Certificate Renewal and Cleanup

Hello everyone.

I am running Certbot on a Windows 10 machine with Apache 2.4 server.

I did a dry run renewal today and my certificates are due for a live renewal next week. My directories have been a mess for a while and this time around my certificates won't renew. Here is the output:

Traceback (most recent call last):
  File "C:\Program Files (x86)\Certbot\pkgs\certbot_internal\renewal.py", line 70, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot_internal\storage.py", line 468, in __init__
    self._check_symlinks()
  File "C:\Program Files (x86)\Certbot\pkgs\certbot_internal\storage.py", line 538, in _check_symlinks
    raise errors.CertStorageError(
certbot.errors.CertStorageError: expected C:\Certbot\live\domain.com-0001\cert.pem to be a symlink
Renewal configuration file C:\Certbot\renewal\domain.com-0001.conf is broken. Skipping.

I also have a domain.com directory and a domain.com-0002 directory.

I need to create new symlinks, but I don't know where the symbolic links should point at this point.

How can I clean this mess up and get everything under the domain.com directory with correct symlinks so I can renew next week?

Thanks.

I wouldn't bother trying to fix that Certbot install. The EFF dropped support for Windows about 2 years ago. You should switch to an ACME Client that supports Windows. See: Certbot Discontinuing Windows Beta Support in 2024

Good options for a stand-alone ACME Client are:

Given you are using Apache another option is its mod_md feature. This is a built-in ACME Client. If you are reasonably skilled at Apache admin this might be the easiest. See

The Apache docs are a good reference and install overview: mod_md - Apache HTTP Server Version 2.5

The github for mod_md has very good examples: GitHub - icing/mod_md: Let's Encrypt (ACME) in Apache httpd


I am aware of the change. I just don't need to make it. Certbot still works fine and I want to fix what I have working.

That isn't what you said at the top 🙂

I helped you with Certbot last time around as it was still largely working. Maybe someone else will help you with such an obsolete setup but not me this time. Most of us here are volunteers offering our time and expertise for free.

In your prior thread you described using a manual method because your automation would take down your websites. That is a symptom of a brittle setup. As I described then the industry is moving to shorter cert lives and manual approaches are even less viable.

The help I offer this time is limited to recommending migrating to a supported ACME Client. Your goal should be to have a fully automated cert renewal using supported tools.


It was nice of you to message me to tell me you won't help me. I don't see the value in that. My setup is not brittle. My certificates and all my web data is on a network drive on a NAS. I have to renew manually on the local machine and then copy the new certificates to the NAS and restart the server. There is no other way to do it. Certificates on a network drive won't auto-renew.

There are... quite a few ACME clients that support that, and you can also script this kind of deployment; a few clients might also have plugins for your specific flavour of NAS.

Please check if the three mentioned above can fit in your design, or we can check more, just be aware that Windows is harder to get help on than Unix-like systems, here.


Yeah. I don't really have the time to learn something new. I am sticking with Certbot for now and I need to fix these directories and symlinks this week so I can renew next weekend.

Certbot is the recommended client by Let's Encrypt. I don't want an automated cert renewal. It won't work on a network drive.

If you're used to certbot I don't think simple-acme will be that unfamiliar.

Not on Windows. ACME Client Implementations - Let's Encrypt


No, it isn't--at least, not for Windows, where (as you've already been told) it's been unsupported for two years. But you do you, I guess.


It's probably not your intention but that statement suggests that volunteer time here is worth less than your own time, and that they should just stop making suggestions and instead help you fix this particular problem.

To resolve this you will need to repair your symlinks, likely something got copied as a real file instead of a symlink, or if it only affects dry run it could just be a bug in the dry run validation.

Perhaps there is a previous thread here that can help, like Cerbot Symlinks on Windows - #3 by leora

If you do decide to use a new ACME client, the closest to Certbot would be simple-acme. If you want to do something on a network drive you typically need to copy via a UNC path (mapped drives are only available when logged in as a profile) and allow the machine identity (MACHINE$) rather than your current user's profile. It's pretty much always possible to fully automate renewals; it just depends on your administration knowledge and how much effort you put into setting up the automation.

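The repair suggested above (a live file that was copied as a real file instead of a symlink, or a link whose target no longer exists) is what Certbot's own `_check_symlinks` rejects in the traceback at the top of the thread. The following is an added example, written for this page and not Certbot's code or anything posted in the thread. It audits a Certbot config directory the way that check does and repairs it conservatively: a regular file in live/ is only replaced by a symlink when its bytes match a version already in archive/, and a file matching nothing is reported and left alone, since it may be the only copy of a key or certificate. It assumes Certbot's layout (live/<lineage>/cert.pem -> ../../archive/<lineage>/certN.pem, relative links) and builds a constructed sample layout in a temp directory; the file contents are placeholders, not real certificates. Creating symlinks on Windows needs an elevated prompt or Developer Mode.

```python
"""Audit and repair live/ -> archive/ symlinks in a Certbot config directory.

Added example, not Certbot code. Mirrors the two conditions Certbot's
storage check enforces: each live/<lineage>/*.pem must be a symlink, and the
symlink's target must exist.
"""
import os
import re
import shutil
import tempfile
from pathlib import Path

LIVE_FILES = ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem")


def archive_versions(archive_dir: Path, base: str) -> dict:
    """Map version number -> path for archive files such as cert3.pem."""
    pattern = re.compile(rf"^{re.escape(base[:-4])}(\d+)\.pem$")
    found = {}
    if archive_dir.is_dir():
        for p in archive_dir.iterdir():
            m = pattern.match(p.name)
            if m:
                found[int(m.group(1))] = p
    return found


def audit_lineage(config_dir, lineage) -> dict:
    """Classify each live file: ok, dangling-link, regular-file or missing."""
    live = Path(config_dir) / "live" / lineage
    status = {}
    for base in LIVE_FILES:
        link = live / base
        if link.is_symlink():
            # Path.exists() follows the link, so it is False for a dangling one.
            status[base] = "ok" if link.exists() else "dangling-link"
        elif link.exists():
            status[base] = "regular-file"
        else:
            status[base] = "missing"
    return status


def _relink(link: Path, target: Path) -> None:
    """Replace link with a relative symlink, the form Certbot writes (assumed)."""
    if link.is_symlink() or link.exists():
        link.unlink()
    link.symlink_to(os.path.relpath(target, link.parent))


def repair_lineage(config_dir, lineage, dry_run=False) -> dict:
    """Return the action taken (or planned, with dry_run) per live file."""
    config_dir = Path(config_dir)
    live = config_dir / "live" / lineage
    archive = config_dir / "archive" / lineage
    actions = {}
    for base, state in audit_lineage(config_dir, lineage).items():
        link = live / base
        versions = archive_versions(archive, base)
        if state == "ok":
            actions[base] = "kept"
            continue
        if not versions:
            actions[base] = "no-archive-copy"
            continue
        if state == "regular-file":
            # Only replace a real file whose content is already in archive/.
            data = link.read_bytes()
            match = [n for n, p in versions.items() if p.read_bytes() == data]
            if not match:
                actions[base] = "unmatched-regular-file"  # leave it; do not delete
                continue
            target = versions[max(match)]
        else:  # dangling-link or missing: point at the newest archived version
            target = versions[max(versions)]
        actions[base] = f"link->{target.name}"
        if not dry_run:
            _relink(link, target)
    return actions


def build_demo_config(root) -> str:
    """Constructed sample layout (placeholder contents, not real PEM data)."""
    lineage = "domain.com-0001"
    archive = Path(root) / "archive" / lineage
    live = Path(root) / "live" / lineage
    archive.mkdir(parents=True)
    live.mkdir(parents=True)
    for base in LIVE_FILES:
        for n in (1, 2, 3):
            (archive / f"{base[:-4]}{n}.pem").write_text(f"{base} version {n}\n")
    shutil.copy(archive / "cert3.pem", live / "cert.pem")  # real file, the error in the thread
    (live / "chain.pem").symlink_to(Path("..") / ".." / "archive" / lineage / "chain3.pem")
    (live / "fullchain.pem").symlink_to(Path("..") / ".." / "archive" / lineage / "fullchain9.pem")
    # privkey.pem deliberately absent
    return lineage


def run_demo():
    """Audit, repair and re-audit the sample layout; returns the three reports
    plus the archive file each live name resolves to afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        lineage = build_demo_config(tmp)
        before = audit_lineage(tmp, lineage)
        actions = repair_lineage(tmp, lineage)
        after = audit_lineage(tmp, lineage)
        resolved = {b: os.path.basename(os.path.realpath(Path(tmp) / "live" / lineage / b))
                    for b in LIVE_FILES}
    return before, actions, after, resolved


if __name__ == "__main__":
    for label, report in zip(("before", "actions", "after", "resolved"), run_demo()):
        print(f"{label}: {report}")
```

Run it once with `dry_run=True` against a copy of the real C:\Certbot directory before touching anything, and note that the -0001 and -0002 lineages in the thread each have their own archive/ and renewal/ .conf; merging them into a single domain.com lineage is a separate step that this audit does not attempt.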

I looked at all three of these. Certify the Web has a limit to how many certificates it will handle. It doesn't say how many, and I need six. Posh-ACME is a no. I don't have PowerShell installed on the servers and can't install it on those machines. simple-acme doesn't give me the ability to do renewals, so it's useless.

Just to be clear... my statement about time in no way says anything about the value of the volunteer time here. Managing SSL certificates is not part of what I do and I am not a technical person. It's just something I have to do.

If you're running on Windows, you have PowerShell installed by default (albeit an old legacy version).


PowerShell is blocked by Group Policy. I am configuring simple-acme and I got it to send me a test email message. Where can I find a renewals.json sample to look at, and will simple-acme do a dry run to test?

It definitely has that feature. By default it installs a windows scheduled task and renewals will be automatic.

Yes the community edition is currently limited to 5 managed certificates, it assumes if you have more than that you're probably a business. I develop this software. You could add more than one name onto one cert (up to 100 domains) to workaround that limit. Either way there are plenty free tools like Posh-ACME and simple-acme which absolutely work for what you want.


I fixed all the broken symlinks in Certbot yesterday so I can renew with that this time around. The dry runs were successful.

For now I can survive on four certificates, so maybe Certify the Web will work out ok. I only have two domains that include the .com, .org, and .net along with the www. for each. They were all set up at different times so they ended up separated. I need to figure out how to modify those certificates so the .com, .org, and .net are all in one certificate.

Certify has a Renew All button but I don't see a way to renew the certificates one at a time. Is that possible?

Where is Certify getting the information about the certificates? It is seeing a lot of the debris from my mistakes in Certbot over the years, so I need to clean that up. I think moving the current certificates out of Certbot will fix that.

I have simple-acme installed as well. There is an option to renew, but it's grayed out because I don't have a renewals.json file. I can't even find a sample. Where can I get one to look at?

Thanks.

I assume I should move the certificate files out of the Certbot structure to renew with Certify.

Currently it's showing you the config read from Certbot and it's not managing those certificates (it will say Managed By Certbot), it's just telling you that you have the existing config in an external certificate manager (certbot) so you don't accidentally duplicate the certificate requests. You can hide those in the UI by unchecking the External Certificate Managers option under Settings.

So Certify won't renew those externally managed cert for you, it's just telling you other apps are handling those.

If you then create a new Managed Certificate in Certify you can do so for the same domains or any mixture. See Using with Apache, nginx or Other Web Servers | Certify The Web Docs. You will need to use Apache to serve your HTTP domain validation, as that will be using port 80 (http).


Does this mean I have to cancel my existing Certbot certificates and get new ones in Certify the Web?

Nope, just.
