Dry run works but renew does not, [Errno 17]

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: fm.westcycle.org.au

I ran this command: certbot renew

It produced this output: Failed to renew certificate fm.westcycle.org.au with error: [Errno 17] File exists: '/etc/letsencrypt/archive/fm.westcycle.org.au/privkey4.pem'

My web server is (include version): My webserver is running through FileMaker Server, which installs and controls the Apache webserver

The operating system my web server runs on is (include version): Ubuntu 18.04 LTS

My hosting provider, if applicable, is: Binary Lane

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I use the control panel provided by the hosting service, also Cyberduck 8.0.0, and also logging into the server directly using Mac Terminal. I have been running these commands using the terminal.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.24.0

I really don't think the issue has anything to do with FileMaker Server or Apache. I have the renew process working on a couple of other servers running FileMaker Server with this same setup. After the certificates are renewed there is a script that runs to import them into FileMaker Server. I suspect the issue may be that I messed with the folders at some point but can't actually recall what I did.

At some point a second folder was created in the archive directory fm.westcycle.org.au-0001 and files were put in there. I've removed the original folder now and edited the conf file to match, but it's still not working. Here is a list of what's in the current folder (fm.westcycle.org.au-0001):
```
total 60
-rw-r--r-- 1 root root 1854 Dec 28 00:09 cert1.pem
-rw-r--r-- 1 root root 1854 Jan  1 03:00 cert2.pem
-rw-r--r-- 1 root root 1854 Jan  1 11:35 cert3.pem
-rw-r--r-- 1 root root 3749 Dec 28 00:09 chain1.pem
-rw-r--r-- 1 root root 3749 Jan  1 03:00 chain2.pem
-rw-r--r-- 1 root root 3749 Jan  1 11:35 chain3.pem
-rw-r--r-- 1 root root 5603 Dec 28 00:09 fullchain1.pem
-rw-r--r-- 1 root root 5603 Jan  1 03:00 fullchain2.pem
-rw-r--r-- 1 root root 5603 Jan  1 11:35 fullchain3.pem
-rw------- 1 root root 1704 Dec 28 00:09 privkey1.pem
-rw------- 1 root root 1704 Jan  1 03:00 privkey2.pem
-rw------- 1 root root 1704 Jan  1 11:35 privkey3.pem
```

These are the contents of the original folder (fm.westcycle.org.au, which I have removed from archive and kept somewhere else for now), probably explaining why certbot got mixed up with privkey4.

```
total 48
-rw-r--r-- 1 root root 1854 Dec 27 15:46 cert1.pem
-rw-r--r-- 1 root root 1854 Dec 27 21:35 cert2.pem
-rw-r--r-- 1 root root 3749 Dec 27 15:46 chain1.pem
-rw-r--r-- 1 root root 3749 Dec 27 21:35 chain2.pem
-rw-r--r-- 1 root root 5603 Dec 27 15:46 fullchain1.pem
-rw-r--r-- 1 root root 5603 Dec 27 21:35 fullchain2.pem
-rw------- 1 root root 1704 Dec 27 15:46 privkey1.pem
-rw------- 1 root root 1704 Dec 27 21:35 privkey2.pem
-rw------- 1 root root 1704 Mar  2 20:39 privkey4.pem
-rw------- 1 root root 1704 Mar  2 19:54 privkey4.pem.backup
```

Here are the folders in the letsencrypt folder. I created the temp folder.

```
/etc/letsencrypt
├── accounts
│   ├── acme-staging-v02.api.letsencrypt.org
│   │   └── directory
│   │       └── c13xxxxxx
│   └── acme-v02.api.letsencrypt.org
│       └── directory
│           └── a877xxxxxxx
├── archive
│   └── fm.westcycle.org.au-0001
├── csr
├── keys
├── live
│   └── fm.westcycle.org.au
├── renewal
├── renewal-hooks
│   ├── deploy
│   ├── post
│   └── pre
└── temp
    ├── fm.westcycle.org (2:3:22, 9:01 pm).au
    └── fm.westcycle.org.au.backup
```

Here is the current conf file, which works with the current archive folder for the dry run, but not for real.

```
renew_before_expiry = 30 days

version = 1.24.0
archive_dir = /etc/letsencrypt/archive/fm.westcycle.org.au-0001
cert = /etc/letsencrypt/live/fm.westcycle.org.au/cert.pem
privkey = /etc/letsencrypt/live/fm.westcycle.org.au/privkey.pem
chain = /etc/letsencrypt/live/fm.westcycle.org.au/chain.pem
fullchain = /etc/letsencrypt/live/fm.westcycle.org.au/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = a877xxxxx
authenticator = webroot
webroot_path = /opt/FileMaker/FileMaker Server/HTTPServer/htdocs
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
fm.westcycle.org.au = /opt/FileMaker/FileMaker Server/HTTPServer/htdocs
```
Of course I stupidly ran renew a few times testing different configs and then got the too many tries error. I still have about 3 weeks to get this sorted out before the current certificates expire.

How can I fix this so that the renew process gets the new certs and puts them in the Live folder?

I don't really understand what revoke does. Is it possible to revoke the certificates and reissue for the same domain? Looking for any help I can get here!!!

Unfortunately, due to this error and repeated failures to save your renewed certificates causing you to hit rate limits, you won't be able to renew this certificate for the next 5 days or so.

You do have a wildcard certificate that expires in May though, so you could use that in the meantime.

To fix this error, would you please be able to respond with the output of this command:

sudo ls -la /etc/letsencrypt/archive/fm.westcycle.org.au/
1 Like

See my edit above. This folder doesn't exist in archive. One of the renews replaced it with the -0001 version so I went with that.

Another bit of information - as a result of reading this thread I discovered that there is a certbot job to renew. I've checked and it's active and ran successfully at 11.35am on 1 January. That would be what produced cert3. My script was also set up to renew and then import the cert. It ran at 3am on 1 January and produced cert2. I will now be modifying my script so it doesn't run the renew.

Thanks, I really appreciate the detail you included.

To be honest, if you have no other certificates, what I would do is take a backup of /etc/letsencrypt/, delete it, and allow Certbot to recreate everything from scratch with:

sudo certbot certonly -d fm.westcycle.org.au --webroot -w "/opt/FileMaker/FileMaker Server/HTTPServer/htdocs"

That should get you to a working state, without anything important lost. You should be able to do this from late Wednesday night, Sydney time.

It should otherwise be possible to repair things by recreating the symlinks in /etc/letsencrypt/live/fm.westcycle.org.au/ to point to the correct files in /etc/letsencrypt/archive/fm.westcycle.org.au/, and getting rid of the numbered suffix from the filesystem and renewal .conf file. I'm just not confident about my chances of success with trying to walk somebody through that fragile process.

Multiple renewal scripts shouldn't be a problem, as long as you use certbot renew and don't do anything like --force-renewal. certbot renew won't do anything bad, even if you run it 20 times a day.

1 Like
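The first post's symptom and the repair option in the reply above (relinking live/ to the right archive files) are two sides of the same check, so here is one added diagnostic that covers both. It is not certbot's code and not from anyone in this thread; it assumes only certbot's on-disk layout (renewal/<name>.conf with a top-level archive_dir, archive/<dir>/<kind>N.pem, live/<name>/<kind>.pem as relative symlinks). `audit` reports live links that resolve outside the .conf's archive_dir and "orphan" version slots where some kinds exist but not all four (a lone privkey4.pem is exactly the kind of file a renewal trips over with `[Errno 17] File exists`); `relink_live` points live/ at the newest version for which all four files exist. The fixture in `make_demo` is constructed to mirror the thread: the .conf names the -0001 folder while live/ still points into the old folder that holds a stray privkey4.pem.

```python
"""Added diagnostic (not certbot's own code) for a certbot lineage whose
live/ symlinks, renewal .conf and archive/ files have drifted apart."""
import os
import re
import tempfile

KINDS = ("cert", "chain", "fullchain", "privkey")
_VER = re.compile(r"^(cert|chain|fullchain|privkey)(\d+)\.pem$")

def complete_versions(directory):
    """Versions N for which all four <kind>N.pem files exist in `directory`."""
    found = {k: set() for k in KINDS}
    for fname in os.listdir(directory):
        m = _VER.match(fname)
        if m:
            found[m.group(1)].add(int(m.group(2)))
    return sorted(set.intersection(*found.values()))

def orphan_files(directory):
    """Versioned files whose slot is incomplete (e.g. privkey4.pem with no
    cert4.pem): a renewal writing that slot fails with EEXIST on this file."""
    complete = set(complete_versions(directory))
    return sorted(f for f in os.listdir(directory)
                  if _VER.match(f) and int(_VER.match(f).group(2)) not in complete)

def read_archive_dir(le_dir, name):
    """Top-level archive_dir key of renewal/<name>.conf (quotes tolerated)."""
    with open(os.path.join(le_dir, "renewal", name + ".conf")) as fh:
        for line in fh:
            key, sep, val = line.partition("=")
            if sep and key.strip() == "archive_dir":
                return os.path.realpath(val.strip().strip("'\""))
    raise ValueError("archive_dir missing for " + name)

def audit(le_dir, name):
    """List of problems; an empty list means the lineage is consistent."""
    archive_dir = read_archive_dir(le_dir, name)
    live_dir = os.path.join(le_dir, "live", name)
    problems, dirs = [], {archive_dir}
    for kind in KINDS:
        link = os.path.join(live_dir, kind + ".pem")
        if not os.path.islink(link):
            problems.append(f"{kind}.pem is not a symlink")
            continue
        target = os.path.realpath(link)
        dirs.add(os.path.dirname(target))
        if not os.path.exists(target):
            problems.append(f"{kind}.pem dangles: {target}")
        elif os.path.dirname(target) != archive_dir:
            problems.append(f"{kind}.pem points outside archive_dir: {target}")
    for d in sorted(dirs):           # check the linked folder(s) and archive_dir
        if os.path.isdir(d):
            problems.extend(f"orphan {f} in {d}" for f in orphan_files(d))
    return problems

def relink_live(le_dir, name):
    """Point live/<name>/*.pem at the newest complete version in archive_dir,
    with relative links as certbot writes them.  Returns that version."""
    archive_dir = read_archive_dir(le_dir, name)
    complete = complete_versions(archive_dir)
    if not complete:
        raise RuntimeError("no complete version in " + archive_dir)
    live_dir = os.path.realpath(os.path.join(le_dir, "live", name))
    os.makedirs(live_dir, exist_ok=True)
    for kind in KINDS:
        link = os.path.join(live_dir, kind + ".pem")
        target = os.path.join(archive_dir, f"{kind}{complete[-1]}.pem")
        if os.path.lexists(link):
            os.remove(link)
        os.symlink(os.path.relpath(target, live_dir), link)
    return complete[-1]

def make_demo(root, name="fm.example.test"):
    """Constructed fixture: .conf names <name>-0001 (versions 1-3) while live/
    links into the old <name> folder (versions 1-2 plus a stray privkey4.pem).
    PEM bodies are placeholders, not real keys or certificates."""
    def write(directory, kind, version):
        os.makedirs(directory, exist_ok=True)
        with open(os.path.join(directory, f"{kind}{version}.pem"), "w") as fh:
            fh.write(f"placeholder {kind} {version}\n")
    new_dir, old_dir = (os.path.join(root, "archive", d) for d in (name + "-0001", name))
    for directory, versions in ((new_dir, (1, 2, 3)), (old_dir, (1, 2))):
        for v in versions:
            for kind in KINDS:
                write(directory, kind, v)
    write(old_dir, "privkey", 4)
    os.makedirs(os.path.join(root, "renewal"))
    with open(os.path.join(root, "renewal", name + ".conf"), "w") as fh:
        fh.write(f"archive_dir = {new_dir}\n[renewalparams]\nauthenticator = webroot\n")
    live_dir = os.path.join(root, "live", name)
    os.makedirs(live_dir)
    for kind in KINDS:
        os.symlink(f"../../archive/{name}/{kind}2.pem", os.path.join(live_dir, kind + ".pem"))
    return name

def run_demo():
    """Audit the broken fixture, repair it, audit again: (before, version, after)."""
    with tempfile.TemporaryDirectory() as root:
        name = make_demo(root)
        before = audit(root, name)
        version = relink_live(root, name)
        return before, version, audit(root, name)
```

Run `run_demo()` (or call `audit("/etc/letsencrypt", "<lineage name>")` as root on a real box, which only reads) to see the five findings on the constructed tree: four live links resolving into the wrong folder and the orphan privkey4.pem, which disappear once live/ is relinked to version 3 of the -0001 folder. The relink deliberately refuses to pick a version that is not complete for all four kinds, which is the property the "start from scratch" advice above restores by other means.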

Thank you so much. I will wait till Wednesday and do this.

1 Like

Is that a "space" in the webroot path?

1 Like

Yes it is. I originally escaped it with a back slash but it works without that if I type it in.

Should it be escaped or quoted?

Maureen

Maureen Murray

If the certificate gets issued, then it's working, leave it alone.

1 Like

I disagree.

This:

may not work like this:

So, the renewals might still fail.

I would quote them (as in the command line).

1 Like

I have it working on another server. I will check the syntax on that and use the same.

Maureen

Ok, it has renewed successfully using the quoted webroot path. However, the conf file has been set showing the webroot path unquoted, see below.

```
renew_before_expiry = 30 days

version = 1.24.0
archive_dir = /etc/letsencrypt/archive/fm.westcycle.org.au
cert = /etc/letsencrypt/live/fm.westcycle.org.au/cert.pem
privkey = /etc/letsencrypt/live/fm.westcycle.org.au/privkey.pem
chain = /etc/letsencrypt/live/fm.westcycle.org.au/chain.pem
fullchain = /etc/letsencrypt/live/fm.westcycle.org.au/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = ac206c16fde86b496cb3d068d5a92e3e
authenticator = webroot
webroot_path = /opt/FileMaker/FileMaker Server/HTTPServer/htdocs,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
fm.westcycle.org.au = /opt/FileMaker/FileMaker Server/HTTPServer/htdocs
```

What is your advice? Should I quote the path in this file or escape the space with a backslash, or just leave it as it is? Do you think I will renew successfully?

Does a test renew work? Try

certbot renew --dry-run
2 Likes

The dry run renews successfully. I don't see why it wouldn't renew now that the folders are all as expected. I have this running on another server and it works there.

1 Like

Good. I agree. It should renew fine for production cert too. I would check in 60 days to ensure it does.

2 Likes

I have this thing about having a "space" in such definitions.
[might just be old-school trauma - but it can't hurt to enclose that all within (single or double) quotes]

2 Likes

I thought so too but that is apparently the way certbot placed it there. So, it would not help to adjust it manually. The next time certbot touches it would get changed back.

That's why I asked them to try dry-run so it seems like the parser of the conf file is fine with it.

I would have liked to run some of my own tests but never got around to it.

2 Likes

It will attempt to renew a month before I need it so I have time to resolve any issues. I have another server it is running on and it is not quoted or escaped in the conf file but it works. So I think you are right Mike. I will leave it and see how it goes.

Thank you to everyone for your advice. I am a bit of a novice but it has been great to be able to resolve the issue myself, with your help.

2 Likes

I think it would/could.

There would be no need for certbot to "touch it" again (that only happens once - on the original request). Subsequent renewals go in the other direction (they read that value only - not rewrite it).

1 Like

Ok, I did some certbot tests of webroot paths with embedded blank. Found this:

Manually adding quotes to renewal conf webroot path is not harmful but is not needed. Certbot initially sets the conf path without quotes and will remove manually added quotes at its convenience.

Notably:

Doing a renew that does not update the cert will leave the manually added quotes in place. That is, a --dry-run or real renew when the cert was not yet due for renewal.

But, certbot updates the path and removes quotes when:

  1. Doing a real renew with the cert being refreshed (I used force to check that)

  2. Using different parameters on the renew command like using -w new-path
    This was regardless of value even if the same webroot path previously used

  3. Redoing the initial certbot command (not just renew) is likely to rewrite the conf paths as well

So, I do not recommend manually editing the webroot path in the renewal conf. Certbot favors its preferred syntax which is without quotes around the path.

PS: As I did these tests I remember certbot does similar 'normalizing' of the deploy hook commands (removing quotes, ...)

2 Likes
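To show why the unquoted `webroot_path` with a space (and the trailing comma certbot leaves behind) reads correctly, here is an added illustration. It is not certbot's code: certbot stores renewal files with the configobj library, and the mini-parser below only mimics the configobj rules that matter for this thread. A value runs to the end of the line and is split on commas, never on spaces; matching surrounding quotes are stripped; and a trailing comma makes a one-item list. The three variants and the surrounding .conf text are constructed here (the account id is a placeholder), using the path and domain from the thread.

```python
"""Added illustration (not certbot's code) of how a renewal .conf value with an
embedded space is read, mimicking the relevant configobj rules."""
import re

_SECTION = re.compile(r"^(\[+)\s*([^\[\]]+?)\s*(\]+)\s*$")

def parse_value(raw):
    """Scalar or list, configobj-style: quotes stripped, commas split, spaces kept."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]                      # quoted: taken verbatim, spaces included
    if "," in raw:                            # list; a trailing comma yields one item
        return [p.strip().strip("'\"") for p in raw.split(",") if p.strip()]
    return raw

def parse_renewal_conf(text):
    """Nested dict: top-level keys, [renewalparams] and [[webroot_map]] sections.
    Lines starting with '#' are comments, as in certbot's own files."""
    root, path = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION.match(line)
        if m:                                 # [x] is depth 1, [[x]] is depth 2
            path = path[:len(m.group(1)) - 1] + [m.group(2)]
            continue
        key, sep, val = line.partition("=")
        if sep:
            section = root
            for name in path:
                section = section.setdefault(name, {})
            section[key.strip()] = parse_value(val)
    return root

def webroot_for(conf, domain):
    """Directory used for the domain's HTTP-01 challenge files: the webroot_map
    entry if present, otherwise the (first) webroot_path."""
    params = conf["renewalparams"]
    mapped = params.get("webroot_map", {}).get(domain)
    if mapped:
        return mapped
    wp = params["webroot_path"]
    return wp[0] if isinstance(wp, list) else wp

PATH = "/opt/FileMaker/FileMaker Server/HTTPServer/htdocs"
DOMAIN = "fm.westcycle.org.au"
VARIANTS = {                                  # constructed webroot_path lines
    "trailing_comma": f"webroot_path = {PATH},",   # the form certbot writes
    "bare": f"webroot_path = {PATH}",
    "quoted": f"webroot_path = '{PATH}'",          # manually added quotes
}

def render_conf(webroot_line):
    """Constructed renewal .conf text around one webroot_path line."""
    return "\n".join([
        "renew_before_expiry = 30 days", "version = 1.24.0",
        f"archive_dir = /etc/letsencrypt/archive/{DOMAIN}",
        "# Options used in the renewal process", "[renewalparams]",
        "account = PLACEHOLDER_ACCOUNT_ID", "authenticator = webroot",
        webroot_line, "server = https://acme-v02.api.letsencrypt.org/directory",
        "[[webroot_map]]", f"{DOMAIN} = {PATH}",
    ])

def raw_webroot_path_values():
    """The parsed webroot_path per variant: a one-item list for the trailing
    comma, a plain string otherwise; the space survives in every case."""
    return {label: parse_renewal_conf(render_conf(line))["renewalparams"]["webroot_path"]
            for label, line in VARIANTS.items()}

def resolved_webroots():
    """The webroot each variant resolves to for DOMAIN (all identical)."""
    return {label: webroot_for(parse_renewal_conf(render_conf(line)), DOMAIN)
            for label, line in VARIANTS.items()}
```

`raw_webroot_path_values()` is the interesting call: the comma-terminated line certbot writes parses as `['/opt/FileMaker/FileMaker Server/HTTPServer/htdocs']`, the bare and quoted lines as the same string, and `resolved_webroots()` gives that directory for every variant. This is the parser-level reason the dry run and the real renewal both succeeded with the space unquoted, and why hand-editing the quotes in changes nothing certbot reads.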