After certbot renewal the inode-symlinks in the …/live/server directory are date-stamped correctly but they still point to the earlier expired certs in the …/archive/server directory. I have run the renewal a further two times and they still point to the old files. There are new certificates in the archive directory so they are being produced but the symlinks are not being updated for some reason.
-sh-4.2$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/wikispooks.com-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/wikispooks.com-0001/cert.pem to be a symlink. Skipping.
Found the following certs:
Certificate Name: wikispooks.com
Domains: wikispooks.com
Expiry Date: 2018-11-15 14:26:01+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/wikispooks.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/wikispooks.com/privkey.pem
The following renewal configurations were invalid:
/etc/letsencrypt/renewal/wikispooks.com-0001.conf
I have temporarily pointed the server at the latest cert files in the archive directory to fix the problem for site users.
Thanks. But that’s because I have pointed the server at the new valid cert in the archive directory rather than the new symlink file in the live directory which still points to the expired certs - as a temporary fix.
So I guess you renamed the directory /etc/letsencrypt/live/wikispooks.com-0001 to /etc/letsencrypt/live/wikispooks.com? But the symbolic links are still pointing to the previous location of the corresponding archive directory. That will confuse certbot. Generally it's best not to manually modify those directories at all, but if you must, be sure to update the symlinks as well. Specifically you need to recreate the symlinks in /etc/letsencrypt/live/wikispooks.com/ so that they point to the latest certificate files in /etc/letsencrypt/archive/wikispooks.com/.
I haven’t modified the file names or directories. I have just modified the apache config file to point to the latest (unexpired) certs in /etc/letsencrypt/archive/. I would appreciate a pointer as to how to get certbot to work properly again because, sure as night follows day, in 3 months I will have forgotten much of this and will have to go through it all again.
PS I do not claim serious sysop expertise. I just muddle through to try to keep the server working OK.
Isn’t it possible that you renamed the directory 3 months ago and subsequently forgot?
Anyway, regardless of how they got that way, the symlinks are broken now so you’ll still need to fix them. Once they’re fixed, certbot should once again be able to renew as normal, and then next time you should not need to do anything at all.
To fix the symlinks you can try this (adapted from the other thread):
Yes JM, that is possible. I think I have enough info to fix things properly now but do not have time to try right now. I'll post again when I have done so, either successfully or to seek more help.
Thanks to all who have chipped in.
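Added example, not part of the original thread and not the command the reply above refers to: a read-only shell check that reports, for one certbot lineage, whether each file in live/ is a symlink, whether it resolves, whether it lands in that lineage's own archive/ directory, and whether it points at the highest-numbered file there. The function name audit_lineage and its status labels are made up for this example; it changes nothing on disk.

```shell
# Added example: read-only audit of one certbot lineage's live/ symlinks.
# usage: audit_lineage <config-dir> <lineage>
#   e.g. audit_lineage /etc/letsencrypt wikispooks.com
audit_lineage() {
    base=$1; name=$2; rc=0
    live="$base/live/$name"; archive="$base/archive/$name"
    if [ ! -d "$live" ] || [ ! -d "$archive" ]; then
        echo "MISSING live/ or archive/ directory for $name"; return 2
    fi
    want_dir=$(cd "$archive" && pwd -P)
    for kind in cert chain fullchain privkey; do
        link="$live/$kind.pem"
        # Highest numbered version in archive/ (numeric, so cert10 beats cert9).
        latest=0
        for f in "$archive/$kind"[0-9]*.pem; do
            [ -e "$f" ] || continue
            n=${f##*/}; n=${n#"$kind"}; n=${n%.pem}
            case $n in *[!0-9]*) continue ;; esac
            if [ "$n" -gt "$latest" ]; then latest=$n; fi
        done
        if [ ! -L "$link" ]; then
            # The condition behind certbot's "expected ... to be a symlink".
            echo "NOT-SYMLINK $kind.pem"; rc=1; continue
        fi
        target=$(readlink "$link")
        if [ ! -e "$link" ]; then
            echo "DANGLING $kind.pem -> $target"; rc=1; continue
        fi
        # Resolve the directory the link really lands in.
        got_dir=$(cd "$live" && cd "$(dirname "$target")" && pwd -P)
        if [ "$got_dir" != "$want_dir" ]; then
            echo "WRONG-DIR $kind.pem -> $target"; rc=1
        elif [ "${target##*/}" != "$kind$latest.pem" ]; then
            echo "STALE $kind.pem -> $target (archive has $kind$latest.pem)"; rc=1
        else
            echo "OK $kind.pem -> $target"
        fi
    done
    return $rc
}
```

A non-zero return means at least one of the four links needs attention; run it with sudo on a real /etc/letsencrypt, since live/ and archive/ are normally readable only by root.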