Certbot Symlink file broken for renewal due to moving files

urbanski · August 12, 2018, 9:46am

Hi Community,
I’m facing the same problem as in other discussions, but where I could not see the solution working for me: moved my domains from one IP to a new one…all worked fine with my SSL certificates, until now I wanted to renew them and have the same symlink error message.
When I moved to new IP (on 23rd may 2018), I copied all letsencrypt files from previous server to new server.
It worked perfectly, until I tried to renew the certificates with Certbot yesterday.

Thx for your help in advance!

My domain is: skooly.co

I ran this command: certbot renew

It produced this output:

Processing /etc/letsencrypt/renewal/mail.skooly.co.conf

expected /etc/letsencrypt/live/mail.skooly.co/cert.pem to be a symlink

Renewal configuration file /etc/letsencrypt/renewal/mail.skooly.co.conf is broken. Skipping.

Additionally, the following renewal configuration files were invalid:
/etc/letsencrypt/renewal/mail.skooly.co.conf (parsefail)

The operating system my web server runs on is (include version): Linux with Apache 9 on Debian

mnordhoff · August 12, 2018, 9:54am

Can you post “sudo ls -al /etc/letsencrypt/{archive,live}/mail.skooly.co/”?

Edit: Or “sudo ls -alR /etc/letsencrypt/{archive,live}/”?

JuergenAuer · August 12, 2018, 10:03am

Hi @urbanski

renew needs the last configuration. But if you have changed your server: Start new. With the complete domain list.

urbanski · August 12, 2018, 2:33pm

/etc/letsencrypt/archive/:

total 32

drwxr-xr-x 8 root root 4096 May 21 21:08 .

drwxr-xr-x 9 root root 4096 May 21 21:14 ..

drwxr-xr-x 2 root root 4096 May 21 21:07 mail.skooly.co

drwxr-xr-x 2 root root 4096 May 21 21:06 mail.skooly.de

drwxr-xr-x 2 root root 4096 May 21 21:08 mail.skooly.es

drwxr-xr-x 2 root root 4096 May 21 21:07 skooly.co

drwxr-xr-x 2 root root 4096 May 21 21:08 skooly.de

drwxr-xr-x 2 root root 4096 May 21 21:08 skooly.es

/etc/letsencrypt/archive/mail.skooly.co:

total 92

drwxr-xr-x 2 root root 4096 May 21 21:07 .

drwxr-xr-x 8 root root 4096 May 21 21:08 ..

-rw-r--r-- 1 root root 2143 May 21 21:07 cert1.pem

-rw-r--r-- 1 root root 2139 May 21 21:07 cert2.pem

-rw-r--r-- 1 root root 2139 May 21 21:07 cert3.pem

-rw-r--r-- 1 root root 2139 May 21 21:07 cert4.pem

-rw-r--r-- 1 root root 2496 May 21 21:07 cert5.pem

-rw-r--r-- 1 root root 1647 May 21 21:07 chain1.pem

-rw-r--r-- 1 root root 1647 May 21 21:07 chain2.pem

-rw-r--r-- 1 root root 1647 May 21 21:07 chain3.pem

-rw-r--r-- 1 root root 1647 May 21 21:07 chain4.pem

-rw-r--r-- 1 root root 1647 May 21 21:07 chain5.pem

-rw-r--r-- 1 root root 3790 May 21 21:07 fullchain1.pem

-rw-r--r-- 1 root root 3786 May 21 21:07 fullchain2.pem

-rw-r--r-- 1 root root 3786 May 21 21:07 fullchain3.pem

-rw-r--r-- 1 root root 3786 May 21 21:07 fullchain4.pem

-rw-r--r-- 1 root root 4143 May 21 21:07 fullchain5.pem

-rw-r--r-- 1 root root 3272 May 21 21:07 privkey1.pem

-rw-r--r-- 1 root root 3272 May 21 21:07 privkey2.pem

-rw-r--r-- 1 root root 3268 May 21 21:07 privkey3.pem

-rw-r--r-- 1 root root 3272 May 21 21:07 privkey4.pem

-rw-r--r-- 1 root root 3272 May 21 21:07 privkey5.pem

Osiris · August 12, 2018, 2:33pm

And the /live/ directory?

urbanski · August 12, 2018, 2:34pm

Hi Juergen,
so you mean a clean, fresh new certification process?

So I guess I would then have to delete/empty the existing folders?

