Certbot renewal, new server

Greetings! I copied:
/etc/letsencrypt/live/
to a new host, and destroyed the old host.
Can I renew my unexpired certs with certbot? I have received email notification of their pending expiry.

Thank you

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: tetrisconcept.tv

I ran this command: certbot renew

It produced this output: no renewals were attempted

My web server is (include version): nginx 1.18

The operating system my web server runs on is (include version): devuan buster

My hosting provider, if applicable, is: linode

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

I believe this is for a standalone configuration originally set up with certbot --cert-only. I am not certain of this.

I receive certbot renewal emails, but am confused as to the nature of my account and cannot understand the details, or whether it is relevant for updating the certs, or certbot.

I don't care about the already expired certs.

If we’re talking about the certificate you have on tetrisconcept.tv right now, it’s 2 days away from expiring.

You should try to renew it, as soon as possible.

If you correctly copied /etc/letsencrypt over, you should be able to do something like:

certbot renew --nginx --dry-run

See whether that succeeds.

That's right _az! We are talking about those certs. Thank you for your reply.

I did not correctly copy /etc/letsencrypt.
I believe I only copied /etc/letsencrypt/live/

certbot renew --nginx --dry-run
fails with no renewals attempted.
Perhaps the --force-renewal option can help me?


Thank you again

:frowning: . Unfortunately that’s not enough if you want renewal to work. You needed to have copied the entire /etc/letsencrypt directory over.

If you can’t do that, it’s probably best to just start again, and issue a certificate from scratch. Forget about your old server and its certificates, pretend they don’t exist anymore.

Thank you again _az

Is there some graceful way to do this? Can I use --expand or --duplicate or anything here?

To be clear: with all the private keys, and receiving email notifications, I am still out of luck and unable to renew?

PS

Renewing what was configured manually as a standalone install, if I recall.

Thank you again for your help here.

The main problem is that without /etc/letsencrypt/{renewal,archive}, Certbot doesn’t know your certificate exists.

So you need to recreate it from scratch.

You can try to do this, for example, by running:

certbot --nginx -d tetrisconcept.tv -d www.tetrisconcept.tv -d gitlab.tetrisconcept.tv

and it should recreate everything for you.

You may need to first remove/move the contents of the pre-existing live/ folder, as it may confuse Certbot when it tries to create the new certificate.
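To make the difference between a usable and an unusable copy of /etc/letsencrypt concrete, here is an added example (my own script, not code from this thread or from Certbot) that audits a tree for the three pieces _az lists: renewal/<name>.conf, archive/<name>/, and live/<name>/ symlinks that resolve into archive/. The layout it checks is Certbot's documented one; the ROOT parameter, the example.test lineage name and the placeholder file contents used by the fixture builder are my assumptions so the script can run against a scratch directory instead of the real /etc/letsencrypt.

```shell
#!/bin/sh
# Added example (not code from the thread or from Certbot): audit a copied
# /etc/letsencrypt tree and report whether a lineage is complete enough for
# "certbot renew" to find it. Assumes Certbot's documented layout:
#   live/<name>/{cert,chain,fullchain,privkey}.pem are symlinks into
#   archive/<name>/<file>N.pem, and renewal/<name>.conf describes the lineage.
# ROOT is a parameter so the check can be run against a scratch tree.

# check_lineage ROOT NAME: print what is wrong, return 0 only if complete
check_lineage() {
    root=$1; name=$2; ok=0
    if [ ! -f "$root/renewal/$name.conf" ]; then
        echo "missing $root/renewal/$name.conf: certbot renew will not see this lineage"
        ok=1
    fi
    if [ ! -d "$root/archive/$name" ]; then
        echo "missing $root/archive/$name: no versioned certs/keys to renew from"
        ok=1
    fi
    for f in cert chain fullchain privkey; do
        p="$root/live/$name/$f.pem"
        if [ -L "$p" ]; then
            target=$(readlink "$p")
            case "$target" in
                ../../archive/"$name"/*) ;;
                *) echo "$p points outside archive/: $target"; ok=1 ;;
            esac
            if [ ! -e "$p" ]; then
                echo "$p is a dangling symlink"; ok=1
            fi
        elif [ -f "$p" ]; then
            # What a symlink-dereferencing copy of live/ (e.g. scp -r) leaves behind
            echo "$p is a regular file, not a symlink into archive/"; ok=1
        else
            echo "$p is missing"; ok=1
        fi
    done
    return $ok
}

# make_fixture DIR complete|live-only: build a constructed scratch tree with
# placeholder files (no real keys) in either the proper layout or the broken one
make_fixture() {
    dir=$1; kind=$2; name=example.test
    mkdir -p "$dir/live/$name"
    if [ "$kind" = complete ]; then
        mkdir -p "$dir/archive/$name" "$dir/renewal"
        for f in cert chain fullchain privkey; do
            echo "placeholder $f" > "$dir/archive/$name/${f}1.pem"
            ln -s "../../archive/$name/${f}1.pem" "$dir/live/$name/$f.pem"
        done
        printf 'version = 0.31.0\narchive_dir = %s/archive/%s\n' "$dir" "$name" \
            > "$dir/renewal/$name.conf"
    else
        for f in cert chain fullchain privkey; do
            echo "placeholder $f" > "$dir/live/$name/$f.pem"
        done
    fi
}

# Usage on a real host: check_lineage /etc/letsencrypt tetrisconcept.tv
if [ "$#" -eq 2 ]; then
    check_lineage "$1" "$2"
fi
```

A whole-directory copy that preserves symlinks (for instance rsync -a or a tar archive of /etc/letsencrypt) passes the check; a copy of live/ alone fails on every line, which is exactly the state in which certbot renew has nothing to attempt. The script does not look at accounts/, which a whole-directory copy also brings along.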

I had been missing the certbot nginx plugin. I installed this. certbot then identified my certs; but

certbot --renew --dry-run did not change.

Next I ran
certbot --nginx -d tetrisconcept.tv -d www.tetrisconcept.tv -d gitlab.tetrisconcept.tv

and it errored out as you suspected. From letsencrypt.log:

2020-09-17 10:21:40,627:DEBUG:certbot.storage:Creating directory /etc/letsencrypt/archive.
2020-09-17 10:21:40,627:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
 ....
certbot.errors.CertStorageError: live directory exists for tetrisconcept.tv

Thank you again for your guidance here. Is there something for me to do now to clean this up?

I’d rename /etc/letsencrypt/live/tetrisconcept.tv to something else, and try again.

If the command succeeds, then the old directory won’t matter anymore.

If it fails, you can rename it back.

root@kalandan:~# mv /etc/letsencrypt/live/tetrisconcept.tv/ /etc/letsencrypt/live/tetrisconcept.tv_$(date -I)
root@kalandan:~# certbot --nginx -d tetrisconcept.tv -d www.tetrisconcept.tv -d gitlab.tetrisconcept.tv
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/tetrisconcept.tv/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/tetrisconcept.tv/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] cannot load certificate "/etc/letsencrypt/live/tetrisconcept.tv/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(\'/etc/letsencrypt/live/tetrisconcept.tv/fullchain.pem\',\'r\') error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n')
root@kalandan:~#

Oh yeah, duh. :man_facepalming:

Update your nginx config to use the tetrisconcept.tv_xxxxxxx directory for now.

Certbot will update it back to the new certificate, if it succeeds.

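The sequence the thread arrives at (move live/<name> aside, point nginx at the moved copy so nginx -t passes, run certbot --nginx, and move everything back if that fails) is easy to get half-done by hand, so here it is as an added example with a rollback: my own script, not code from this thread or from Certbot. It assumes nginx references the certificate through ssl_certificate and ssl_certificate_key directives under <ROOT>/live/<name>/, takes ROOT as a parameter so it can be exercised against a scratch tree, and the nginx config path and the example.test fixture in the comments are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Certbot: move live/<name>
# aside, rewrite nginx to use the moved copy, and roll back on failure.
# Assumptions (mine): nginx names the cert via ssl_certificate and
# ssl_certificate_key directives under <ROOT>/live/<name>/; ROOT is a
# parameter so the functions can run against a scratch tree.

# stage_reissue ROOT NAME CONF
#   moves live/NAME to live/NAME_<date>, keeps CONF.bak, rewrites CONF to the
#   moved directory and prints the moved directory's path
stage_reissue() {
    root=$1; name=$2; conf=$3
    aside="$root/live/${name}_$(date +%Y-%m-%d)"
    if [ ! -d "$root/live/$name" ]; then
        echo "no $root/live/$name to move aside" >&2; return 1
    fi
    if [ -e "$aside" ]; then
        echo "$aside already exists; refusing to overwrite it" >&2; return 1
    fi
    mv "$root/live/$name" "$aside"
    cp -p "$conf" "$conf.bak"
    # ERE with '#' as the delimiter because the paths contain '/'. Only the two
    # ssl_certificate* directives change; include lines and other paths stay.
    # (Paths containing '#' or '&' would need escaping first.)
    sed -E "s#(ssl_certificate(_key)?[[:space:]]+)$root/live/$name/#\1$aside/#" \
        "$conf.bak" > "$conf"
    echo "$aside"
}

# rollback_reissue ROOT NAME ASIDE CONF: undo stage_reissue after a failed
# "certbot --nginx" run (restore CONF from CONF.bak, move the directory back)
rollback_reissue() {
    root=$1; name=$2; aside=$3; conf=$4
    if [ -e "$root/live/$name" ]; then
        echo "$root/live/$name exists again (did the reissue succeed?); leaving it" >&2
        return 1
    fi
    mv "$aside" "$root/live/$name"
    mv "$conf.bak" "$conf"
}

# write_sample_conf FILE ROOT NAME: constructed nginx server block used as a fixture
write_sample_conf() {
    cat > "$1" <<EOF
server {
    listen 443 ssl;
    server_name $3;
    ssl_certificate $2/live/$3/fullchain.pem;
    ssl_certificate_key $2/live/$3/privkey.pem;
    include $2/options-ssl-nginx.conf;
}
EOF
}

# On the real host (config path assumed), the sequence would be:
#   conf=/etc/nginx/sites-enabled/tetrisconcept.tv
#   aside=$(stage_reissue /etc/letsencrypt tetrisconcept.tv "$conf")
#   nginx -t && certbot --nginx -d tetrisconcept.tv -d www.tetrisconcept.tv -d gitlab.tetrisconcept.tv \
#     || rollback_reissue /etc/letsencrypt tetrisconcept.tv "$aside" "$conf"
```

When the reissue succeeds, Certbot rewrites the directives back to the fresh live/<name>/ directory, so the moved copy and CONF.bak are leftovers you can delete; only on failure is the rollback needed, and it refuses to run if a new live/<name> has appeared in the meantime.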

Seems good. Thank you for the excellent support _az!
certbot --sweet-program :]
