Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
antonioalaniz.com
I ran this command:
sudo certbot renew --dry-run
It produced this output:
Processing /etc/letsencrypt/renewal/antonioalaniz.com.conf
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 64, in _reconstitute
renewal_candidate = storage.RenewableCert(full_path, config)
File "/usr/lib/python3/dist-packages/certbot/storage.py", line 460, in __init__
self._check_symlinks()
File "/usr/lib/python3/dist-packages/certbot/storage.py", line 519, in _check_symlinks
"expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/antonioalaniz.com/privkey.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/antonioalaniz.com.conf is broken. Skipping.
Processing /etc/letsencrypt/renewal/antonioalaniz.com-0001.conf
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for antonioalaniz.com
http-01 challenge for www.antonioalaniz.com
Waiting for verification...
Cleaning up challenges
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/antonioalaniz.com-0001/fullchain.pem
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/antonioalaniz.com-0001/fullchain.pem (success)
Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/antonioalaniz.com.conf (parsefail)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
0 renew failure(s), 1 parse failure(s)
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
DigitalOcean
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0
Additional Notes:
Output for ls -l on /etc/letsencrypt/live/antonioalaniz.com:
total 8
lrwxrwxrwx 1 root root 41 Mar 13 2017 cert.pem -> ../../archive/antonioalaniz.com/cert1.pem
lrwxrwxrwx 1 root root 42 Mar 13 2017 chain.pem -> ../../archive/antonioalaniz.com/chain1.pem
-rw-r--r-- 1 root root 3448 Sep 8 2017 fullchain.pem
-rw-r--r-- 1 root root 1704 Sep 8 2017 privkey.pem
nginx conf certs:
ssl_certificate /etc/letsencrypt/live/antonioalaniz.com-0001/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/antonioalaniz.com-0001/privkey.pem; # managed by Certbot
antonioalaniz.com.conf cert locations:
cert = /etc/letsencrypt/live/antonioalaniz.com/cert.pem
privkey = /etc/letsencrypt/live/antonioalaniz.com/privkey.pem
chain = /etc/letsencrypt/live/antonioalaniz.com/chain.pem
fullchain = /etc/letsencrypt/live/antonioalaniz.com/fullchain.pem
- I do see the fullchain.pem and privkey.pem files in the nginx.conf cert locations and the /etc/letsencrypt/live/antonioalaniz.com/ locations.
Should I symlink fullchain.pem and privkey.pem to one of these dirs? Also, how can I find out what’s causing the parsing error? As is, will this cause issues with my current cert renewals? I just followed a tutorial (How to stop using TLS-SNI-01 with Certbot) on removing TLS-SNI-01 from certbot renewals.
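The condition behind the CertStorageError in the traceback above (each of the four .pem entries in a live directory has to be a symlink that resolves) can be checked read-only without running certbot. This is an added example, not part of the original post and not certbot's own code; `check_lineage`, `build_sample` and the `example.test` domain are hypothetical, and the sample directory is constructed to mirror the ls -l listing in the post.

```python
import os
import sys
import tempfile

# The four entries listed in the renewal .conf quoted in the post.
KINDS = ("cert", "privkey", "chain", "fullchain")


def check_lineage(live_dir):
    """Return (filename, problem) pairs for entries that are not usable symlinks."""
    problems = []
    for kind in KINDS:
        name = kind + ".pem"
        path = os.path.join(live_dir, name)
        if not os.path.lexists(path):
            problems.append((name, "missing"))
        elif not os.path.islink(path):
            problems.append((name, "regular file, expected a symlink"))
        elif not os.path.exists(path):  # exists() follows the link
            problems.append((name, "dangling symlink"))
    return problems


def build_sample(root, domain="example.test"):
    """Constructed layout mirroring the ls -l listing: two links, two plain files."""
    archive = os.path.join(root, "archive", domain)
    live = os.path.join(root, "live", domain)
    os.makedirs(archive)
    os.makedirs(live)
    for kind in ("cert", "chain"):
        open(os.path.join(archive, kind + "1.pem"), "w").close()
        target = os.path.join("..", "..", "archive", domain, kind + "1.pem")
        os.symlink(target, os.path.join(live, kind + ".pem"))
    for kind in ("fullchain", "privkey"):
        open(os.path.join(live, kind + ".pem"), "w").close()
    return live


if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. a directory under /etc/letsencrypt/live, read-only
        dirs, tmp = sys.argv[1:], None
    else:                   # no argument: run on the constructed sample
        tmp = tempfile.TemporaryDirectory()
        dirs = [build_sample(tmp.name)]
    for d in dirs:
        for name, problem in check_lineage(d):
            print(f"{d}/{name}: {problem}")
```

Run with one or more live directories as arguments (as root, since the live tree is normally not world-readable); with no argument it reports on the constructed sample.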