Creating a certificate without certain domains

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: sudo certbot --nginx

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] PEM_read_bio_X509_AUX("/etc/letsencrypt/live/") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /etc/nginx/nginx.conf test failed

The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError(‘Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] PEM_read_bio_X509_AUX("/etc/letsencrypt/live/") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n’,)

My web server is (include version): nginx/1.12.2

The operating system my web server runs on is (include version): Ubuntu 16.0.4

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0


I wanted to remove a domain name from my existing certificate, because this domain is no longer active on the server. I used the command sudo certbot delete --cert-name but when I ran sudo certbot certificates, I got the answer:

Found the following certs:
Certificate Name:
Expiry Date: 2019-05-14 23:45:08+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/

I thought: “OK. I’ll delete the certificate and recreate it without”. But when I did that, calls to nginx -c /etc/nginx/nginx.conf -t failed because /etc/letsencrypt/live/ no longer existed.

“OK,” thought I, “I’ll recreate it, then nginx will be happy and we can continue.” But no: simply having an empty file at /etc/letsencrypt/live/ is not enough.

How can I reset certbot and nginx so that I can recreate my certificate from scratch?

The Certbot nginx plugin won’t work until you have a working nginx configuration. It can’t perform that repair for you - you’ll need to do it by hand.

What you’ll want to do is just comment out those ssl_certiificate and ssl_certificate_key lines in your nginx configuration that point to the non-existent files. Work on that until it does not complain when you test the config:

nginx -t

Once the above command runs OK, you can continue working with Certbot.

Hi @blackslate

your configuration should have a self signed certificate.

Use that (cert and private key), so your SSL should work.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.