Error renew certificate on Ubuntu VPS

My domain is:
ticketservice.shop

I ran this command:
certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ticketservice.shop-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 65, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 465, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    raise errors.CertStorageError(
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/ticketservice.shop-0001/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/ticketservice.shop-0001.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ticketservice.shop-0002.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 65, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 465, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    raise errors.CertStorageError(
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/ticketservice.shop-0002/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/ticketservice.shop-0002.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ticketservice.shop-0003.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 65, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 465, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    raise errors.CertStorageError(
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/ticketservice.shop-0003/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/ticketservice.shop-0003.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ticketservice.shop.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (ticketservice.shop) from /etc/letsencrypt/renewal/ticketservice.shop.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/ticketservice.shop/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/ticketservice.shop/fullchain.pem (failure)

Additionally, the following renewal configurations were invalid:
  /etc/letsencrypt/renewal/ticketservice.shop-0001.conf (parsefail)
  /etc/letsencrypt/renewal/ticketservice.shop-0002.conf (parsefail)
  /etc/letsencrypt/renewal/ticketservice.shop-0003.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 3 parse failure(s)

My web server is (include version):
nginx newest version

The operating system my web server runs on is (include version):
ubuntu 20.04.3 LTS

My hosting provider, if applicable, is:
Digital Ocean Ubuntu droplet

I can login to a root shell on my machine (yes or no, or I don't know):

YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.40.0

The server is running a WordPress multisite with some shop domains. Please help me understand why it isn't renewing.

You're running quite an old version of certbot, but that isn't likely to be your immediate problem--the bigger problem is that it looks like you've been doing some manual messing around in the /etc/letsencrypt directory. Let's see what all is there. Can you give the output of ls -lR /etc/letsencrypt/? Edit: and certbot certificates?

2 Likes

(or they downgraded certbot and the renewal conf belongs to a newer version)

1 Like

/etc/letsencrypt/:
total 32
drwxr-xr-x 3 root root 4096 Oct 27 17:36 accounts
drwx------ 6 root root 4096 Mar 24 12:34 archive
-rw-r--r-- 1 root root  121 Feb 11  2019 cli.ini
drwxr-xr-x 2 root root 4096 Mar 24 12:32 csr
drwx------ 2 root root 4096 Mar 24 12:32 keys
drwx------ 3 root root 4096 Oct 27 18:03 live
drwxr-xr-x 2 root root 4096 Oct 27 18:03 renewal
drwxr-xr-x 5 root root 4096 Oct 27 17:36 renewal-hooks

/etc/letsencrypt/accounts:
total 4
drwxr-xr-x 3 root root 4096 Oct 27 17:36 acme-v02.api.letsencrypt.org

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org:
total 4
drwx------ 3 root root 4096 Oct 27 17:36 directory

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory:
total 4
drwx------ 2 root root 4096 Oct 27 17:36 7275f6af82aa27fd0a83d268824ab75a

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/7275f6af82aa27fd0a83d268824ab75a:
total 12
-rw-r--r-- 1 root root   78 Oct 27 17:36 meta.json
-r-------- 1 root root 1632 Oct 27 17:36 private_key.json
-rw-r--r-- 1 root root   79 Oct 27 17:36 regr.json

/etc/letsencrypt/archive:
total 16
drwxr-xr-x 2 root root 4096 Oct 27 17:58 ticketservice.shop
drwxr-xr-x 2 root root 4096 Oct 27 17:54 ticketservice.shop-0001
drwxr-xr-x 2 root root 4096 Oct 27 17:59 ticketservice.shop-0002
drwxr-xr-x 2 root root 4096 Oct 27 18:03 ticketservice.shop-0003

/etc/letsencrypt/archive/ticketservice.shop:
total 40
-rw-r--r-- 1 root root 1850 Oct 27 17:36 cert1.pem
-rw-r--r-- 1 root root 1883 Oct 27 17:58 cert2.pem
-rw-r--r-- 1 root root 3750 Oct 27 17:36 chain1.pem
-rw-r--r-- 1 root root 3750 Oct 27 17:58 chain2.pem
-rw-r--r-- 1 root root 5600 Oct 27 17:36 fullchain1.pem
-rw-r--r-- 1 root root 5633 Oct 27 17:58 fullchain2.pem
-rw------- 1 root root 1700 Oct 27 17:36 privkey1.pem
-rw------- 1 root root 1708 Oct 27 17:58 privkey2.pem

/etc/letsencrypt/archive/ticketservice.shop-0001:
total 20
-rw-r--r-- 1 root root 1858 Oct 27 17:54 cert1.pem
-rw-r--r-- 1 root root 3750 Oct 27 17:54 chain1.pem
-rw-r--r-- 1 root root 5608 Oct 27 17:54 fullchain1.pem
-rw------- 1 root root 1704 Oct 27 17:54 privkey1.pem

/etc/letsencrypt/archive/ticketservice.shop-0002:
total 20
-rw-r--r-- 1 root root 1883 Oct 27 17:59 cert1.pem
-rw-r--r-- 1 root root 3750 Oct 27 17:59 chain1.pem
-rw-r--r-- 1 root root 5633 Oct 27 17:59 fullchain1.pem
-rw------- 1 root root 1704 Oct 27 17:59 privkey1.pem

