CertStorageError: renewal config file {} is missing a required file reference

Hello.
I’ve previously set up certbot to automatically renew the certificate I created.
The “dry run” didn’t show any errors.
Now I got the email that the certificate will expire soon.
I logged in to the AWS Linux instance to check what’s up and it outputs the error:

sudo certbot renew:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.chan-chan.tk.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 67, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python2.7/site-packages/certbot/storage.py", line 444, in __init__
    "file reference".format(self.configfile))
CertStorageError: renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/www.chan-chan.tk.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

No renewals were attempted.
No hooks were run.

Additionally, the following renewal configurations were invalid:
  /etc/letsencrypt/renewal/www.chan-chan.tk.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 renew failure(s), 1 parse failure(s)

The /etc/letsencrypt/renewal/www.chan-chan.tk.conf file seems to be empty for some reason:

cat /etc/letsencrypt/renewal/www.chan-chan.tk.conf
ls -l /etc/letsencrypt/renewal/www.chan-chan.tk.conf
-rw-r--r-- 1 root root 0 Feb 26 22:36 /etc/letsencrypt/renewal/www.chan-chan.tk.conf

The dry run still succeeds, even with the empty config file:

$ sudo certbot certonly --dry-run -d www.chan-chan.tk
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.chan-chan.tk
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org
Running post-hook command: systemctl reload nginx

IMPORTANT NOTES:
 - The dry run was successful.

How should I proceed from there?
Should I erase all configs and re-create the certificate from scratch?

sudo rm -rf /etc/letsencrypt/archive/www.chan-chan.tk
sudo rm -rf /etc/letsencrypt/live/www.chan-chan.tk
sudo rm /etc/letsencrypt/renewal/www.chan-chan.tk.conf

sudo certbot certonly -d www.chan-chan.tk

Hi @catamphetamine

Looks like your configuration is broken; perhaps you have already deleted / edited a config file without a backup.

You have a working certificate, so don’t delete your live / archive folder.

Rename the www.chan-chan.tk.conf and use your certonly command.

Then run the command again without certonly; Certbot should find the certificate and should ask if you want to install it.

But that works only if your Certbot isn’t too old.

What does this say:

certbot --version

Hi Juergen,

Seems like the version is that old because it says:

$ sudo rm /etc/letsencrypt/renewal/www.chan-chan.tk.conf
$ sudo certbot -d www.chan-chan.tk
Saving debug log to /var/log/letsencrypt/letsencrypt.log
With the webroot plugin, you probably want to use the "certonly" command, eg:

    certbot certonly --webroot

(Alternatively, add a --installer flag. See https://eff.org/letsencrypt-plugins
 and "--help plugins" for more information.)
$ sudo certbot --installer -d www.chan-chan.tk
usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument -i/--installer: expected one argument
$ sudo certbot --version
certbot 0.31.0

I’ll delete the data and recreate the certificates then.
Thanks.

Ok, it worked: I first deleted the old files as mentioned at the end of my original post and then re-created the certificate, and it also created a proper non-empty .conf file.
