CertStorageError (Symlink) and renewal.conf broken


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
I ran this command:
sudo certbot renew --dry-run
It produced this output:

Processing /etc/letsencrypt/renewal/antonioalaniz.com.conf

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot/renewal.py”, line 64, in _reconstitute
renewal_candidate = storage.RenewableCert(full_path, config)
File “/usr/lib/python3/dist-packages/certbot/storage.py”, line 460, in init
File “/usr/lib/python3/dist-packages/certbot/storage.py”, line 519, in _check_symlinks
“expected {0} to be a symlink”.format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/antonioalaniz.com/privkey.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/antonioalaniz.com.conf is broken. Skipping.

Processing /etc/letsencrypt/renewal/antonioalaniz.com-0001.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for antonioalaniz.com
http-01 challenge for www.antonioalaniz.com
Waiting for verification…
Cleaning up challenges

new certificate deployed with reload of nginx server; fullchain is

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/antonioalaniz.com-0001/fullchain.pem (success)

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/antonioalaniz.com.conf (parsefail)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

0 renew failure(s), 1 parse failure(s)
My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

Additional Notes:
Output for ls -l on /etc/letsencrypt/live/antonioalaniz.com–
total 8
lrwxrwxrwx 1 root root 41 Mar 13 2017 cert.pem -> …/…/archive/antonioalaniz.com/cert1.pem
lrwxrwxrwx 1 root root 42 Mar 13 2017 chain.pem -> …/…/archive/antonioalaniz.com/chain1.pem
-rw-r–r-- 1 root root 3448 Sep 8 2017 fullchain.pem
-rw-r–r-- 1 root root 1704 Sep 8 2017 privkey.pem

nginx conf certs–
ssl_certificate /etc/letsencrypt/live/antonioalaniz.com-0001/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/antonioalaniz.com-0001/privkey.pem; # managed by Certbot

antonioalaniz.com.conf cert locations–
|1|cert = /etc/letsencrypt/live/antonioalaniz.com/cert.pem
|2|privkey = /etc/letsencrypt/live/antonioalaniz.com/privkey.pem
|3|chain = /etc/letsencrypt/live/antonioalaniz.com/chain.pem
|4|fullchain = /etc/letsencrypt/live/antonioalaniz.com/fullchain.pem

  • I do see the fullchain.pem and privkey.pem files in the nginx.conf cert locations and the /etc/letsencrypt/live/antonioalaniz.com/ locations.

Should I symlink fullchain.pem and privkey.pem to one of these dirs? Also, how can I find out what’s causing the parsing error? As is, will this cause issues with my current cert renewals? I just followed a tutorial (How to stop using TLS-SNI-01 with Certbot) on removing TLS-SNI-01 from certbot renewals.


Can you post “sudo certbot certificates” and “sudo ls -al /etc/letsencrypt/archive/antonioalaniz.com/” as well?

The “parsing” error is referring to the symlink issue – certbot renew puts it under the category of “configuration parsing error” even though it’s not exactly.


Sure thing. Here’s sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/antonioalaniz.com.conf produced an unexpected error: expected /etc/letsencrypt/live/antonioalaniz.com/privkey.pem to be a symlink. Skipping.

Found the following certs:
Certificate Name: antonioalaniz.com-0001
Domains: antonioalaniz.com www.antonioalaniz.com
Expiry Date: 2019-03-01 11:44:35+00:00 (VALID: 33 days)
Certificate Path: /etc/letsencrypt/live/antonioalaniz.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/antonioalaniz.com-0001/privkey.pem

The following renewal configurations were invalid:

and here’s sudo ls -al /etc/letsencrypt/archive/antonioalaniz.com/

total 24
drwxr-xr-x 2 root root 4096 Mar 13 2017 .
drwx------ 4 root root 4096 Jun 10 2017 …
-rw-r–r-- 1 root root 1834 Mar 13 2017 cert1.pem
-rw-r–r-- 1 root root 1647 Mar 13 2017 chain1.pem
-rw-r–r-- 1 root root 3481 Mar 13 2017 fullchain1.pem
-rw-r–r-- 1 root root 1704 Mar 13 2017 privkey1.pem



Assuming the name and last modified dates aren’t misleading, both the antonioalaniz.com and antonioalaniz.com-0001 certificates are for the same two names, antonioalaniz.com and www.antonioalaniz.com.

You can confirm that with e.g.:

openssl x509 -in /etc/letsencrypt/live/antonioalaniz.com/cert.pem -noout -text | egrep 'DNS|Not'
openssl x509 -in /etc/letsencrypt/live/antonioalaniz.com/fullchain.pem -noout -text | egrep 'DNS|Not'
openssl x509 -in /etc/letsencrypt/archive/antonioalaniz.com/fullchain1.pem -noout -text | egrep 'DNS|Not'

While you can fix the antonioalaniz.com certificate, you don’t need it. I’d suggest ensuring that nothing is using it, and then just deleting it.

sudo certbot delete --cert-name antonioalaniz.com” would normally work. Under these circumstances, I’m not sure it will. You can delete: