Copied certificates to a different folder now can't renew

When configuring SSL, I copied my certificates from c:\certbot\live\archivepahs.org to c:\SSL. (work done by freelancer while I watched). My website runs on a Windows 10 server running Tomcat behind nginx. I tested renewal today and it failed. Belatedly, I see the readme file with its warning against moving certificates. How can I fix my problem?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
http://archivepahs.org
I ran this command: certbot certificates

It produced this output:
Saving debug log to C:\Certbot\log\letsencrypt.log
Renewal configuration file C:\Certbot\renewal\archivepahs.org.conf produced an unexpected error: expected C:\Certbot\live\archivepahs.org\cert.pem to be a symlink. Skipping.


The following renewal configurations were invalid:
C:\Certbot\renewal\archivepahs.org.conf


My web server is (include version): nginx 1.20.2

The operating system my web server runs on is (include version): Windows 10 21H2 (OS Build 19044.1706)

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.16.0

There is no problem copying files (*) from the certbot folders, but you must not move them.

We could view all the files in your various folders. Or, you could try this command first and maybe it will fix them. The "files" in the /live/ folder are symlinks to the files in /archive/. This command will restore these symlinks. But, if you moved them out of archive this won't help.

certbot update_symlinks

(*) Although, if you copy certs from the certbot folders you need to remember to copy them each time you renew the certs

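The re-copy after each renewal mentioned in the note above can be done by a certbot deploy hook, which certbot runs after a successful renewal with RENEWED_LINEAGE set to the lineage's live folder. This is an added example, not part of the original posts or of certbot; C:\SSL comes from the question, while the two file names and the function names are assumptions.

```python
import os
import shutil
import sys
from pathlib import Path

DEST = Path(r"C:\SSL")                      # destination folder named in the question
FILES = ("fullchain.pem", "privkey.pem")    # assumption: the files the web server config references


def deploy(lineage: Path, dest: Path, files=FILES) -> list:
    """Copy (never move) the renewed files out of live/ into dest."""
    # Check everything first so a missing file cannot leave a half-updated pair.
    for name in files:
        if not (lineage / name).is_file():  # is_file() follows the symlink into archive/
            raise FileNotFoundError(lineage / name)
    dest.mkdir(parents=True, exist_ok=True)
    written = []
    for name in files:
        tmp = dest / (name + ".new")
        shutil.copyfile(lineage / name, tmp)  # copies the contents the symlink points at
        os.replace(tmp, dest / name)          # swap in one step; no partially written file
        written.append(dest / name)
    return written


def main(environ=os.environ) -> int:
    lineage = environ.get("RENEWED_LINEAGE")  # set by certbot when it runs a deploy hook
    if not lineage:
        print("RENEWED_LINEAGE is not set; run this through certbot --deploy-hook",
              file=sys.stderr)
        return 1
    deploy(Path(lineage), DEST)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Pass the script to certbot with --deploy-hook, and reload nginx afterwards, since it reads certificate files only at start or reload.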

Thanks for the prompt reply!

I got a warning when I issued the command:
C:\Certbot>certbot update_symlinks
Saving debug log to C:\Certbot\log\letsencrypt.log
Expected C:\Certbot\live\archivepahs.org\cert.pem to be a symlink
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

Then I issued another command:
C:\Certbot>certbot certificates
Saving debug log to C:\Certbot\log\letsencrypt.log
Renewal configuration file C:\Certbot\renewal\archivepahs.org.conf produced an unexpected error: expected C:\Certbot\live\archivepahs.org\cert.pem to be a symlink. Skipping.


The following renewal configurations were invalid:
C:\Certbot\renewal\archivepahs.org.conf


Is everything good or do I need to address these messages? Also, I understand that I will need to copy the certs to the production folder after each renewal. Will I also need to run the update_symlinks command?
Thanks.

Steve

No, everything is not good. Something is damaged within your certbot folder structure. Cert renewals will fail unless fixed.

The update_symlinks was hoped to fix that damage but it did not.

Can you show output of these commands:

dir c:\certbot\live\archivepahs.org
dir c:\certbot\archive\archivepahs.org

C:\Certbot>dir c:\certbot\live\archivepahs.org
Volume in drive C has no label.
Volume Serial Number is 10C5-8029

Directory of c:\certbot\live\archivepahs.org

05/03/2022 12:51 PM .
05/03/2022 12:51 PM ..
05/03/2022 11:17 AM 1,842 cert.pem
05/03/2022 11:17 AM 3,749 chain.pem
05/03/2022 11:17 AM 5,591 fullchain.pem
05/03/2022 11:17 AM 1,704 privkey.pem
05/03/2022 11:17 AM 706 README
5 File(s) 13,592 bytes
2 Dir(s) 181,152,219,136 bytes free

AND
C:\Certbot>dir c:\certbot\archive\archivepahs.org
Volume in drive C has no label.
Volume Serial Number is 10C5-8029

Directory of c:\certbot\archive\archivepahs.org

05/03/2022 11:17 AM .
05/03/2022 11:17 AM ..
05/03/2022 11:17 AM 1,842 cert1.pem
05/03/2022 11:17 AM 3,749 chain1.pem
05/03/2022 11:17 AM 5,591 fullchain1.pem
05/03/2022 11:17 AM 1,704 privkey1.pem
4 File(s) 12,886 bytes
2 Dir(s) 181,152,088,064 bytes free

I had issued the certbot renew command initially even though I knew that they weren't due for renewal. Perhaps that is what corrupted the C:\Certbot\renewal\archivepahs.org.conf file. I was expecting it to tell me that it wasn't due for renewal yet but I got errors instead. I hope this information is helpful.

I'll be away from my computer for a couple of hours. Back later this morning.

Steve

No, a certbot renew would not corrupt your files. They were most likely damaged when trying to make copies of them and someone overlaid the files in the /live/ folder.

The files in the /live/ folder can be recovered from the /archive/ folder manually if need be, so try this (I don't have a Windows/certbot setup to try myself, sorry):

del c:\certbot\live\archivepahs.org\*.pem
certbot update_symlinks
certbot certificates

It looks like update_symlinks failed:
C:\Certbot>certbot update_symlinks
Saving debug log to C:\Certbot\log\letsencrypt.log
Expected C:\Certbot\live\archivepahs.org\cert.pem to be a symlink
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

The certbot\live\archivepahs.org folder does not contain any pem files, and the archive folder looks the same.

Hmm. You can make the symlinks yourself like this.
Try this and run certbot certificates after

First, change current directory to: c:\certbot\live\archivepahs.org
You will need to be in a Windows command shell, not PowerShell, for mklink.

Then

mklink cert.pem c:\certbot\archive\archivepahs.org\cert1.pem
mklink chain.pem c:\certbot\archive\archivepahs.org\chain1.pem
mklink fullchain.pem c:\certbot\archive\archivepahs.org\fullchain1.pem
mklink privkey.pem c:\certbot\archive\archivepahs.org\privkey1.pem
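The mklink commands above hard-code the "1" suffix, which is correct only until a renewal adds cert2.pem and so on to the archive folder. As an added example (not from the thread and not certbot's own code), this script audits a lineage's live folder and relinks it to the newest complete set in archive; the function names and status labels are assumptions.

```python
import os
import re
from pathlib import Path

KINDS = ("cert", "chain", "fullchain", "privkey")


def latest_version(archive: Path) -> int:
    """Highest N for which all four <kind>N.pem files exist in archive/."""
    complete = None
    for kind in KINDS:
        nums = {int(m.group(1)) for p in archive.iterdir()
                if (m := re.fullmatch(rf"{kind}(\d+)\.pem", p.name))}
        complete = nums if complete is None else complete & nums
    if not complete:
        raise FileNotFoundError(f"no complete certificate set in {archive}")
    return max(complete)


def audit_live(config_dir: Path, lineage: str) -> dict:
    """Map each kind to 'ok', 'missing', 'regular-file' or 'stale-link'."""
    live, archive = (config_dir / d / lineage for d in ("live", "archive"))
    n = latest_version(archive)
    report = {}
    for kind in KINDS:
        link, want = live / f"{kind}.pem", archive / f"{kind}{n}.pem"
        if not os.path.lexists(link):
            report[kind] = "missing"
        elif not link.is_symlink():
            report[kind] = "regular-file"   # the state certbot rejected in this thread
        else:
            report[kind] = "ok" if link.resolve() == want.resolve() else "stale-link"
    return report


def relink(config_dir: Path, lineage: str) -> dict:
    """Rebuild broken live/ entries as symlinks to the newest archive files."""
    live, archive = (config_dir / d / lineage for d in ("live", "archive"))
    n = latest_version(archive)
    for kind, status in audit_live(config_dir, lineage).items():
        link, want = live / f"{kind}.pem", archive / f"{kind}{n}.pem"
        if status == "ok":
            continue
        # Only delete a regular file if archive/ holds an identical copy.
        if status == "regular-file" and link.read_bytes() != want.read_bytes():
            raise RuntimeError(f"{link} differs from {want}; not deleting it")
        if status != "missing":
            link.unlink()
        os.symlink(want, link)  # on Windows: needs an elevated prompt or Developer Mode
    return audit_live(config_dir, lineage)
```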

Success! That worked. Thank you for your help. The certificate expires on August 1 so I have another 20 days before I'll be able to renew it. That will be my first renewal since I got it configured for TLS.

Steve
