Dry-run works missing privkey.pem on live try

Please fill out the fields below so we can help you better.

My domain is: placeholder.com

I ran this command: certbot renew --dry-run

It produced this output: all good dude!

My web server is (include version): nginx 1.12.1

The operating system my web server runs on is (include version): debian 9

My hosting provider, if applicable, is: baremetal

I can login to a root shell on my machine (yes or no, or I don’t know): yep

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
nope

OK, so I didn’t save the exact error message because I didn’t think it was going to limit out on me. I figured it checked if the files it needed were there before trying to hit the certification servers. So I guess I am done for a week, but maybe I can gather info in the meantime.

When running the certbot, it throws err2 file not found and points at my www.placeholder.com-0001 directory/archive privkey… which doesn’t exist.

I created my cert with a tutorial and I tried to create it for www.placeholder.com AND placeholder.com, and they both worked to make the cert. In my /etc/letsencrypt/archive I only have the directory called asite.com-0001, so I figure the cert with two different domains (the one with www and one without).

Do I need the www version? Once you get on my site, even with www on the address it goes to the version without www; I was just doing it to cover all possibilities of people getting there.

Thanks for making and providing this service and thank you to anyone that took the time to read this. And thanks in advance to anyone that has any information to help me.

Also, as it is I am looking at just reinstalling the whole server because of this. I can’t have another week down AFTER this week if I can’t get it. With --dry-run working I have no idea how to try to fix it in 5 tries a week. I understand the limit, but ouch, it’s killing me.

Hi @gigafunk,

Could you please post the exact output that you get from Certbot in both the --dry-run and the regular certbot renew case?

The rate limit related to authorization errors only lasts for one hour, not five days.

Yes, this redirection happens after the browser checks the certificate validity.

The message has changed. In the pastebin I did a successful dry-run followed by a try with just “certbot renew”.

https://pastebin.com/m9ngqLR7

Huh, that’s kind of a new one for me.

Could you also post the contents of /etc/letsencrypt/renewal/placeholder.com.conf and let us know which version of Certbot you’re using?

This is when I try it as root:

Processing /etc/letsencrypt/renewal/placeholder.com.conf

Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Attempting to renew cert from /etc/letsencrypt/renewal/placeholder.com.conf produced an unexpected error: . Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/armbarandgrill.com-0001/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

It’s always a different error.

But --dry-run always works, it’s so frustrating.

I am trying to get it to do the same errors (error 2) as before, but I keep getting rate limited.

Thanks for your time,

Oh, I just saw your reply. One second, I’ll be back with that info.

https://pastebin.com/G0e9xcE3

0.10.2 version certbot

Debian 8, that’s fully updated via apt-get, I believe.

I tried to just remove the SSL stuff from the nginx conf files but something is still redirecting it to https, so I am now considering just wiping it and starting over and building the site without SSL. It’s just a homepage for a bar with hours and stuff so I don’t need SSL; I was just hoping he would be easier to google.

@bmw, could you think about reasons for this crash? I don’t quite understand what could be going wrong (the renewal configuration looks fine to me). Unless it’s a different manifestation of the Unicode formatting bug that Erica fixed or something (but then we should get UnicodeEncodeError or something).

@gigafunk, would you be willing to upgrade to a newer version of Certbot outside of your operating system package manager?

Yes.

I will do anything, I am one step from a full wipe.

I’m good in Windows (lol), but if it’s more than adding a new repository and apt-get update/upgrading I may need a little guidance on where the files go or what gets replaced.

You could use the instructions at https://certbot.eff.org/#pip-other

When you’ve done that, you’ll have a command ./certbot-auto (run from your home directory or whatever directory you’re in when you download this script). You can use commands starting with ./certbot-auto (or /home/yourusername/certbot-auto from cron) whenever other documentation says to use commands starting with certbot. For example, the equivalent of certbot renew is then ./certbot-auto renew. This version of Certbot will auto-update independent of your OS package manager.

OK, I’ll let you know, thank you so much.

@gigafunk, if you can provide a full log of the problem, I can better debug it. Logs by default are stored in /var/log/letsencrypt. Feel free to redact domains, IPs, and email addresses as you feel appropriate.

OK, I’ll get a clean log of the failure after my rate limit expires. I haven’t got to try with certbot-auto yet; the dry run for that worked and it updated a bunch of depends, so maybe it will work when I try again.

Attempting to renew cert (placeholder.com) from /etc/letsencrypt/renewal/placeholder.com.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: placeholder.com,www.placeholder.com. Skipping.

I could have sworn it’s been over an hour, but I’ll try again later.

Unfortunately, that’s a different rate limit that you originally alluded to that takes a week to time out.

I assumed from your original post that the certificate could not be issued because of a problem with the process of proving your control over the certificate. However, the new error that you posted suggests that the certificate does get issued and somehow Certbot has trouble saving it and/or informing you that it was saved correctly.

I apologize for making the wrong guess about which rate limit was in play. It’s very unusual for people with Certbot crashes to encounter the rate limit that you did; they almost always encounter the other one.

Could you post the result of running

ls -l /etc/letsencrypt/{live,archive}/*

so we can see if the problem is that the certificate wasn’t saved to disk or that the problem is that Certbot crashed before telling you that it was saved?

/etc/letsencrypt/archive/www.placeholder.com-0001:
total 16
-rw-r--r-- 1 root root 1842 Mar 25 04:42 cert1.pem
-rw-r--r-- 1 root root 1647 Mar 25 04:42 chain1.pem
-rw-r--r-- 1 root root 3489 Mar 25 04:42 fullchain1.pem
-rw-r--r-- 1 root root 1704 Mar 25 04:42 privkey1.pem

/etc/letsencrypt/live/placeholder.com-0001:
total 16
lrwxrwxrwx 1 root root 62 Mar 25 05:04 cert.pem -> /etc/letsencrypt/archive/www.placeholder.com-0001/cert1.pem
lrwxrwxrwx 1 root root 63 Mar 25 05:04 chain.pem -> /etc/letsencrypt/archive/www.placeholder.com-0001/chain1.pem
lrwxrwxrwx 1 root root 67 Mar 25 05:28 fullchain.pem -> /etc/letsencrypt/archive/www.placeholder.com-0001/fullchain1.pem
lrwxrwxrwx 1 root root 65 Mar 25 05:05 privkey.pem -> /etc/letsencrypt/archive/www.placeholder.com-0001/privkey1.pem

/etc/letsencrypt/live/www.placeholder.com-0001:
total 0
lrwxrwxrwx 1 root root 51 Mar 25 04:42 cert.pem -> ../../archive/www.plavceholder.com-0001/cert1.pem
lrwxrwxrwx 1 root root 52 Mar 25 04:42 chain.pem -> ../../archive/www.placeholder.com-0001/chain1.pem
lrwxrwxrwx 1 root root 56 Mar 25 04:42 fullchain.pem -> ../../archive/www.placeholder.com-0001/fullchain1.pem
lrwxrwxrwx 1 root root 54 Mar 25 04:42 privkey.pem -> ../../archive/www.placeholder.com-0001/privkey1.pem
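
Added example (not part of the thread and not Certbot's own code): a shell check over the live/ and archive/ layout in the listing above, assuming the convention visible in its last block that each live/NAME/*.pem is a symlink into archive/NAME/. It reports missing, dangling and cross-directory links; the function names and the sample tree are constructed for this illustration.

```shell
#!/bin/sh
# Print one line per problem found under BASE/live; print nothing if all is well.
check_lineages() {
    base=$1
    archive=$(readlink -f "$base/archive")
    for live in "$base"/live/*/; do
        [ -d "$live" ] || continue
        name=$(basename "$live")
        for item in cert chain fullchain privkey; do
            link="${live}${item}.pem"
            if [ ! -L "$link" ]; then
                echo "$name: $item.pem is missing or is not a symlink"
            elif [ ! -e "$link" ]; then
                echo "$name: $item.pem is dangling -> $(readlink "$link")"
            else
                target=$(readlink -f "$link")
                case "$target" in
                    "$archive/$name/"*) ;;   # resolves into its own archive dir
                    *) echo "$name: $item.pem points outside archive/$name -> $target" ;;
                esac
            fi
        done
    done
}

# Constructed sample tree modelled on the listing above (empty placeholder files).
make_sample_tree() {
    t=$(mktemp -d)
    a="$t/archive/www.placeholder.com-0001"
    mkdir -p "$a" "$t/live/www.placeholder.com-0001" "$t/live/placeholder.com-0001"
    for item in cert chain fullchain privkey; do
        : > "$a/${item}1.pem"
        # Relative link into the same-named archive directory.
        ln -s "../../archive/www.placeholder.com-0001/${item}1.pem" \
            "$t/live/www.placeholder.com-0001/$item.pem"
        # Absolute link into a differently named archive directory.
        ln -s "$a/${item}1.pem" "$t/live/placeholder.com-0001/$item.pem"
    done
    echo "$t"
}

tree=$(make_sample_tree)
check_lineages "$tree"
rm -rf "$tree"
```

To audit a real host, call `check_lineages /etc/letsencrypt` as root instead of building the sample tree.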

This is really bizarre because you have literally dozens of certificates issued for your domain name since March, including six that were issued on Sunday.

@bmw, it looks like it must be a crash after issuance but before saving the cert to disk (!).

Site is still down with a bad cert, so it must not have saved.
I think I just need to not use SSL. I have been dealing with this for months now, I am ready to give up.

Thanks for your help, but I think I am just extending the inevitable. I tried to just remove the SSL stuff from the nginx config and it’s still redirecting to https after a cache flush in the browser, so I don’t know what to do besides a full OS reinstall and not using SSL.

If this happened in the dry-run I could just keep trying and figure it out, but this rate limit is like working in slow motion. I work a little, wait a week, work a little, wait a week… Normally I would just keep hammering away before seeking help, because I don’t know enough not to waste your time, and I do apologize for that, but normal web stuff is easy; this certificate stuff just is too much for me, it seems.

I have no doubt I set it up wrong or something, blindly following some tutorial, but it’s worked until it expired so I just don’t know; I just don’t know how to learn something that I can only fail at 5 times a week. I learn through hundreds of failures normally.

Ugh, sorry, I am frustrated and this is me rage-quitting lol.

Thanks again for your help. If there is nothing you need from it to help you fix some underlying legitimate problem (which I doubt exists), I am gonna wipe it and re-roll, as the gamer crowd would say.

Not as simple as a permission issue on the cert files?