Thx

urbanski · August 12, 2018, 2:36pm

/etc/letsencrypt/live/:

total 32

drwxr-xr-x 8 root root 4096 May 21 21:11 .

drwxr-xr-x 9 root root 4096 May 21 21:14 …

drwxr-xr-x 2 root root 4096 May 21 21:12 mail.skooly.co

drwxr-xr-x 2 root root 4096 May 21 21:12 mail.skooly.de

drwxr-xr-x 2 root root 4096 May 21 21:13 mail.skooly.es

drwxr-xr-x 2 root root 4096 May 21 21:13 skooly.co

drwxr-xr-x 2 root root 4096 May 21 21:13 skooly.de

drwxr-xr-x 2 root root 4096 May 21 21:13 skooly.es

/etc/letsencrypt/live/mail.skooly.co:

total 28

drwxr-xr-x 2 root root 4096 May 21 21:12 .

drwxr-xr-x 8 root root 4096 May 21 21:11 …

-rw-r–r-- 1 root root 2496 May 21 21:12 cert.pem

-rw-r–r-- 1 root root 1647 May 21 21:12 chain.pem

-rw-r–r-- 1 root root 4143 May 21 21:12 fullchain.pem

-rw-r–r-- 1 root root 3272 May 21 21:12 privkey.pem

/etc/letsencrypt/live/mail.skooly.de:

total 28

drwxr-xr-x 2 root root 4096 May 21 21:12 .

drwxr-xr-x 8 root root 4096 May 21 21:11 …

-rw-r–r-- 1 root root 2496 May 21 21:12 cert.pem

-rw-r–r-- 1 root root 1647 May 21 21:12 chain.pem

-rw-r–r-- 1 root root 4143 May 21 21:12 fullchain.pem

-rw-r–r-- 1 root root 3272 May 21 21:12 privkey.pem

/etc/letsencrypt/live/mail.skooly.es:

total 28

drwxr-xr-x 2 root root 4096 May 21 21:13 .

drwxr-xr-x 8 root root 4096 May 21 21:11 …

-rw-r–r-- 1 root root 2496 May 21 21:13 cert.pem

-rw-r–r-- 1 root root 1647 May 21 21:13 chain.pem

-rw-r–r-- 1 root root 4143 May 21 21:13 fullchain.pem

-rw-r–r-- 1 root root 3268 May 21 21:13 privkey.pem

JuergenAuer · August 12, 2018, 2:51pm

I wouldn't delete someting. The CT-protocol

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:true;domain:skooly.co;issuer_uid:4428624498008853827&lu=cert_search

lists only expired certificates.

So use something like

certbot --your-auth-method -d yourdomainlist --yourinstaller

instead of trying to fix your old configuration.

urbanski · August 12, 2018, 2:54pm

Thx Juergen. Will do so later and let you know the outcome.

Appreciate your help

mnordhoff · August 12, 2018, 3:10pm

Changing the subject, what are the permissions on /etc/letsencrypt? It looks like your private keys are readable by other users on the server.

(Normally /etc/letsencrypt is world-readable but archive and live are not.)

Back to the original subject:

The live directories are supposed to contain symlinks to the equivalent files in the archive directories. The copying process must have converted the symlinks to their target files instead of preserving them, so Certbot is having trouble working with them.

The question's what to do about it. You can manually fix all of them. Certbot has a command to fix symlinks, but I'm not sure if it can handle this situation.

You can also delete everything and start over, but that can be even more of a hassle. (For example, if the files are missing, your server daemons won't reload or (re)start, which may make it difficult to get new certificates without changing the web server configuration.)

urbanski · August 12, 2018, 4:32pm

UUUfff…that sound scary. Will try to fix the symlinks with the Certbot command as you mentioned and let you know.

Thanks for pointing out the permissions issue ! Will fix it.

urbanski · August 17, 2018, 9:38am

Just to let you know: I deleted all the files and issued new certificates, than symlinked them and now everything seems to work.

Thx for your help averybody and keep the great community up!

Best from Barcelona

Osiris · August 17, 2018, 9:21pm

Euh, symlinked them too what exactly? If you get a certificate with certbot, it will place the symlinks in /live/ itself?

urbanski · August 18, 2018, 11:11am

You’re right, should have expressed me better:
They came with automatic symlink via Certbot.
However, they were linked to a new directory skooly.co-0001 for example (even though I deleted files and directory before). So I removed the links, changed the names and linked them again.

system · September 17, 2018, 11:11am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.