Certbot renewal issue

Please advise me on the issue below.

My domain is: mobps.de

I ran this command: sudo certbot renew / sudo certbot --force-renewal

Processing /etc/letsencrypt/renewal/MoBPSCert.conf


Renewing an existing certificate for mobps.de
Failed to renew certificate MoBPSCert with error: urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: No suitable certificate product is currently available to this account


Processing /etc/letsencrypt/renewal/mobps.de-0001.conf


Renewal configuration file /etc/letsencrypt/renewal/mobps.de-0001.conf is broken.
The error was: expected /etc/letsencrypt/live/mobps.de-0001/cert.pem to be a symlink
Skipping.


Processing /etc/letsencrypt/renewal/mobps.de.conf


Renewal configuration file /etc/letsencrypt/renewal/mobps.de.conf is broken.
The error was: expected /etc/letsencrypt/live/mobps.de/cert.pem to be a symlink
Skipping.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/MoBPSCert/fullchain.pem (failure)

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/mobps.de-0001.conf (parsefail)
/etc/letsencrypt/renewal/mobps.de.conf (parsefail)


1 renew failure(s), 2 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
nha@mobps_server:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/mobps.de-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/mobps.de-0001/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/mobps.de.conf produced an unexpected error: expected /etc/letsencrypt/live/mobps.de/cert.pem to be a symlink. Skipping.


Found the following certs:
Certificate Name: MoBPSCert
Serial Number: 5f453dd99527754c8a345d38e440e2d4acf
Key Type: ECDSA
Domains: mobps.de
Expiry Date: 2025-06-29 06:57:15+00:00 (VALID: 17 days)
Certificate Path: /etc/letsencrypt/live/MoBPSCert/fullchain.pem
Private Key Path: /etc/letsencrypt/live/MoBPSCert/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/mobps.de-0001.conf
/etc/letsencrypt/renewal/mobps.de.conf

My web server is (include version): nginx

The operating system my web server runs on is (include version): ubuntu 18.0

My hosting provider, if applicable, is: University of Goettingen

I can login to a root shell on my machine (yes or no, or I don't know): Yes, I'm root user

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 4.1.0

Renewal configuration file /etc/letsencrypt/renewal/mobps.de.conf is broken.
The error was: expected /etc/letsencrypt/live/mobps.de/cert.pem to be a symlink
Skipping.


No simulated renewals were attempted.
Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/mobps.de.conf (parsefail)

Did you rename or modify the /etc/letsencrypt directories manually?

Because the messages indicate a badly mismatched set of renewal config files and certificate files.

Please show output of:

sudo ls -lR /etc/letsencrypt/live
sudo ls -l /etc/letsencrypt/renewal
sudo cat /etc/letsencrypt/renewal/MoBPSCert.conf
sudo cat /etc/letsencrypt/renewal/mobps.de.conf
4 Likes

Please note that this option does NOT mean "make every error go away and magically make it work". It often only leads to more problems than the user began with (rate limits etc.).

2 Likes

Thank you so much for your reply.
Here it is:

$ sudo ls -lR /etc/letsencrypt/live
/etc/letsencrypt/live:
total 8
drwxr-xr-x 2 root root 4096 Mar 31 07:55 MoBPSCert
-rwxr-xr-x 1 root root 740 Apr 4 2022 README

/etc/letsencrypt/live/MoBPSCert:
total 4
lrwxrwxrwx 1 root root 37 Mar 31 07:55 cert.pem -> ../../archive/mobps.de-0001/cert2.pem
lrwxrwxrwx 1 root root 38 Mar 31 07:55 chain.pem -> ../../archive/mobps.de-0001/chain2.pem
lrwxrwxrwx 1 root root 42 Mar 31 07:55 fullchain.pem -> ../../archive/mobps.de-0001/fullchain2.pem
lrwxrwxrwx 1 root root 40 Mar 31 07:55 privkey.pem -> ../../archive/mobps.de-0001/privkey2.pem
-rw-r--r-- 1 root root 692 Mar 31 07:37 README

$ sudo cat /etc/letsencrypt/renewal/mobps.de.conf
version = 2.4.0
archive_dir = /etc/letsencrypt/archive/mobps.de
cert = /etc/letsencrypt/live/mobps.de/cert.pem
privkey = /etc/letsencrypt/live/mobps.de/privkey.pem
chain = /etc/letsencrypt/live/mobps.de/chain.pem
fullchain = /etc/letsencrypt/live/mobps.de/fullchain.pem

[renewalparams]
account = a25393f7495667ad9079ad11e71e8529
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa

$ sudo ls -l /etc/letsencrypt/renewal
total 12
-rw-r--r-- 1 root root 487 Mar 26 2024 MoBPSCert.conf
-rw-r--r-- 1 root root 538 Mar 31 07:55 mobps.de-0001.conf
-rw-r--r-- 1 root root 511 Apr 1 2023 mobps.de.conf

$ sudo cat /etc/letsencrypt/renewal/MoBPSCert.conf
version = 2.9.0
archive_dir = /etc/letsencrypt/archive/MoBPSCert
cert = /etc/letsencrypt/live/MoBPSCert/cert.pem
privkey = /etc/letsencrypt/live/MoBPSCert/privkey.pem
chain = /etc/letsencrypt/live/MoBPSCert/chain.pem
fullchain = /etc/letsencrypt/live/MoBPSCert/fullchain.pem

[renewalparams]
account = 31cd19eff97a270e257e6159e4cf541b
server = https://acme.sectigo.com/v2/OV
authenticator = standalone
key_type = rsa

Shall I re-install Certbot?

Last time, when I used "certbot renewal", I was getting an error. Then I used "force renewal" and it worked! I thought it would work again this time. But, as you said, it would have created more problems, or I messed up the files!

I just tried to run the command below. When I ran it, I got an error that the port is being used, etc. So I stopped port 80 and ran this command again, and got the error message below.

$ sudo certbot renew --dry-run --cert-name MoBPSCert
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/MoBPSCert.conf


failed to fetch renewal_info URL (https://acme-staging-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo/kydGmAOpUWiOmNbEQkjbI79YlNI.BfRT3ZlSd1TIo0XTjkQOLUrP): urn:ietf:params:acme:error:malformed :: The request message was malformed :: While parsing ARI CertID an error occurred :: path contained an Authority Key Identifier that did not match a known issuer
Simulating renewal of an existing certificate for mobps.de


Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/MoBPSCert/fullchain.pem (success)

It looks like renewals from ACME Sectigo are not possible at this point from the SSL provider "GWDG". I need to use Let's Encrypt.
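The listings above show the structure behind Certbot's "expected .../cert.pem to be a symlink" errors: every renewal .conf names an archive_dir plus four paths under live/<name>/ that must be symlinks into that lineage's archive. Here the only surviving live/ directory (MoBPSCert) links into archive/mobps.de-0001 while MoBPSCert.conf names archive/MoBPSCert, and mobps.de.conf and mobps.de-0001.conf reference live/ directories that no longer exist. The script below is an added, read-only audit written for this page; it is not Certbot's own code and was not posted in the thread. It re-implements those checks, adds a lineage-mismatch check, and with no argument builds a constructed temporary layout modelled on the listings above. The archive/ contents, the healthy good.example lineage, the orphan old.example archive and the empty stale.example.conf (the state a failed certonly run leaves behind, which appears later in the thread as "missing a required file reference") are all assumptions made for the demo.

```python
"""Read-only audit of a Certbot configuration directory (added example, not Certbot code).
Usage: sudo python3 audit_le.py /etc/letsencrypt   (no argument: audit a constructed demo layout)
"""
import configparser
import os
import sys
import tempfile

REQUIRED_KEYS = ("cert", "privkey", "chain", "fullchain")


def parse_renewal_conf(path):
    """Return the file-reference keys that sit above [renewalparams] in a renewal .conf."""
    cp = configparser.ConfigParser(interpolation=None)
    with open(path) as fh:
        cp.read_string("[toplevel]\n" + fh.read())  # give the header-less keys a section
    return cp["toplevel"]


def audit(config_dir):
    """Return (lineage, code, detail) findings; the codes mirror Certbot's own messages."""
    findings = []
    renewal_dir = os.path.join(config_dir, "renewal")
    archive_root = os.path.join(config_dir, "archive")
    referenced = set()
    for fname in sorted(os.listdir(renewal_dir)):
        if not fname.endswith(".conf"):
            continue
        lineage = fname[:-len(".conf")]
        top = parse_renewal_conf(os.path.join(renewal_dir, fname))
        missing = [k for k in ("archive_dir",) + REQUIRED_KEYS if k not in top]
        if missing:  # e.g. the empty .conf a failed certonly run leaves behind
            findings.append((lineage, "parsefail",
                             "missing required file reference(s): " + ", ".join(missing)))
            continue
        archive_dir = os.path.realpath(top["archive_dir"])
        referenced.add(os.path.basename(archive_dir))
        if not os.path.isdir(archive_dir):
            findings.append((lineage, "missing-archive", f"{archive_dir} does not exist"))
        for key in REQUIRED_KEYS:
            link = top[key]
            if not os.path.islink(link):  # the exact condition Certbot reports
                findings.append((lineage, "parsefail", f"expected {link} to be a symlink"))
                break
            target = os.path.realpath(link)
            if not os.path.exists(target):
                findings.append((lineage, "dangling", f"{link} -> {os.readlink(link)} is missing"))
            elif os.path.dirname(target) != archive_dir:  # links into another lineage's archive
                findings.append((lineage, "mismatch",
                                 f"{link} resolves into {os.path.dirname(target)} "
                                 f"but archive_dir is {archive_dir}"))
    if os.path.isdir(archive_root):
        for name in sorted(os.listdir(archive_root)):
            if name not in referenced:
                findings.append((name, "orphan-archive",
                                 f"{os.path.join(archive_root, name)} has no renewal .conf"))
    return findings


def _write_conf(root, lineage, archive_name):
    """Write a minimal renewal .conf in Certbot's layout (constructed demo data)."""
    live = os.path.join(root, "live", lineage)
    lines = ["version = 2.9.0", f"archive_dir = {os.path.join(root, 'archive', archive_name)}"]
    lines += [f"{k} = {os.path.join(live, k + '.pem')}" for k in REQUIRED_KEYS]
    lines += ["", "[renewalparams]", "authenticator = nginx",
              "server = https://acme-v02.api.letsencrypt.org/directory"]
    with open(os.path.join(root, "renewal", lineage + ".conf"), "w") as fh:
        fh.write("\n".join(lines) + "\n")


def build_demo_layout(root):
    """Constructed layout mirroring the thread; archive/ contents and *.example names are assumed."""
    for sub in ("renewal", "archive", "live"):
        os.makedirs(os.path.join(root, sub))
    for archive_name, n in (("mobps.de-0001", 2), ("mobps.de", 1), ("good.example", 1), ("old.example", 1)):
        d = os.path.join(root, "archive", archive_name)
        os.makedirs(d)
        for k in REQUIRED_KEYS:
            with open(os.path.join(d, f"{k}{n}.pem"), "w") as fh:
                fh.write("CONSTRUCTED PLACEHOLDER, NOT A REAL PEM FILE\n")
    # live/MoBPSCert links into archive/mobps.de-0001, exactly as the ls -lR above shows
    for lineage, archive_name, n in (("MoBPSCert", "mobps.de-0001", 2), ("good.example", "good.example", 1)):
        os.makedirs(os.path.join(root, "live", lineage))
        for k in REQUIRED_KEYS:
            os.symlink(f"../../archive/{archive_name}/{k}{n}.pem",
                       os.path.join(root, "live", lineage, f"{k}.pem"))
    _write_conf(root, "MoBPSCert", "MoBPSCert")        # archive_dir names a directory that is absent
    _write_conf(root, "good.example", "good.example")  # the healthy reference lineage
    _write_conf(root, "mobps.de", "mobps.de")          # live/mobps.de no longer exists
    _write_conf(root, "mobps.de-0001", "mobps.de-0001")
    open(os.path.join(root, "renewal", "stale.example.conf"), "w").close()  # empty, failed run


def build_and_audit_demo():
    with tempfile.TemporaryDirectory() as root:
        build_demo_layout(root)
        return audit(root)


if __name__ == "__main__":
    results = audit(sys.argv[1]) if len(sys.argv) > 1 else build_and_audit_demo()
    for lineage, code, detail in results:
        print(f"{lineage:15} {code:15} {detail}")
    print(f"{len(results)} finding(s)" if results else "no problems found")
```

Run it against a real system as `sudo python3 audit_le.py /etc/letsencrypt`. It only reads the tree, which matters here: the advice in this thread is to let Certbot own those directories, and an audit that reports which lineage is broken and why gives the helper the information the ls -lR and cat commands above were asking for, without anyone touching the files.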

There are many things wrong with your configuration. But, do not delete it all and start over. Your running nginx system uses the cert you have and nginx will fail to restart if you delete that cert.

You can ignore this message during --dry-run. That is a bug already reported to the Certbot team on their github. It does not affect the result of the --dry-run which in your case succeeded.

A --dry-run test uses the Let's Encrypt Staging system to test. Not your Sectigo system. There are other ways to test Sectigo but this is not the first thing to fix.

I need some time to think about how best to proceed. You have badly damaged your Certbot directories. Please do not make manual changes to those directories or their contents. Only use Certbot commands and it will manage those directories properly.

Do you use that cert anywhere else other than nginx? This is important to know as we make a plan to fix your system.

Also, please show the output of this. It will be very long. An upper case T is essential:

sudo nginx -T

It is best if you can upload to this forum the file output from this:

sudo nginx -T >/someTempDirectory/config.txt
4 Likes
$ sudo nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

configuration file /etc/nginx/nginx.conf:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
worker_connections 1024;
# multi_accept on;
}

http {

    ##
    # Basic Settings
    ##
    #client_max_body_size 1024M;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 650000s;
    types_hash_max_size 2048;
    client_body_timeout 12;
    client_header_timeout 12;
    client_body_buffer_size 10k;
    client_header_buffer_size 1k;
    client_max_body_size 8m;
    large_client_header_buffers 4 8k;
    #optimize session tickets
    #ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    #Enable session tickets
    ssl_session_tickets on;
    add_header X-Cache-Status $upstream_cache_Status;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    #ssl on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MDS:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

#mail {
#    # See sample authentication script at:
#    # GitHub - nginxinc/nginx-wiki: ARCHIVED -- Source for the now archived NGINX Wiki section of https://www.nginx.com
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
#    server {
#        listen localhost:110;
#        protocol pop3;
#        proxy on;
#    }
#    server {
#        listen localhost:143;
#        protocol imap;
#        proxy on;
#    }
#}

configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:

load_module modules/ngx_http_geoip_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:

load_module modules/ngx_http_image_filter_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:

load_module modules/ngx_http_xslt_filter_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:

load_module modules/ngx_mail_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:

load_module modules/ngx_stream_module.so;

configuration file /etc/nginx/mime.types:

types {
    text/html html htm shtml;
    text/css css;
    text/xml xml;
    image/gif gif;
    image/jpeg jpeg jpg;
    application/javascript js;
    application/atom+xml atom;
    application/rss+xml rss;

    text/mathml mml;
    text/plain txt;
    text/vnd.sun.j2me.app-descriptor jad;
    text/vnd.wap.wml wml;
    text/x-component htc;
    image/png png;
    image/tiff tif tiff;
    image/vnd.wap.wbmp wbmp;
    image/x-icon ico;
    image/x-jng jng;
    image/x-ms-bmp bmp;
    image/svg+xml svg svgz;
    image/webp webp;
    application/font-woff woff;
    application/java-archive jar war ear;
    application/json json;
    application/mac-binhex40 hqx;
    application/msword doc;
    application/pdf pdf;
    application/postscript ps eps ai;
    application/rtf rtf;
    application/vnd.apple.mpegurl m3u8;
    application/vnd.ms-excel xls;
    application/vnd.ms-fontobject eot;
    application/vnd.ms-powerpoint ppt;
    application/vnd.wap.wmlc wmlc;
    application/vnd.google-earth.kml+xml kml;
    application/vnd.google-earth.kmz kmz;
    application/x-7z-compressed 7z;
    application/x-cocoa cco;
    application/x-java-archive-diff jardiff;
    application/x-java-jnlp-file jnlp;
    application/x-makeself run;
    application/x-perl pl pm;
    application/x-pilot prc pdb;
    application/x-rar-compressed rar;
    application/x-redhat-package-manager rpm;
    application/x-sea sea;
    application/x-shockwave-flash swf;
    application/x-stuffit sit;
    application/x-tcl tcl tk;
    application/x-x509-ca-cert der pem crt;
    application/x-xpinstall xpi;
    application/xhtml+xml xhtml;
    application/xspf+xml xspf;
    application/zip zip;
    application/octet-stream bin exe dll;
    application/octet-stream deb;
    application/octet-stream dmg;
    application/octet-stream iso img;
    application/octet-stream msi msp msm;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
    audio/midi mid midi kar;
    audio/mpeg mp3;
    audio/ogg ogg;
    audio/x-m4a m4a;
    audio/x-realaudio ra;
    video/3gpp 3gpp 3gp;
    video/mp2t ts;
    video/mp4 mp4;
    video/mpeg mpeg mpg;
    video/quicktime mov;
    video/webm webm;
    video/x-flv flv;
    video/x-m4v m4v;
    video/x-mng mng;
    video/x-ms-asf asx asf;
    video/x-ms-wmv wmv;
    video/x-msvideo avi;
}

configuration file /etc/nginx/sites-enabled/default:

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# NGINX Documentation
# NGINX Documentation
# Nginx/DirectoryStructure - Debian Wiki
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
#server {
#    listen 443 ssl;
#    ssl on;
#    ssl_certificate /etc/nginx/ssl/mobps.de.chained.crt;
#    ssl_certificate_key /etc/nginx/ssl/perm_with_key.pem;
#    root /var/www/html;
#    server_name mobps.de www.mobps.de;
#    location / {
#        try_files $uri $uri/ = 404;
#    }
#}

#Redirect HTTP to HTTPS

server {
listen 80 default_server;
server_name _;

return 301 https://$host$request_uri; 

}

upstream mobps.de
{
server 127.0.0.1:8080;
}

server {
    listen 443 ssl;

    server_name mobps.de;
    #ssl_certificate /etc/nginx/ssl/mobps.de.chained.crt;
    #ssl_certificate_key /etc/nginx/ssl/pem_with_key.key;
    #ssl_certificate /etc/letsencrypt/live/mobps.de/fullchain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/mobps.de/privkey.pem;
    ssl_certificate /etc/letsencrypt/live/MoBPSCert/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/MoBPSCert/privkey.pem;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        #try_files $uri $uri/ =404;
        proxy_pass http://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_connect_timeout 3600;
        proxy_send_timeout 3600;
        proxy_read_timeout 3600;
        send_timeout 36000s;
        # proxy_redirect http://locahost:8080 https://mobps.de;
        #proxy_hide_header X-Frame-Options;

        #add_header X-XSS-Protection "1; mode=block";
        #add_header X-Content-Type-Options nosniff;
        #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    }
}

certbot_ssl.txt (10.5 KB)

The link above is the nginx -T output.

Do you use that cert anywhere else other than nginx? - I don't use it anywhere. Only in nginx.

"I need some time to think about how best to proceed. You have badly damaged your Certbot directories. Please do not make manual changes to those directories or their contents. Only use Certbot commands and it will manage those directories properly." - Sure. I am not changing anything.

I just received an email from my university support team saying "Sectigo has not been the GÉANT TCS PKI service provider for University since January 2025". Now I have the option to create a new SSL certificate for a year at HARICA by myself, or with Certbot by myself. Will try your suggestions at this point.

Thank you so much for looking at my code and giving suggestions.

Okay. Let's set up a fresh Certbot config for a Let's Encrypt cert. We will go step by step to make sure all is working as expected.

The first steps are these. Make sure nginx is running before running the Certbot command:

sudo rm /etc/letsencrypt/renewal/mobps.de.conf
sudo rm /etc/letsencrypt/renewal/mobps.de-0001.conf
sudo certbot certonly --cert-name mobps.de --nginx -d mobps.de -d www.mobps.de
3 Likes

Yes, nginx was running while I used the commands below.

$ sudo rm /etc/letsencrypt/renewal/mobps.de.conf
$ sudo rm /etc/letsencrypt/renewal/mobps.de-0001.conf
$ sudo certbot certonly --cert-name mobps.de --nginx -d mobps.de -d www.mobps.de
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for mobps.de and www.mobps.de
archive directory exists for mobps.de
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

1 Like

Oh, sorry, that was not expected. You earlier showed no .../live/.. directory for that cert name. I should have asked to see the .../archive/... too.

Please delete that directory and contents

sudo rm /etc/letsencrypt/archive/mobps.de/*
sudo rmdir /etc/letsencrypt/archive/mobps.de

Then, re-run the certbot certonly command from my last post and show result. Thanks

2 Likes

$ sudo rm /etc/letsencrypt/archive/mobps.de/*
$ sudo rmdir /etc/letsencrypt/archive/mobps.de
$ sudo certbot certonly --cert-name mobps.de --nginx -d mobps.de -d www.mobps.de
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for mobps.de and www.mobps.de

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mobps.de-0002/fullchain.pem
Key is saved at: /etc/letsencrypt/live/mobps.de-0002/privkey.pem
This certificate expires on 2025-09-10.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.


If you like Certbot, please consider supporting our work by:


Wow, it says "Successfully received certificate"!

Shall I restart nginx, so that I could see the extended month?

Hmmm. We requested a specific --cert-name. But, Certbot used a different name mobps.de-0002 instead. That shouldn't happen.

What does this show?

sudo certbot certificates
2 Likes

$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/mobps.de-0001.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/mobps.de.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.


Found the following certs:
  Certificate Name: MoBPSCert
    Serial Number: 5f453dd99527754c8a345d38e440e2d4acf
    Key Type: ECDSA
    Domains: mobps.de
    Expiry Date: 2025-06-29 06:57:15+00:00 (VALID: 16 days)
    Certificate Path: /etc/letsencrypt/live/MoBPSCert/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/MoBPSCert/privkey.pem
  Certificate Name: mobps.de-0002
    Serial Number: 5c777b9b2a0fa5e9a81f102ad183d3b7a96
    Key Type: ECDSA
    Domains: mobps.de www.mobps.de
    Expiry Date: 2025-09-10 13:11:14+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/mobps.de-0002/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mobps.de-0002/privkey.pem

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/mobps.de-0001.conf
  /etc/letsencrypt/renewal/mobps.de.conf

I have two folders now under /etc/letsencrypt/live.

Shall I change MoBPSCert to the mobps.de folder and remove mobps.de-0002?

But you deleted that file earlier. Why is it still around to cause above error?

2 Likes

No, that can't be right. Your certbot certificates shows you have a mobps.de-0002 in .../live/...

NO. Please do NOT make manual changes to these folders. That is what caused all these problems to start with.

3 Likes

Don't know... I just followed all your commands!
Right now I have these files:

(image through WinSCP)

What are you using WinSCP for? You said you had Ubuntu and were root user. Can't you just run commands on Ubuntu?

2 Likes