Certbot Renewal Error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mennens.org

I ran this command:
sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/pizza1.mennens.org.conf produced an unexpected error: expected /etc/letsencrypt/live/pizza1.mennens.org/cert.pem to be a symlink. Skipping.


Found the following certs:
Certificate Name: pizza1.mennens.org-0001
Domains: pizza1.mennens.org
Expiry Date: 2019-07-04 02:09:32+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/pizza1.mennens.org-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/pizza1.mennens.org-0001/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/pizza1.mennens.org.conf


It produced this output:
cmennens@pizza1:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/pizza1.mennens.org.conf produced an unexpected error: expected /etc/letsencrypt/live/pizza1.mennens.org/cert.pem to be a symlink. Skipping.

cmennens@pizza1:~$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/pizza1.mennens.org-0001.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for pizza1.mennens.org
Waiting for verification…
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/pizza1.mennens.org-0001/fullchain.pem



Processing /etc/letsencrypt/renewal/pizza1.mennens.org.conf


Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 67, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 463, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/pizza1.mennens.org/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/pizza1.mennens.org.conf is broken. Skipping.


Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/pizza1.mennens.org-0001/fullchain.pem (success)

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/pizza1.mennens.org.conf (parsefail)


0 renew failure(s), 1 parse failure(s)

My web server is (include version): standalone cert for database and Plex

The operating system my web server runs on is (include version): Debian Linux 9.x

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
cmennens@pizza1:~$ certbot --version || /usr/bin/certbot-auto --version
certbot 0.31.0

Hi @cmennens

looks like you have replaced the symlink with a file. Try

certbot update_symlinks

update_symlinks       Recreate symlinks in your /etc/letsencrypt/live/
                        directory

https://certbot.eff.org/docs/using.html

to repair that.

11:11:45-cmennens@pizza1:~$ sudo certbot update_symlinks
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Expected /etc/letsencrypt/live/pizza1.mennens.org/cert.pem to be a symlink
11:13:09-cmennens@pizza1:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/pizza1.mennens.org.conf produced an unexpected error: expected /etc/letsencrypt/live/pizza1.mennens.org/cert.pem to be a symlink. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
[...]

Still getting the error.

Anyone know how to fix / stop getting the above error when I check my certificates? I have a fresh installation on a new server and don’t know why I’m getting errors. Any help is greatly appreciated!

That's impossible. You may have copied these wrong files.

Make a backup, remove your port 443 vHost, then delete the file and create a new certificate.

So my error for symlinks above is circumvented by removing everything and recreating a new certificate? There’s no solution to fixing an existing installation that throws:

Expected /etc/letsencrypt/live/pizza1.mennens.org/cert.pem to be a symlink

If update_symlinks doesn’t do it, there’s no other code in Certbot to fix this.

If you can tell us how it got this way and post the output of ls -lR /etc/letsencrypt/{live,archive} and cat /etc/letsencrypt/renewal/*.conf, we might be able to suggest a manual solution, but starting over might be faster!
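
An added example, not part of the thread and not Certbot's own code: a read-only check of the layout the error message refers to, where each of cert.pem, chain.pem, fullchain.pem and privkey.pem under live/<name>/ is a symlink into archive/<name>/. The function name audit_lineage is made up for this sketch; it changes nothing on disk and returns the number of problems found.

```shell
#!/bin/sh
# Read-only audit of one Certbot lineage. Every item in live/<name>/ should be
# a symlink to a numbered file in archive/<name>/ (e.g. cert.pem -> cert1.pem).
# Prints one status line per item; return value = number of problems (0 = OK).
audit_lineage() {
    config_dir=$1   # normally /etc/letsencrypt
    lineage=$2      # certificate name as shown by `certbot certificates`
    live="$config_dir/live/$lineage"
    problems=0
    for kind in cert chain fullchain privkey; do
        link="$live/$kind.pem"
        if [ -L "$link" ]; then
            target=$(readlink "$link")
            case $target in
                */archive/"$lineage"/"$kind"[0-9]*.pem)
                    if [ -e "$link" ]; then
                        echo "OK       $link -> $target"
                    else
                        # Symlink exists but the archive file behind it is gone.
                        echo "DANGLING $link -> $target"
                        problems=$((problems + 1))
                    fi ;;
                *)
                    echo "ODD      $link -> $target (not in archive/$lineage)"
                    problems=$((problems + 1)) ;;
            esac
        elif [ -e "$link" ]; then
            # The case from this thread: a copied file sits where the link belongs.
            echo "REGULAR  $link is a plain file, not a symlink"
            problems=$((problems + 1))
        else
            echo "MISSING  $link"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Run directly as: sudo sh audit.sh /etc/letsencrypt pizza1.mennens.org
if [ "$#" -eq 2 ]; then
    audit_lineage "$1" "$2"
fi
```

A REGULAR line for privkey.pem also means a second copy of the private key exists outside archive/, so check its ownership and mode before deleting or replacing anything.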
