Certbot renewal failed: configuration file is broken

Hello everyone! I was able to successfully get certificates using this guide How to handle HTTPS using Nginx, Let's encrypt and Docker - Mindsers Blog, but I want to setup auto renewal using docker containers.

However, I get an error.

My domain is: mybrandview.co.uk

I ran this command: docker renew
Through a docker compose file:

  nginx:
    image: nginx:latest
    # build: ./nginx
    depends_on:
      - api
      - client
    restart: unless-stopped
    volumes:
      - ./nginx/conf/:/etc/nginx/conf.d/:ro
      - ./data/certbot/conf:/etc/letsencrypt:ro
      - ./data/certbot/www:/var/www/certbot:ro
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"

    ports:
      - "80:80"
      - "443:443"

  certbot:
    image: certbot/certbot:latest
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt:rw
      - ./data/certbot/www:/var/www/certbot:rw
    command: renew

It produced this output:

online-store-certbot-1  | Saving debug log to /var/log/letsencrypt/letsencrypt.log
online-store-certbot-1  | 
online-store-certbot-1  | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
online-store-certbot-1  | Processing /etc/letsencrypt/renewal/mybrandview.co.uk-0001.conf
online-store-certbot-1  | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
online-store-certbot-1  | Renewal configuration file /etc/letsencrypt/renewal/mybrandview.co.uk.conf is broken.
online-store-certbot-1  | The error was: expected /etc/letsencrypt/live/mybrandview.co.uk/cert.pem to be a symlink
online-store-certbot-1  | Skipping.
online-store-certbot-1  | 0 renew failure(s), 1 parse failure(s)
online-store-certbot-1  | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
online-store-certbot-1  | Certificate not yet due for renewal
online-store-certbot-1  | 
online-store-certbot-1  | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
online-store-certbot-1  | Processing /etc/letsencrypt/renewal/mybrandview.co.uk.conf
online-store-certbot-1  | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
online-store-certbot-1  | 
online-store-certbot-1  | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
online-store-certbot-1  | The following certificates are not due for renewal yet:
online-store-certbot-1  |   /etc/letsencrypt/live/mybrandview.co.uk-0001/fullchain.pem expires on 2023-06-20 (skipped)
online-store-certbot-1  | No renewals were attempted.
online-store-certbot-1  | 
online-store-certbot-1  | Additionally, the following renewal configurations were invalid: 
online-store-certbot-1  |   /etc/letsencrypt/renewal/mybrandview.co.uk.conf (parsefail)
online-store-certbot-1  | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version):
nginx:latest

The operating system my web server runs on is (include version):
Ubuntu 22.04.1 LTS

My hosting provider, if applicable, is:
time4vps

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Docker container Certbot:latest

certbot --version
certbot 1.21.0

docker compose run --rm certbot --version
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mybrandview.co.uk-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mybrandview.co.uk.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewal configuration file /etc/letsencrypt/renewal/mybrandview.co.uk.conf is broken.
The error was: expected /etc/letsencrypt/live/mybrandview.co.uk/cert.pem to be a symlink
Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/mybrandview.co.uk-0001/fullchain.pem expires on 2023-06-20 (skipped)
No renewals were attempted.

Additionally, the following renewal configurations were invalid: 
  /etc/letsencrypt/renewal/mybrandview.co.uk.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 renew failure(s), 1 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I don't see an issue, renewal is not due yet. You can test renewal on the staging environment using the Certbot option --dry-run.

4 Likes

Seeing -000x is usually an indication that something hasn't gone exactly to plan.
Please show:
certbot certificates

4 Likes

I am not sure if certbot is even working: docker compose run --rm certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mybrandview.co.uk-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mybrandview.co.uk.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewal configuration file /etc/letsencrypt/renewal/mybrandview.co.uk.conf is broken.
The error was: expected /etc/letsencrypt/live/mybrandview.co.uk/cert.pem to be a symlink
Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/mybrandview.co.uk-0001/fullchain.pem expires on 2023-06-20 (skipped)
No renewals were attempted.

Additionally, the following renewal configurations were invalid: 
  /etc/letsencrypt/renewal/mybrandview.co.uk.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 renew failure(s), 1 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

After I tried to view logs: docker compose exec nginx cat /var/log/letsencrypt/letsencrypt.log
cat: /var/log/letsencrypt/letsencrypt.log: No such file or directory

Why do you keep saying that? I see a perfectly fine working Certbot.

3 Likes

Yeah, it is working. But how I can fix a problem that arises with certbot renew?

What shows?:
ls -l /etc/letsencrypt/live/mybrandview.co.uk/

2 Likes

Ah, I missed the broken symlink entirely :scream: My Bad..

3 Likes

/etc/letsencrypt/live# ls -l

total 8
-rw-r--r-- 1 1000 1001  740 Jan 31 11:24 README
drwxr-xr-x 2 root root 4096 Mar 22 16:43 mybrandview.co.uk-0001

As far as I can see, there is no mybrandview certificate there, only mybrandview.co.uk-0001

But there is a renewal configuration file for mybrandview.co.uk (without the -0001): /etc/letsencrypt/renewal/mybrandview.co.uk.conf.

So where did /etc/letsencrypt/live/mybrandview.co.uk/ go to?

Is there a /etc/letsencrypt/archive/mybrandview.co.uk/?

4 Likes

Yeah,

/etc/letsencrypt/archive# ls
mybrandview.co.uk  mybrandview.co.uk-0001

So, do I need to delete these archive certificates? Or renewal mybrandview.co.uk.conf?

Well, you shouldn't simply delete "these archive certificates" (as in, everything in /archive/) as that would destroy your currently working certificate too.

If you're happy with your mybrandview.co.uk-0001 certificate and don't care about what's in /etc/letsencrypt/archive/mybrandview.co.uk/, then you can delete that and only that /etc/letsencrypt/archive/mybrandview.co.uk/ directory and the mybrandview.co.uk.conf renewal configuration file.

But if you're not happy with the mybrandview.co.uk-0001 cert and want to keep whatever is currently stored in /etc/letsencrypt/archive/mybrandview.co.uk/, then you should rebuild /etc/letsencrypt/live/mybrandview.co.uk/. You can take a look at /etc/letsencrypt/archive/mybrandview.co.uk-0001/ to see how the symlinking works.

5 Likes
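The diagnosis two posts up (a renewal conf whose live/ directory is gone while archive/ still exists) and the "rebuild /etc/letsencrypt/live/mybrandview.co.uk/" option just described can both be scripted. The POSIX shell below is an added example, not code from the thread, from certbot, or from the Mindsers guide. It assumes certbot's standard layout under a config root (normally /etc/letsencrypt): renewal/NAME.conf, archive/NAME/{cert,chain,fullchain,privkey}N.pem with N counting up from 1, and live/NAME/*.pem as relative symlinks into archive/. The lineage name example.test and the placeholder .pem contents in the demo are constructed for the demo and are not real keys or certificates.

```shell
# Added example (not from the thread or certbot): find lineages whose live/
# symlinks are missing and relink them to the newest files in archive/.
# certbot refuses to renew a lineage whose live files are not symlinks; that is
# the "expected .../cert.pem to be a symlink" parse failure seen above.

# check_live ROOT NAME: succeed only if all four live files are symlinks that resolve.
check_live() {
    live="$1/live/$2"
    for f in cert chain fullchain privkey; do
        [ -L "$live/$f.pem" ] && [ -e "$live/$f.pem" ] || return 1
    done
    return 0
}

# find_broken ROOT: print the name of every renewal conf whose live dir fails check_live.
find_broken() {
    for conf in "$1"/renewal/*.conf; do
        [ -e "$conf" ] || continue            # glob matched nothing
        name=$(basename "$conf" .conf)
        check_live "$1" "$name" || echo "$name"
    done
}

# rebuild_live ROOT NAME: recreate live/NAME/ pointing at the newest archive files.
# Prints the archive version number it linked to; returns 1 if archive/ is incomplete.
rebuild_live() {
    root="$1"; name="$2"
    archive="$root/archive/$name"; live="$root/live/$name"
    [ -d "$archive" ] || { echo "no archive dir: $archive" >&2; return 1; }
    # highest N among certN.pem is the most recently issued certificate
    latest=$(ls "$archive" | sed -n 's/^cert\([0-9][0-9]*\)\.pem$/\1/p' | sort -n | tail -n 1)
    [ -n "$latest" ] || { echo "no certN.pem in $archive" >&2; return 1; }
    for f in cert chain fullchain privkey; do
        [ -f "$archive/$f$latest.pem" ] || { echo "missing $archive/$f$latest.pem" >&2; return 1; }
    done
    mkdir -p "$live"
    for f in cert chain fullchain privkey; do
        # relative target, the same form certbot itself writes
        ln -sfn "../../archive/$name/$f$latest.pem" "$live/$f.pem"
    done
    # the key in archive/ is the real file; keep it readable by its owner only
    chmod 0600 "$archive/privkey$latest.pem"
    echo "$latest"
}

# demo: run everything on a throwaway directory with constructed placeholder files
# (not a real /etc/letsencrypt, not real keys).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/renewal" "$tmp/archive/example.test"
    : > "$tmp/renewal/example.test.conf"       # conf exists, live/ does not: the thread's state
    for n in 1 2 3; do
        for f in cert chain fullchain privkey; do
            echo "placeholder $f $n" > "$tmp/archive/example.test/$f$n.pem"
        done
    done
    echo "broken lineages before repair: $(find_broken "$tmp")"
    v=$(rebuild_live "$tmp" example.test)
    echo "relinked example.test to archive version $v"
    echo "broken lineages after repair: '$(find_broken "$tmp")'"
    ls -l "$tmp/live/example.test"
    rm -rf "$tmp"
}

demo
```

Run find_broken against the real config root first (inside the certbot container that would be `/etc/letsencrypt`) and only call rebuild_live for a lineage you actually want to keep; for a lineage you no longer need, the other option from the post above (removing its archive/ directory and renewal conf) is the right one. After relinking, `certbot renew --dry-run` confirms that the renewal conf parses again without spending a real issuance.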

That sounds like someone has manually made some changes to that directory (and deleted that folder).
[something that is NOT recommended]

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.