"could not find cert file" renewing SECOND domain


#1

I am trying to renew several domains. I had to use the standalone module when I first got the certificates, and so I modified the renewal instructions to use that. The renewal succeeded fine for my first attempt.

The instructions claimed all the files should be right where they could be used, but I discovered this was not true. Instead of being in /etc/letsencrypt/live/example1.com, they were in /etc/letsencrypt/live/example1.com-0001. I moved the old directory to example1.com-0000 and the new directory to example1.com, restarted the web server, and found the new certificate live.

But when I tried to repeat the process only changing the domain name, I got an error:

$ ./letsencrypt-auto --standalone --standalone-supported-challenges tls-sni-01 --server https://acme-v01.api.letsencrypt.org/directory certonly -d example2.com
-n Updating letsencrypt and virtual environment dependencies…
-n .
-n .
-n .

Running with virtualenv: sudo /Users/michael/.local/share/letsencrypt/bin/letsencrypt --standalone --standalone-supported-challenges tls-sni-01 --server https://acme-v01.api.letsencrypt.org/directory certonly -d example2.com
could not find cert file
$

Thinking maybe my moving directories confused something, I moved the directories back the way they were and tried again, without any success.

What am I doing wrong?


#2

After wrestling with this a bit further, I found the logs in /var/log/letsencrypt, which suggested that I hadn’t properly moved the directories back. When I fixed that, suddenly the second domain renewal worked. However, there is still the question of why the files are not being put in the same directory as before. How can I get this to happen so I don’t have to edit my server config files to point to the new keys?


#3

@michael314, I think you found a bug in the renewal process; when you say that “the renewal succeeded” but the files ended up in a different directory, I would not regard that as a renewal at all, from the client’s point of view, but rather as creating a totally independent cert that applies to the same names. (The client apparently does not know that these certs are related to each other in the sense that you meant for the new one to replace the old one.)

Can you tell me more about how you tried to do the renewal, like what command you used the first time? Did you ask for exactly the same names as before, including any www. names? The way that the renewal logic currently works – and we’re trying to create some more convenient alternatives – would require you to explicitly ask for every single name that the original cert covers, or else the client thinks that you want a new, independent cert.

The reason that moving things around doesn’t work has to do with the renewal configuration files (in /etc/letsencrypt/renewal), but I wouldn’t really suggest editing those. Instead, we should ideally figure out what went wrong with the client and how to fix it.


#4

Thanks @schoen for your reply. After I figured that last part out, I renewed the rest of my domains. When I was done I noticed that only two of them has a -0001 suffix created for them, including the very first domain I had tried to renew.

Somewhere in one of the output messages I saw, and now I forgot where it was, it seemed to suggest that when I initially obtained the certs, I somehow got the certs for the two domains which had -0001 suffixes created using a different command line from the others, I think both using a single invocation of letencrypt-auto. However I could not find my notes from the original cert creation so I don’t have a record of what that command line actually was, all I have was the command creating them one at a time.

I did notice that when I tried to renew them all on the same command line separating each domain by a space the message it gave suggested to me that I might be doing something wrong - does this generate a single certificate for all these domains? If so, this may have been what I originally did, but in renewing I wasn’t sure this was something I should do.


#5

@michael314, yes, currently there is no way to ask the client to renew multiple certificates at once (we’re working on that now). If you run the client with a long list of -d values, you’ll get a single cert containing all of the domains that you specified. If you have an existing cert that contains a subset of those domains, the new cert containing all of them will replace that existing cert, unless you said --duplicate or indicated this preference in the menu.

Right now the only way to use the client to “renew” an existing cert is to specify exactly the list of domains that that existing cert contains when re-running the client (no more and no fewer). Once we have the renew client verb in place, it may have different behavior for this.