 Dec  1  2023 fullchain6.pem
-rw-r--r-- 1 root root 3749 Dec  1  2023 chain6.pem
-rw-r--r-- 1 root root 1505 Dec  1  2023 cert6.pem
-rw------- 1 root root  241 Dec  1  2023 privkey6.pem
-rw-r--r-- 1 root root 5254 Oct  1  2023 fullchain5.pem
-rw-r--r-- 1 root root 3749 Oct  1  2023 chain5.pem
-rw-r--r-- 1 root root 1505 Oct  1  2023 cert5.pem
-rw------- 1 root root  241 Oct  1  2023 privkey5.pem
-rw-r--r-- 1 root root 5254 Aug  1  2023 fullchain4.pem
-rw-r--r-- 1 root root 3749 Aug  1  2023 chain4.pem
-rw-r--r-- 1 root root 1505 Aug  1  2023 cert4.pem
-rw------- 1 root root  241 Aug  1  2023 privkey4.pem
polaris ~ # ls -lt /etc/letsencrypt/archive/
total 24
drwxr-xr-x 2 root root 4096 Oct  8 10:13 p.changeme.fr.eu.org
drwxr-xr-x 2 root root 4096 Sep  1 16:24 changeme.fr.eu.org
drwxr-xr-x 2 root root 4096 Jul  9 23:33 m.p.changeme.fr.eu.org
drwxr-xr-x 2 root root 4096 Jul  9 23:31 p.changeme.fr.eu.org-0001
drwxr-xr-x 2 root root 4096 Mar  2  2024 changeme.fr.eu.org-0001
drwxr-xr-x 2 root root 4096 May 31  2023 x.changeme.fr.eu.org

Well, it is true that there is a "privkey3.pem" already there:

It seems that certbot has lost track of the cert sequence.
It now thinks it is on two and needs to create three.
But, as we can see:

It has already used nine.

So...
We may need to purge that cert [and the archive directory] to reset the sequence.

What shows?:
certbot certificate


These seem problematic:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/p.changeme.fr.eu.org-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/p.changeme.fr.eu.org-0001/cert.pem to be a symlink. Skipping.
/usr/lib/python3.12/site-packages/certbot/ocsp.py:238: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
  if not response_ocsp.this_update:
/usr/lib/python3.12/site-packages/certbot/ocsp.py:240: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
  if response_ocsp.this_update > now + timedelta(minutes=5):
/usr/lib/python3.12/site-packages/certbot/ocsp.py:242: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc.
  if response_ocsp.next_update and response_ocsp.next_update < now - timedelta(minutes=5):

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: changeme.fr.eu.org-0001
    Serial Number: 3db522d03aca76dcbdd1d65412496b1236f
    Key Type: ECDSA
    Domains: changeme.fr.eu.org conference.changeme.fr.eu.org xshare.changeme.fr.eu.org
    Expiry Date: 2024-05-30 22:00:37+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/changeme.fr.eu.org-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/changeme.fr.eu.org-0001/privkey.pem
  Certificate Name: changeme.fr.eu.org
    Serial Number: 3c26f3c5099b8ff96d74ca1472ae5542b27
    Key Type: ECDSA
    Domains: changeme.fr.eu.org conference.changeme.fr.eu.org xshare.changeme.fr.eu.org xw.changeme.fr.eu.org
    Expiry Date: 2024-11-30 13:25:30+00:00 (VALID: 53 days)
    Certificate Path: /etc/letsencrypt/live/changeme.fr.eu.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/changeme.fr.eu.org/privkey.pem
  Certificate Name: m.p.changeme.fr.eu.org
    Serial Number: 4b0407c676e9037e8b525e0d3e9ed3b58f4
    Key Type: ECDSA
    Domains: m.p.changeme.fr.eu.org
    Expiry Date: 2024-10-07 20:23:26+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/m.p.changeme.fr.eu.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/m.p.changeme.fr.eu.org/privkey.pem
  Certificate Name: p.changeme.fr.eu.org
    Serial Number: 44c1b3b3e4c1075dcb0dcec34eda3cc2b69
    Key Type: ECDSA
    Domains: p.changeme.fr.eu.org
    Expiry Date: 2024-10-07 20:21:09+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/p.changeme.fr.eu.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/p.changeme.fr.eu.org/privkey.pem
  Certificate Name: x.changeme.fr.eu.org
    Serial Number: 32983e4949a9322dad0d433cc35bbeb7c21
    Key Type: ECDSA
    Domains: x.changeme.fr.eu.org xc.changeme.fr.eu.org xs.changeme.fr.eu.org
    Expiry Date: 2023-08-29 20:10:04+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/x.changeme.fr.eu.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/x.changeme.fr.eu.org/privkey.pem

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/p.changeme.fr.eu.org-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Note that x.changeme.fr.eu.org is supposed to be expired.

I think this may be due to me trying to first create a certificate only for p.changeme.fr.eu.org then for both p.changeme.fr.eu.org and m.p.changeme.fr.eu.org, then going back to two certificates.
Similarly, I added some domains to the changeme.fr.eu.org domain name at some point (it’s an XMPP server and needs one certificate for the main domain, plus a few subdomains for file uploads and groups…).


That's not good!

Please show:
ls -l /etc/letsencrypt/live/p.changeme.fr.eu.org-0001/


It doesn’t exist.

That can't be good - LOL

We see here:

  Certificate Name: changeme.fr.eu.org-0001
           Domains: changeme.fr.eu.org conference.changeme.fr.eu.org xshare.changeme.fr.eu.org
  Certificate Name: changeme.fr.eu.org
           Domains: changeme.fr.eu.org conference.changeme.fr.eu.org xshare.changeme.fr.eu.org xw.changeme.fr.eu.org

That the "-0001" actually has fewer domains.
Do you not need/use "xw.changeme.fr.eu.org"?


I do use it.
Maybe it switched to -0001 when I added a subdomain then reused the (unused?) other slot when I added xw.changeme.fr.eu.org?
I don’t know if these will also have issues on next renewal, for now I only have issues on p.changeme.fr.eu.org, which used to work I think.

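The checks the replies above are doing by eye (does each live/ symlink resolve into archive/, does live/privkey.pem point at the highest numbered privkeyN.pem, does every renewal/*.conf still have a live/ directory) can be scripted so a lineage that will fail on its next renewal is found before certbot trips over it. This is an added example, not code from the thread or from certbot itself; the live/, archive/ and renewal/ layout is certbot's, while the "next version is highest existing plus one" rule the script assumes and the make_demo_tree fixture (a throwaway copy of the broken layout shown in the listings above, built under mktemp so nothing in /etc/letsencrypt is touched) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from certbot): read-only audit of a
# certbot config directory. For each lineage under live/ it reports
#   - live/<name>/*.pem entries that are not symlinks or dangle (the
#     "expected ... to be a symlink" and FileNotFoundError cases above)
#   - a live/privkey.pem whose version is lower than the highest privkeyN.pem
#     in archive/<name>/ (the privkey2 vs privkey3..9 case above)
#   - renewal/<name>.conf with no live/<name>/ directory (the "-0001" case)
# Problem lines go to stderr; the problem count is printed on stdout.
# Assumption of this script: certbot's next version is highest existing + 1.

check_certbot_lineages() {
    root="${1:-/etc/letsencrypt}"
    problems=0
    for live in "$root"/live/*/; do
        [ -d "$live" ] || continue
        name=$(basename "$live")
        for f in cert chain fullchain privkey; do
            link="$live$f.pem"
            if [ ! -L "$link" ]; then
                echo "PROBLEM $name: $f.pem is not a symlink" >&2
                problems=$((problems + 1))
            elif [ ! -e "$link" ]; then
                echo "PROBLEM $name: $f.pem -> $(readlink "$link") is dangling" >&2
                problems=$((problems + 1))
            fi
        done
        archive="$root/archive/$name"
        if [ -d "$archive" ]; then
            # highest privkeyN.pem present in the archive, numerically
            highest=$(ls "$archive"/privkey*.pem 2>/dev/null \
                      | sed 's/.*privkey\([0-9]*\)\.pem$/\1/' | sort -n | tail -n 1)
            # version the live symlink currently points at
            current=$(readlink "$live/privkey.pem" 2>/dev/null \
                      | sed 's/.*privkey\([0-9]*\)\.pem$/\1/')
            if [ -n "$highest" ] && [ "$highest" != "$current" ]; then
                echo "PROBLEM $name: live/privkey.pem is version ${current:-?} but archive goes up to privkey$highest.pem" >&2
                problems=$((problems + 1))
            fi
        fi
    done
    for conf in "$root"/renewal/*.conf; do
        [ -f "$conf" ] || continue
        name=$(basename "$conf" .conf)
        if [ ! -d "$root/live/$name" ]; then
            echo "PROBLEM $name: renewal config present but live/$name/ is missing" >&2
            problems=$((problems + 1))
        fi
    done
    echo "$problems"
}

# Constructed fixture mirroring the thread: live/ points at version 2 (gone),
# archive/ holds versions 3..9, a stale "-0001" renewal config has no live dir,
# and one healthy lineage is included for contrast. Prints the temp root.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/live/p.example" "$root/archive/p.example" "$root/renewal" \
             "$root/live/good.example" "$root/archive/good.example"
    for n in 3 4 5 6 7 8 9; do
        for f in cert chain fullchain privkey; do
            echo "placeholder $f $n" > "$root/archive/p.example/$f$n.pem"
        done
    done
    for f in cert chain fullchain privkey; do
        ln -s "../../archive/p.example/${f}2.pem" "$root/live/p.example/$f.pem"
        echo "placeholder $f 3" > "$root/archive/good.example/${f}3.pem"
        ln -s "../../archive/good.example/${f}3.pem" "$root/live/good.example/$f.pem"
    done
    : > "$root/renewal/p.example.conf"
    : > "$root/renewal/p.example-0001.conf"
    : > "$root/renewal/good.example.conf"
    echo "$root"
}

if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_tree)
    printf '%s problem(s) found under %s\n' "$(check_certbot_lineages "$demo")" "$demo"
    rm -rf "$demo"
fi
```

`sh check.sh --demo` runs it against the constructed tree (six problems: four dangling links and one version mismatch for p.example, one orphaned renewal config); `check_certbot_lineages /etc/letsencrypt` as root inspects a real install. It only reads, so it is safe to run before deciding which lineages to hand to `certbot delete`.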

These four certs are expired, it may be best to just delete them:

  Certificate Name: changeme.fr.eu.org-0001
           Domains: changeme.fr.eu.org conference.changeme.fr.eu.org xshare.changeme.fr.eu.org
           Expiry Date: 2024-05-30 22:00:37+00:00 (INVALID: EXPIRED)
  Certificate Name: m.p.changeme.fr.eu.org
           Domains: m.p.changeme.fr.eu.org
           Expiry Date: 2024-10-07 20:23:26+00:00 (INVALID: EXPIRED)
  Certificate Name: p.changeme.fr.eu.org
           Domains: p.changeme.fr.eu.org
           Expiry Date: 2024-10-07 20:21:09+00:00 (INVALID: EXPIRED)
  Certificate Name: x.changeme.fr.eu.org
           Domains: x.changeme.fr.eu.org xc.changeme.fr.eu.org xs.changeme.fr.eu.org
           Expiry Date: 2023-08-29 20:10:04+00:00 (INVALID: EXPIRED)

Should I just rm /etc/letsencrypt/live/<Certificate Name> for each of the 4, or is there a removal command?

No! Please don't manually alter anything within the /etc/letsencrypt/ folders.
Yes, there is a removal command.
Use certbot for all that is needed.
In this case:
certbot delete --cert-name {name-of-cert}


Okay, for p.changeme.fr.eu.org I also had a line saying "No certificate found with name p.changeme.fr.eu.org (expected /etc/letsencrypt/renewal/p.changeme.fr.eu.org.conf).", but deleting it and requesting it again seems to have fixed the issue. Thanks!

