Dry run works, but real renew has all renewal attempts fail with: "produced an unexpected error: [Errno 17] File exists: '/etc/letsencrypt/archive/mydomain.com/privkey3.pem'"

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: uphreak.com, fococw.com, fococw.org

I ran this command: certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/fococw.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for fococw.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/fococw.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/fococw.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for fococw.org
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/fococw.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/uphreak.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for anon.uphreak.com
http-01 challenge for moh.uphreak.com
http-01 challenge for phone.uphreak.com
http-01 challenge for rig.uphreak.com
http-01 challenge for test.uphreak.com
http-01 challenge for uphreak.com
http-01 challenge for video.uphreak.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/uphreak.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/fococw.com/fullchain.pem (success)
  /etc/letsencrypt/live/fococw.org/fullchain.pem (success)
  /etc/letsencrypt/live/uphreak.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version): lighttpd

The operating system my web server runs on is (include version): centos7

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.37.2

I ran this command: certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/fococw.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Attempting to renew cert (fococw.com) from /etc/letsencrypt/renewal/fococw.com.conf produced an unexpected error: [Errno 17] File exists: '/etc/letsencrypt/archive/fococw.com/privkey3.pem'. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/fococw.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Attempting to renew cert (fococw.org) from /etc/letsencrypt/renewal/fococw.org.conf produced an unexpected error: [Errno 17] File exists: '/etc/letsencrypt/archive/fococw.org/privkey3.pem'. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/uphreak.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Attempting to renew cert (uphreak.com) from /etc/letsencrypt/renewal/uphreak.com.conf produced an unexpected error: [Errno 17] File exists: '/etc/letsencrypt/archive/uphreak.com/privkey3.pem'. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/fococw.com/fullchain.pem (failure)
  /etc/letsencrypt/live/fococw.org/fullchain.pem (failure)
  /etc/letsencrypt/live/uphreak.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/fococw.com/fullchain.pem (failure)
  /etc/letsencrypt/live/fococw.org/fullchain.pem (failure)
  /etc/letsencrypt/live/uphreak.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
3 renew failure(s), 0 parse failure(s)
[root@uphreak etamme]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: fococw.com
    Domains: fococw.com
    Expiry Date: 2019-11-19 12:35:53+00:00 (VALID: 19 days)
    Certificate Path: /etc/letsencrypt/live/fococw.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/fococw.com/privkey.pem
  Certificate Name: fococw.org
    Domains: fococw.org
    Expiry Date: 2019-11-19 12:36:02+00:00 (VALID: 19 days)
    Certificate Path: /etc/letsencrypt/live/fococw.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/fococw.org/privkey.pem
  Certificate Name: uphreak.com
    Domains: uphreak.com anon.uphreak.com moh.uphreak.com phone.uphreak.com rig.uphreak.com test.uphreak.com video.uphreak.com
    Expiry Date: 2019-11-19 12:36:15+00:00 (VALID: 19 days)
    Certificate Path: /etc/letsencrypt/live/uphreak.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/uphreak.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 Like

Can you post the output of “sudo ls -alR /etc/letsencrypt/{archive,live,renewal}”?

FWIW, please don’t repeatedly run “certbot renew” before this has been fixed. You might issue a bunch of duplicate certificates that don’t get saved properly. (They would probably be recoverable, but still.)

(Running “certbot renew --dry-run” is fine, though.)

2 Likes

Thanks for your reply - here is the output.

sudo ls -alR /etc/letsencrypt/{archive,live,renewal}
/etc/letsencrypt/archive:
total 44
drwx------ 11 root root 4096 Jun 12 09:30 .
drwxr-xr-x 10 root root 4096 Oct 30 11:00 ..
drwxr-xr-x  2 root root 4096 Jun 12 09:12 fococw.com
drwxr-xr-x  2 root root 4096 Jun 12 08:55 fococw.com-0001
drwxr-xr-x  2 root root 4096 Aug 21 09:19 fococw.com-0002
drwxr-xr-x  2 root root 4096 Jun 12 08:55 fococw.org
drwxr-xr-x  2 root root 4096 Aug 21 09:19 fococw.org-0001
drwxr-xr-x  2 root root 4096 Mar 13  2019 uphreak.com
drwxr-xr-x  2 root root 4096 Jun 12 08:59 uphreak.com-0001
drwxr-xr-x  2 root root 4096 Jun 12 09:03 uphreak.com-0002
drwxr-xr-x  2 root root 4096 Aug 21 09:19 uphreak.com-0003

/etc/letsencrypt/archive/fococw.com:
total 72
drwxr-xr-x  2 root root 4096 Jun 12 09:12 .
drwx------ 11 root root 4096 Jun 12 09:30 ..
-rw-r--r--  1 root root 2159 Sep 20  2018 cert1.pem
-rw-r--r--  1 root root 1915 Dec  9  2018 cert2.pem
-rw-r--r--  1 root root 1915 Mar 13  2019 cert3.pem
-rw-r--r--  1 root root 1911 Jun 12 09:12 cert4.pem
-rw-r--r--  1 root root 1647 Sep 20  2018 chain1.pem
-rw-r--r--  1 root root 1647 Dec  9  2018 chain2.pem
-rw-r--r--  1 root root 1647 Mar 13  2019 chain3.pem
-rw-r--r--  1 root root 1647 Jun 12 09:12 chain4.pem
-rw-r--r--  1 root root 3806 Sep 20  2018 fullchain1.pem
-rw-r--r--  1 root root 3562 Dec  9  2018 fullchain2.pem
-rw-r--r--  1 root root 3562 Mar 13  2019 fullchain3.pem
-rw-r--r--  1 root root 3558 Jun 12 09:12 fullchain4.pem
-rw-r--r--  1 root root 1704 Sep 20  2018 privkey1.pem
-rw-r--r--  1 root root 1704 Dec  9  2018 privkey2.pem
-rw-r--r--  1 root root 1704 Mar 13  2019 privkey3.pem
-rw-r--r--  1 root root 1704 Jun 12 09:12 privkey4.pem

/etc/letsencrypt/archive/fococw.com-0001:
total 104
drwxr-xr-x  2 root root 4096 Jun 12 08:55 .
drwx------ 11 root root 4096 Jun 12 09:30 ..
-rw-r--r--  1 root root 1899 Apr  8  2019 cert1.pem
-rw-r--r--  1 root root 1899 May  1  2019 cert2.pem
-rw-r--r--  1 root root 1895 May 22 13:12 cert3.pem
-rw-r--r--  1 root root 1899 Jun  1 00:00 cert4.pem
-rw-r--r--  1 root root 1895 Jun  4 08:44 cert5.pem
-rw-r--r--  1 root root 1895 Jun 12 08:55 cert6.pem
-rw-r--r--  1 root root 1647 Apr  8  2019 chain1.pem
-rw-r--r--  1 root root 1647 May  1  2019 chain2.pem
-rw-r--r--  1 root root 1647 May 22 13:12 chain3.pem
-rw-r--r--  1 root root 1647 Jun  1 00:00 chain4.pem
-rw-r--r--  1 root root 1647 Jun  4 08:44 chain5.pem
-rw-r--r--  1 root root 1647 Jun 12 08:55 chain6.pem
-rw-r--r--  1 root root 3546 Apr  8  2019 fullchain1.pem
-rw-r--r--  1 root root 3546 May  1  2019 fullchain2.pem
-rw-r--r--  1 root root 3542 May 22 13:12 fullchain3.pem
-rw-r--r--  1 root root 3546 Jun  1 00:00 fullchain4.pem
-rw-r--r--  1 root root 3542 Jun  4 08:44 fullchain5.pem
-rw-r--r--  1 root root 3542 Jun 12 08:55 fullchain6.pem
-rw-------  1 root root 1700 Apr  8  2019 privkey1.pem
-rw-------  1 root root 1704 May  1  2019 privkey2.pem
-rw-------  1 root root 1704 May 22 13:12 privkey3.pem
-rw-------  1 root root 1704 Jun  1 00:00 privkey4.pem
-rw-------  1 root root 1704 Jun  4 08:44 privkey5.pem
-rw-------  1 root root 1708 Jun 12 08:55 privkey6.pem

/etc/letsencrypt/archive/fococw.com-0002:
total 40
drwxr-xr-x  2 root root 4096 Aug 21 09:19 .
drwx------ 11 root root 4096 Jun 12 09:30 ..
-rw-r--r--  1 root root 1899 Jun 12 09:30 cert1.pem
-rw-r--r--  1 root root 1895 Aug 21 09:19 cert2.pem
-rw-r--r--  1 root root 1647 Jun 12 09:30 chain1.pem
-rw-r--r--  1 root root 1647 Aug 21 09:19 chain2.pem
-rw-r--r--  1 root root 3546 Jun 12 09:30 fullchain1.pem
-rw-r--r--  1 root root 3542 Aug 21 09:19 fullchain2.pem
-rw-------  1 root root 1704 Jun 12 09:30 privkey1.pem
-rw-------  1 root root 1704 Aug 21 09:19 privkey2.pem

/etc/letsencrypt/archive/fococw.org:
total 136
drwxr-xr-x  2 root root 4096 Jun 12 08:55 .
drwx------ 11 root root 4096 Jun 12 09:30 ..
-rw-r--r--  1 root root 2143 Sep 20  2018 cert1.pem
-rw-r--r--  1 root root 1899 Mar 13  2019 cert2.pem
-rw-r--r--  1 root root 1899 Apr  8  2019 cert3.pem
-rw-r--r--  1 root root 1895 May  1  2019 cert4.pem
-rw-r--r--  1 root root 1895 May 22 13:13 cert5.pem
-rw-r--r--  1 root root 1899 Jun  1 00:00 cert6.pem
-rw-r--r--  1 root root 1899 Jun  4 08:44 cert7.pem
-rw-r--r--  1 root root 1899 Jun 12 08:55 cert8.pem
-rw-r--r--  1 root root 1647 Sep 20  2018 chain1.pem
-rw-r--r--  1 root root 1647 Mar 13  2019 chain2.pem
-rw-r--r--  1 root root 1647 Apr  8  2019 chain3.pem
-rw-r--r--  1 root root 1647 May  1  2019 chain4.pem
-rw-r--r--  1 root root 1647 May 22 13:13 chain5.pem
-rw-r--r--  1 root root 1647 Jun  1 00:00 chain6.pem
-rw-r--r--  1 root root 1647 Jun  4 08:44 chain7.pem
-rw-r--r--  1 root root 1647 Jun 12 08:55 chain8.pem
-rw-r--r--  1 root root 3790 Sep 20  2018 fullchain1.pem
-rw-r--r--  1 root root 3546 Mar 13  2019 fullchain2.pem
-rw-r--r--  1 root root 3546 Apr  8  2019 fullchain3.pem
-rw-r--r--  1 root root 3542 May  1  2019 fullchain4.pem
-rw-r--r--  1 root root 3542 May 22 13:13 fullchain5.pem
-rw-r--r--  1 root root 3546 Jun  1 00:00 fullchain6.pem
-rw-r--r--  1 root root 3546 Jun  4 08:44 fullchain7.pem
-rw-r--r--  1 root root 3546 Jun 12 08:55 fullchain8.pem
-rw-r--r--  1 root root 1704 Sep 20  2018 privkey1.pem
-rw-r--r--  1 root root 1704 Mar 13  2019 privkey2.pem
-rw-r--r--  1 root root 1704 Apr  8  2019 privkey3.pem
-rw-r--r--  1 root root 1704 May  1  2019 privkey4.pem
-rw-r--r--  1 root root 1704 May 22 13:13 privkey5.pem
-rw-r--r--  1 root root 1704 Jun  1 00:00 privkey6.pem
-rw-r--r--  1 root root 1704 Jun  4 08:44 privkey7.pem
-rw-r--r--  1 root root 1704 Jun 12 08:55 privkey8.pem

/etc/letsencrypt/archive/fococw.org-0001:
total 40
drwxr-xr-x  2 root root 4096 Aug 21 09:19 .
drwx------ 11 root root 4096 Jun 12 09:30 ..
-rw-r--r--  1 root root 1895 Jun 12 09:30 cert1.pem
-rw-r--r--  1 root root 1899 Aug 21 09:19 cert2.pem
-rw-r--r--  1 root root 1647 Jun 12 09:30 chain1.pem
-rw-r--r--  1 root root 1647 Aug 21 09:19 chain2.pem
-rw-r--r--  1 root root 3542 Jun 12 09:30 fullchain1.pem
-rw-r--r--  1 root root 3546 Aug 21 09:19 fullchain2.pem
-rw-------  1 root root 1704 Jun 12 09:30 privkey1.pem
-rw-------  1 root root 1704 Aug 21 09:19 privkey2.pem

/etc/letsencrypt/archive/uphreak.com:
total 520
drwxr-xr-x  2 root root 4096 Mar 13  2019 .
drwx------ 11 root root 4096 Jun 12 09:30 ..
-rw-r--r--  1 root root 1984 May  1  2016 cert10.pem
-rw-r--r--  1 root root 1984 Jun  1  2016 cert11.pem
-rw-r--r--  1 root root 1984 Jul  1  2016 cert12.pem
-rw-r--r--  1 root root 1984 Sep  1  2016 cert13.pem
-rw-r--r--  1 root root 1984 Oct  1  2016 cert14.pem
-rw-r--r--  1 root root 1984 Nov  1  2016 cert15.pem
-rw-r--r--  1 root root 1984 Jan 10  2017 cert16.pem
-rw-r--r--  1 root root 1984 Mar 21  2017 cert17.pem
-rw-r--r--  1 root root 1980 May 30  2017 cert18.pem
-rw-r--r--  1 root root 1980 Aug  8  2017 cert19.pem
-rw-r--r--  1 root root 1814 Dec 17  2015 cert1.pem
-rw-r--r--  1 root root 1980 Oct 17  2017 cert20.pem
-rw-r--r--  1 root root 1980 Dec 27  2017 cert21.pem
-rw-r--r--  1 root root 1980 Mar  7  2018 cert22.pem
-rw-r--r--  1 root root 2338 May 16  2018 cert23.pem
-rw-r--r--  1 root root 2338 Aug  6  2018 cert24.pem
-rw-r--r--  1 root root 2370 Oct 15  2018 cert25.pem
-rw-r--r--  1 root root 2370 Oct 27  2018 cert26.pem
-rw-r--r--  1 root root 2370 Oct 27  2018 cert27.pem
-rw-r--r--  1 root root 2130 Nov 29  2018 cert28.pem
-rw-r--r--  1 root root 2126 Dec  9  2018 cert29.pem
-rw-r--r--  1 root root 1838 Dec 21  2015 cert2.pem
-rw-r--r--  1 root root 2130 Jan 26  2019 cert30.pem
-rw-r--r--  1 root root 2155 Mar 11  2019 cert31.pem
-rw-r--r--  1 root root 2151 Mar 13  2019 cert32.pem
-rw-r--r--  1 root root 1838 Jan  1  2016 cert3.pem
-rw-r--r--  1 root root 1874 Jan 18  2016 cert4.pem
-rw-r--r--  1 root root 1931 Jan 19  2016 cert5.pem
-rw-r--r--  1 root root 1960 Feb  1  2016 cert6.pem
-rw-r--r--  1 root root 1960 Mar  1  2016 cert7.pem
-rw-r--r--  1 root root 1960 Apr  1  2016 cert8.pem
-rw-r--r--  1 root root 1984 Apr 13  2016 cert9.pem
-rw-r--r--  1 root root 1647 May  1  2016 chain10.pem
-rw-r--r--  1 root root 1647 Jun  1  2016 chain11.pem
-rw-r--r--  1 root root 1647 Jul  1  2016 chain12.pem
-rw-r--r--  1 root root 1647 Sep  1  2016 chain13.pem
-rw-r--r--  1 root root 1647 Oct  1  2016 chain14.pem
-rw-r--r--  1 root root 1647 Nov  1  2016 chain15.pem
-rw-r--r--  1 root root 1647 Jan 10  2017 chain16.pem
-rw-r--r--  1 root root 1647 Mar 21  2017 chain17.pem
-rw-r--r--  1 root root 1647 May 30  2017 chain18.pem
-rw-r--r--  1 root root 1647 Aug  8  2017 chain19.pem
-rw-r--r--  1 root root 1675 Dec 17  2015 chain1.pem
-rw-r--r--  1 root root 1647 Oct 17  2017 chain20.pem
-rw-r--r--  1 root root 1647 Dec 27  2017 chain21.pem
-rw-r--r--  1 root root 1647 Mar  7  2018 chain22.pem
-rw-r--r--  1 root root 1647 May 16  2018 chain23.pem
-rw-r--r--  1 root root 1647 Aug  6  2018 chain24.pem
-rw-r--r--  1 root root 1647 Oct 15  2018 chain25.pem
-rw-r--r--  1 root root 1647 Oct 27  2018 chain26.pem
-rw-r--r--  1 root root 1647 Oct 27  2018 chain27.pem
-rw-r--r--  1 root root 1647 Nov 29  2018 chain28.pem
-rw-r--r--  1 root root 1647 Dec  9  2018 chain29.pem
-rw-r--r--  1 root root 1675 Dec 21  2015 chain2.pem
-rw-r--r--  1 root root 1647 Jan 26  2019 chain30.pem
-rw-r--r--  1 root root 1647 Mar 11  2019 chain31.pem
-rw-r--r--  1 root root 1647 Mar 13  2019 chain32.pem
-rw-r--r--  1 root root 1675 Jan  1  2016 chain3.pem
-rw-r--r--  1 root root 1675 Jan 18  2016 chain4.pem
-rw-r--r--  1 root root 1675 Jan 19  2016 chain5.pem
-rw-r--r--  1 root root 1675 Feb  1  2016 chain6.pem
-rw-r--r--  1 root root 1675 Mar  1  2016 chain7.pem
-rw-r--r--  1 root root 1647 Apr  1  2016 chain8.pem
-rw-r--r--  1 root root 1647 Apr 13  2016 chain9.pem
-rw-r--r--  1 root root 3631 May  1  2016 fullchain10.pem
-rw-r--r--  1 root root 3631 Jun  1  2016 fullchain11.pem
-rw-r--r--  1 root root 3631 Jul  1  2016 fullchain12.pem
-rw-r--r--  1 root root 3631 Sep  1  2016 fullchain13.pem
-rw-r--r--  1 root root 3631 Oct  1  2016 fullchain14.pem
-rw-r--r--  1 root root 3631 Nov  1  2016 fullchain15.pem
-rw-r--r--  1 root root 3631 Jan 10  2017 fullchain16.pem
-rw-r--r--  1 root root 3631 Mar 21  2017 fullchain17.pem
-rw-r--r--  1 root root 3627 May 30  2017 fullchain18.pem
-rw-r--r--  1 root root 3627 Aug  8  2017 fullchain19.pem
-rw-r--r--  1 root root 3489 Dec 17  2015 fullchain1.pem
-rw-r--r--  1 root root 3627 Oct 17  2017 fullchain20.pem
-rw-r--r--  1 root root 3627 Dec 27  2017 fullchain21.pem
-rw-r--r--  1 root root 3627 Mar  7  2018 fullchain22.pem
-rw-r--r--  1 root root 3985 May 16  2018 fullchain23.pem
-rw-r--r--  1 root root 3985 Aug  6  2018 fullchain24.pem
-rw-r--r--  1 root root 4017 Oct 15  2018 fullchain25.pem
-rw-r--r--  1 root root 4017 Oct 27  2018 fullchain26.pem
-rw-r--r--  1 root root 4017 Oct 27  2018 fullchain27.pem
-rw-r--r--  1 root root 3777 Nov 29  2018 fullchain28.pem
-rw-r--r--  1 root root 3773 Dec  9  2018 fullchain29.pem
-rw-r--r--  1 root root 3513 Dec 21  2015 fullchain2.pem
-rw-r--r--  1 root root 3777 Jan 26  2019 fullchain30.pem
-rw-r--r--  1 root root 3802 Mar 11  2019 fullchain31.pem
-rw-r--r--  1 root root 3798 Mar 13  2019 fullchain32.pem
-rw-r--r--  1 root root 3513 Jan  1  2016 fullchain3.pem
-rw-r--r--  1 root root 3549 Jan 18  2016 fullchain4.pem
-rw-r--r--  1 root root 3606 Jan 19  2016 fullchain5.pem
-rw-r--r--  1 root root 3635 Feb  1  2016 fullchain6.pem
-rw-r--r--  1 root root 3635 Mar  1  2016 fullchain7.pem
-rw-r--r--  1 root root 3607 Apr  1  2016 fullchain8.pem
-rw-r--r--  1 root root 3631 Apr 13  2016 fullchain9.pem
-rw-r--r--  1 root root 1708 May  1  2016 privkey10.pem
-rw-r--r--  1 root root 1704 Jun  1  2016 privkey11.pem
-rw-r--r--  1 root root 1704 Jul  1  2016 privkey12.pem
-rw-r--r--  1 root root 1708 Sep  1  2016 privkey13.pem
-rw-r--r--  1 root root 1704 Oct  1  2016 privkey14.pem
-rw-r--r--  1 root root 1708 Nov  1  2016 privkey15.pem
-rw-r--r--  1 root root 1704 Jan 10  2017 privkey16.pem
-rw-r--r--  1 root root 1704 Mar 21  2017 privkey17.pem
-rw-r--r--  1 root root 1704 May 30  2017 privkey18.pem
-rw-r--r--  1 root root 1704 Aug  8  2017 privkey19.pem
-rw-r--r--  1 root root 1708 Dec 17  2015 privkey1.pem
-rw-r--r--  1 root root 1704 Oct 17  2017 privkey20.pem
-rw-r--r--  1 root root 1704 Dec 27  2017 privkey21.pem
-rw-r--r--  1 root root 1704 Mar  7  2018 privkey22.pem
-rw-r--r--  1 root root 1708 May 16  2018 privkey23.pem
-rw-r--r--  1 root root 1704 Aug  6  2018 privkey24.pem
-rw-r--r--  1 root root 1708 Oct 15  2018 privkey25.pem
-rw-r--r--  1 root root 1704 Oct 27  2018 privkey26.pem
-rw-r--r--  1 root root 1704 Oct 27  2018 privkey27.pem
-rw-r--r--  1 root root 1708 Nov 29  2018 privkey28.pem
-rw-r--r--  1 root root 1704 Dec  9  2018 privkey29.pem
-rw-r--r--  1 root root 1704 Dec 21  2015 privkey2.pem
-rw-r--r--  1 root root 1704 Jan 26  2019 privkey30.pem
-rw-r--r--  1 root root 1704 Mar 11  2019 privkey31.pem
-rw-r--r--  1 root root 1704 Mar 13  2019 privkey32.pem
-rw-r--r--  1 root root 1704 Jan  1  2016 privkey3.pem
-rw-r--r--  1 root root 1704 Jan 18  2016 privkey4.pem
-rw-r--r--  1 root root 1704 Jan 19  2016 privkey5.pem
-rw-r--r--  1 root root 1704 Feb  1  2016 privkey6.pem
-rw-r--r--  1 root root 1704 Mar  1  2016 privkey7.pem
-rw-r--r--  1 root root 1704 Apr  1  2016 privkey8.pem
-rw-r--r--  1 root root 1704 Apr 13  2016 privkey9.pem

/etc/letsencrypt/archive/uphreak.com-0001:
total 152
drwxr-xr-x  2 root root 4096 Jun 12 08:59 .
drwx------ 11 root root 4096 Jun 12 09:30 ..
-rw-r--r--  1 root root 2049 Mar 13  2019 cert1.pem
-rw-r--r--  1 root root 2049 Apr  8  2019 cert2.pem
-rw-r--r--  1 root root 2049 Apr  8  2019 cert3.pem
-rw-r--r--  1 root root 2045 May  1  2019 cert4.pem
-rw-r--r--  1 root root 2049 May 22 13:12 cert5.pem
-rw-r--r--  1 root root 2045 Jun  1 00:00 cert6.pem
-rw-r--r--  1 root root 2049 Jun  4 08:44 cert7.pem
-rw-r--r--  1 root root 2049 Jun 12 08:55 cert8.pem
-rw-r--r--  1 root root 2049 Jun 12 08:59 cert9.pem
-rw-r--r--  1 root root 1647 Mar 13  2019 chain1.pem
-rw-r--r--  1 root root 1647 Apr  8  2019 chain2.pem
-rw-r--r--  1 root root 1647 Apr  8  2019 chain3.pem
-rw-r--r--  1 root root 1647 May  1  2019 chain4.pem
-rw-r--r--  1 root root 1647 May 22 13:12 chain5.pem
-rw-r--r--  1 root root 1647 Jun  1 00:00 chain6.pem
-rw-r--r--  1 root root 1647 Jun  4 08:44 chain7.pem
-rw-r--r--  1 root root 1647 Jun 12 08:55 chain8.pem
-rw-r--r--  1 root root 1647 Jun 12 08:59 chain9.pem
-rw-r--r--  1 root root 3696 Mar 13  2019 fullchain1.pem
-rw-r--r--  1 root root 3696 Apr  8  2019 fullchain2.pem
-rw-r--r--  1 root root 3696 Apr  8  2019 fullchain3.pem
-rw-r--r--  1 root root 3692 May  1  2019 fullchain4.pem
-rw-r--r--  1 root root 3696 May 22 13:12 fullchain5.pem
-rw-r--r--  1 root root 3692 Jun  1 00:00 fullchain6.pem
-rw-r--r--  1 root root 3696 Jun  4 08:44 fullchain7.pem
-rw-r--r--  1 root root 3696 Jun 12 08:55 fullchain8.pem
-rw-r--r--  1 root root 3696 Jun 12 08:59 fullchain9.pem
-rw-r--r--  1 root root 1708 Mar 13  2019 privkey1.pem
-rw-r--r--  1 root root 1704 Apr  8  2019 privkey2.pem
-rw-r--r--  1 root root 1704 Apr  8  2019 privkey3.pem
-rw-r--r--  1 root root 1704 May  1  2019 privkey4.pem
-rw-r--r--  1 root root 1704 May 22 13:12 privkey5.pem
-rw-r--r--  1 root root 1704 Jun  1 00:00 privkey6.pem
-rw-r--r--  1 root root 1704 Jun  4 08:44 privkey7.pem
-rw-r--r--  1 root root 1704 Jun 12 08:55 privkey8.pem
-rw-r--r--  1 root root 1708 Jun 12 08:59 privkey9.pem

/etc/letsencrypt/archive/uphreak.com-0002:
total 24
drwxr-xr-x  2 root root 4096 Jun 12 09:03 .
drwx------ 11 root root 4096 Jun 12 09:30 ..
-rw-r--r--  1 root root 2049 Jun 12 09:03 cert1.pem
-rw-r--r--  1 root root 1647 Jun 12 09:03 chain1.pem
-rw-r--r--  1 root root 3696 Jun 12 09:03 fullchain1.pem
-rw-------  1 root root 1704 Jun 12 09:03 privkey1.pem

/etc/letsencrypt/archive/uphreak.com-0003:
total 40
drwxr-xr-x  2 root root 4096 Aug 21 09:19 .
drwx------ 11 root root 4096 Jun 12 09:30 ..
-rw-r--r--  1 root root 2049 Jun 12 09:30 cert1.pem
-rw-r--r--  1 root root 2049 Aug 21 09:19 cert2.pem
-rw-r--r--  1 root root 1647 Jun 12 09:30 chain1.pem
-rw-r--r--  1 root root 1647 Aug 21 09:19 chain2.pem
-rw-r--r--  1 root root 3696 Jun 12 09:30 fullchain1.pem
-rw-r--r--  1 root root 3696 Aug 21 09:19 fullchain2.pem
-rw-------  1 root root 1700 Jun 12 09:30 privkey1.pem
-rw-------  1 root root 1704 Aug 21 09:19 privkey2.pem

/etc/letsencrypt/live:
total 24
drwx------  5 root root 4096 Jun 12 09:31 .
drwxr-xr-x 10 root root 4096 Oct 30 11:00 ..
lrwxrwxrwx  1 root root   16 Jun 12 09:31 fococw.com -> fococw.com-0002/
drwxr-xr-x  2 root root 4096 Oct 30 10:51 fococw.com-0002
lrwxrwxrwx  1 root root   16 Jun 12 09:31 fococw.org -> fococw.org-0001/
drwxr-xr-x  2 root root 4096 Oct 30 10:51 fococw.org-0001
-rw-r--r--  1 root root  740 Jun 12 09:30 README
lrwxrwxrwx  1 root root   17 Jun 12 09:31 uphreak.com -> uphreak.com-0003/
drwxr-xr-x  2 root root 4096 Oct 30 10:51 uphreak.com-0003

/etc/letsencrypt/live/fococw.com-0002:
total 36
drwxr-xr-x 2 root root 4096 Oct 30 10:51 .
drwx------ 5 root root 4096 Jun 12 09:31 ..
-rw-r--r-- 1 root root 7141 Oct 30 10:51 bundle.crt
-rw-r--r-- 1 root root 7141 Oct  1 00:00 bundle.crt.bak
lrwxrwxrwx 1 root root   39 Aug 21 09:19 cert.pem -> ../../archive/fococw.com-0002/cert2.pem
lrwxrwxrwx 1 root root   40 Aug 21 09:19 chain.pem -> ../../archive/fococw.com-0002/chain2.pem
lrwxrwxrwx 1 root root   44 Aug 21 09:19 fullchain.pem -> ../../archive/fococw.com-0002/fullchain2.pem
lrwxrwxrwx 1 root root   42 Aug 21 09:19 privkey.pem -> ../../archive/fococw.com-0002/privkey2.pem
-rw-r--r-- 1 root root  692 Jun 12 09:30 README
-rw-r--r-- 1 root root 5246 Oct 30 10:51 relay.pem

/etc/letsencrypt/live/fococw.org-0001:
total 36
drwxr-xr-x 2 root root 4096 Oct 30 10:51 .
drwx------ 5 root root 4096 Jun 12 09:31 ..
-rw-r--r-- 1 root root 7149 Oct 30 10:51 bundle.crt
-rw-r--r-- 1 root root 7149 Oct  1 00:00 bundle.crt.bak
lrwxrwxrwx 1 root root   39 Aug 21 09:19 cert.pem -> ../../archive/fococw.org-0001/cert2.pem
lrwxrwxrwx 1 root root   40 Aug 21 09:19 chain.pem -> ../../archive/fococw.org-0001/chain2.pem
lrwxrwxrwx 1 root root   44 Aug 21 09:19 fullchain.pem -> ../../archive/fococw.org-0001/fullchain2.pem
lrwxrwxrwx 1 root root   42 Aug 21 09:19 privkey.pem -> ../../archive/fococw.org-0001/privkey2.pem
-rw-r--r-- 1 root root  692 Jun 12 09:30 README
-rw-r--r-- 1 root root 5250 Oct 30 10:51 relay.pem

/etc/letsencrypt/live/uphreak.com-0003:
total 36
drwxr-xr-x 2 root root 4096 Oct 30 10:51 .
drwx------ 5 root root 4096 Jun 12 09:31 ..
-rw-r--r-- 1 root root 7449 Oct 30 10:51 bundle.crt
-rw-r--r-- 1 root root 7449 Oct  1 00:00 bundle.crt.bak
lrwxrwxrwx 1 root root   40 Aug 21 09:19 cert.pem -> ../../archive/uphreak.com-0003/cert2.pem
lrwxrwxrwx 1 root root   41 Aug 21 09:19 chain.pem -> ../../archive/uphreak.com-0003/chain2.pem
lrwxrwxrwx 1 root root   45 Aug 21 09:19 fullchain.pem -> ../../archive/uphreak.com-0003/fullchain2.pem
lrwxrwxrwx 1 root root   43 Aug 21 09:19 privkey.pem -> ../../archive/uphreak.com-0003/privkey2.pem
-rw-r--r-- 1 root root  692 Jun 12 09:30 README
-rw-r--r-- 1 root root 5400 Oct 30 10:51 relay.pem

/etc/letsencrypt/renewal:
total 20
drwxr-xr-x  2 root root 4096 Sep  9 11:32 .
drwxr-xr-x 10 root root 4096 Oct 30 11:00 ..
-rw-r--r--  1 root root  494 Jun 12 09:12 fococw.com.conf
-rw-r--r--  1 root root  494 Jun 12 08:55 fococw.org.conf
-rw-r--r--  1 root root  421 Mar 13  2019 uphreak.com.conf

Certbot doesn't know what to do when /etc/letsencrypt/ has been modified like that.

I guess it sees that /etc/letsencrypt/archive/fococw.com-0002/privkey3.pem and so forth don't exist, so it assumes the next set of files should be numbered 3. But then it tries to create /etc/letsencrypt/archive/fococw.com/privkey3.pem, which does exist, and fails.

Everything needs to be arranged how Certbot expects it.

E.g. /etc/letsencrypt/live/fococw.com/ needs to be a directory, and it needs to contain symlinks to files in ../../archive/fococw.com/.

Or you could get rid of e.g. "fococw.com" and stick with "fococw.com-0002". In which case /etc/letsencrypt/renewal/fococw.com-0002.conf would need to exist with the appropriate settings -- it includes references to the archive and live directories -- and the "fococw.com" and "fococw.com-0001" stuff could be deleted.

A simple way to reset everything is to take a backup, take a close look at everything, delete the archive, live and renewal directories and start over. That's usually a disastrous idea: If you're using the Apache or Nginx authenticators, they won't work if the web server is referencing files that no longer exist. And if you've issued 5 duplicate certificates too recently, the rate limit will prevent you from issuing more. But it looks like you're fine both ways, since you're using the standalone plugin and have only issued two sets of certificates recently.

2 Likes
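The layout rules from the reply above (live/NAME is a real directory, its symlinks point into archive/NAME, and the next version number is still free there) can be checked mechanically. The following is an added example, not part of the thread and not Certbot's own code: `audit_lineage` and `build_sample` are hypothetical names, the sample tree is constructed to mirror the fococw.com listing, and the collision check follows the reply's guess about how the next file number is chosen.

```python
import os
import re
import tempfile
from pathlib import Path

KINDS = ("cert", "chain", "fullchain", "privkey")


def audit_lineage(config_dir, name):
    """Return (code, detail) findings for one certificate name."""
    root = Path(config_dir)
    live, archive = root / "live" / name, root / "archive" / name
    expected = Path(os.path.realpath(archive))
    findings = []

    if not (root / "renewal" / f"{name}.conf").is_file():
        findings.append(("no-renewal-conf", f"renewal/{name}.conf is missing"))
    if live.is_symlink():
        findings.append(("live-is-symlink",
                         f"live/{name} -> {os.readlink(live)} (expected a directory)"))
    elif not live.is_dir():
        findings.append(("no-live-dir", f"live/{name} is missing"))
        return findings

    versions, foreign = set(), set()
    for kind in KINDS:
        link = live / f"{kind}.pem"
        if not link.is_symlink():
            findings.append(("not-a-symlink", f"live/{name}/{kind}.pem"))
            continue
        target = Path(os.path.realpath(link))
        if not target.exists():
            findings.append(("dangling", f"{kind}.pem -> {target}"))
        if target.parent != expected:
            foreign.add(target.parent.name)
        match = re.fullmatch(rf"{kind}(\d+)\.pem", target.name)
        if match:
            versions.add(int(match.group(1)))

    for other in sorted(foreign):
        findings.append(("wrong-archive",
                         f"live/{name} links into archive/{other}, not archive/{name}"))
    if len(versions) > 1:
        findings.append(("mixed-versions", f"links point at versions {sorted(versions)}"))
    if versions:
        # The failure in the thread: the number after the current live version
        # is already taken in archive/NAME, so creating the file raises Errno 17.
        nxt = max(versions) + 1
        clash = [f"{k}{nxt}.pem" for k in KINDS if (archive / f"{k}{nxt}.pem").exists()]
        if clash:
            findings.append(("next-version-exists",
                             f"archive/{name} already has {', '.join(clash)}"))
    return findings


def build_sample(root, broken):
    """Constructed tree: the thread's fococw.com layout, or a consistent one."""
    root = Path(root)
    real = "fococw.com-0002" if broken else "fococw.com"
    for sub in ("renewal", f"live/{real}", "archive/fococw.com", f"archive/{real}"):
        (root / sub).mkdir(parents=True, exist_ok=True)
    (root / "renewal" / "fococw.com.conf").write_text("# constructed placeholder\n")
    for kind in KINDS:
        for n in (1, 2):
            (root / "archive" / real / f"{kind}{n}.pem").write_text("placeholder\n")
        if broken:  # the older lineage already holds versions 1 to 4
            for n in range(1, 5):
                (root / "archive" / "fococw.com" / f"{kind}{n}.pem").write_text("placeholder\n")
        os.symlink(f"../../archive/{real}/{kind}2.pem", root / "live" / real / f"{kind}.pem")
    if broken:
        os.symlink("fococw.com-0002/", root / "live" / "fococw.com")
    return root


if __name__ == "__main__":
    for broken in (True, False):
        with tempfile.TemporaryDirectory() as tmp:
            result = audit_lineage(build_sample(tmp, broken), "fococw.com")
            print("broken layout:" if broken else "consistent layout:")
            for code, detail in result or [("ok", "no findings")]:
                print(f"  {code}: {detail}")
```

On a real host the call would be `audit_lineage("/etc/letsencrypt", name)` for each file in the renewal directory; it only reads the tree and changes nothing.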

So backup /etc/letsencrypt folder, then
rm -rf /etc/letsencrypt/archive
rm -rf /etc/letsencrypt/live
rm -rf /etc/letsencrypt/renewal

and… then run
certbot renew

? Mostly just not sure what to do after removing all those directories; is renew the correct thing? Somehow I got into this state when converting from the old letsencrypt daemon to certbot.

No, if you delete all the stuff, certbot renew won’t do anything.

You’d have to rerun the original commands you used to create the certificates. “sudo certbot certonly --standalone -d example.com -d www.example.com...” or whatever.

OK, I did a backup, then rm -rf the specified directories, then ran

]# certbot certonly --standalone -d uphreak.com -d video.uphreak.com -d phone.uphreak.com -d test.uphreak.com -d anon.uphreak.com -d moh.uphreak.com -d rig.uphreak.com -d fococw.com -d fococw.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/uphreak.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/uphreak.com/privkey.pem
   Your cert will expire on 2020-01-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

which did not seem to deal with the two fococw domains, so I ran

certbot certonly --standalone -d fococw.com
certbot certonly --standalone -d fococw.org

separately.

I believe it all looks good. I really appreciate your help in sorting this out.

A potential problem with --standalone is that you need to stop the web server temporarily for renewals (because Certbot then needs to use port 80).

Yeah, I do that first b/c I run lighttpd with no certbot integration; I have always done a manual stop/start of lighttpd.

Have you looked into using certbot with --webroot ?

Nope, stopping and starting lighttpd is a trivial task for me to automate in cron with cert renewal.