/etc/letsencrypt/archive/ticketservice.shop-0003:
total 20
-rw-r--r-- 1 root root 1883 Oct 27 18:03 cert1.pem
-rw-r--r-- 1 root root 3750 Oct 27 18:03 chain1.pem
-rw-r--r-- 1 root root 5633 Oct 27 18:03 fullchain1.pem
-rw------- 1 root root 1704 Oct 27 18:03 privkey1.pem

/etc/letsencrypt/csr:
total 84
-rw-r--r-- 1 root root 928 Oct 27 17:36 0000_csr-certbot.pem
-rw-r--r-- 1 root root 944 Oct 27 17:45 0001_csr-certbot.pem
-rw-r--r-- 1 root root 944 Oct 27 17:46 0002_csr-certbot.pem
-rw-r--r-- 1 root root 932 Oct 27 17:50 0003_csr-certbot.pem
-rw-r--r-- 1 root root 932 Oct 27 17:50 0004_csr-certbot.pem
-rw-r--r-- 1 root root 936 Oct 27 17:50 0005_csr-certbot.pem
-rw-r--r-- 1 root root 932 Oct 27 17:52 0006_csr-certbot.pem
-rw-r--r-- 1 root root 932 Oct 27 17:52 0007_csr-certbot.pem
-rw-r--r-- 1 root root 932 Oct 27 17:53 0008_csr-certbot.pem
-rw-r--r-- 1 root root 960 Oct 27 17:58 0009_csr-certbot.pem
-rw-r--r-- 1 root root 960 Oct 27 17:59 0010_csr-certbot.pem
-rw-r--r-- 1 root root 960 Oct 27 18:03 0011_csr-certbot.pem
-rw-r--r-- 1 root root 960 Mar 24 12:13 0012_csr-certbot.pem
-rw-r--r-- 1 root root 960 Mar 24 12:17 0013_csr-certbot.pem
-rw-r--r-- 1 root root 960 Mar 24 12:18 0014_csr-certbot.pem
-rw-r--r-- 1 root root 960 Mar 24 12:18 0015_csr-certbot.pem
-rw-r--r-- 1 root root 960 Mar 24 12:20 0016_csr-certbot.pem
-rw-r--r-- 1 root root 960 Mar 24 12:20 0017_csr-certbot.pem
-rw-r--r-- 1 root root 960 Mar 24 12:27 0018_csr-certbot.pem
-rw-r--r-- 1 root root 960 Mar 24 12:30 0019_csr-certbot.pem
-rw-r--r-- 1 root root 960 Mar 24 12:32 0020_csr-certbot.pem

/etc/letsencrypt/keys:
total 84
-rw------- 1 root root 1700 Oct 27 17:36 0000_key-certbot.pem
-rw------- 1 root root 1704 Oct 27 17:45 0001_key-certbot.pem
-rw------- 1 root root 1704 Oct 27 17:46 0002_key-certbot.pem
-rw------- 1 root root 1704 Oct 27 17:50 0003_key-certbot.pem
-rw------- 1 root root 1704 Oct 27 17:50 0004_key-certbot.pem
-rw------- 1 root root 1704 Oct 27 17:50 0005_key-certbot.pem
-rw------- 1 root root 1704 Oct 27 17:52 0006_key-certbot.pem
-rw------- 1 root root 1704 Oct 27 17:52 0007_key-certbot.pem
-rw------- 1 root root 1704 Oct 27 17:53 0008_key-certbot.pem
-rw------- 1 root root 1708 Oct 27 17:58 0009_key-certbot.pem
-rw------- 1 root root 1704 Oct 27 17:59 0010_key-certbot.pem
-rw------- 1 root root 1704 Oct 27 18:03 0011_key-certbot.pem
-rw------- 1 root root 1704 Mar 24 12:13 0012_key-certbot.pem
-rw------- 1 root root 1708 Mar 24 12:17 0013_key-certbot.pem
-rw------- 1 root root 1704 Mar 24 12:18 0014_key-certbot.pem
-rw------- 1 root root 1708 Mar 24 12:18 0015_key-certbot.pem
-rw------- 1 root root 1704 Mar 24 12:20 0016_key-certbot.pem
-rw------- 1 root root 1704 Mar 24 12:20 0017_key-certbot.pem
-rw------- 1 root root 1704 Mar 24 12:27 0018_key-certbot.pem
-rw------- 1 root root 1704 Mar 24 12:30 0019_key-certbot.pem
-rw------- 1 root root 1704 Mar 24 12:32 0020_key-certbot.pem

/etc/letsencrypt/live:
total 8
-rw-r--r-- 1 root root  740 Oct 27 17:36 README
drwxr-xr-x 2 root root 4096 Oct 27 18:03 ticketservice.shop

/etc/letsencrypt/live/ticketservice.shop:
total 4
-rw-r--r-- 1 root root 692 Oct 27 18:03 README
lrwxrwxrwx 1 root root  47 Oct 27 18:03 cert.pem -> ../../archive/ticketservice.shop-0003/cert1.pem
lrwxrwxrwx 1 root root  48 Oct 27 18:03 chain.pem -> ../../archive/ticketservice.shop-0003/chain1.pem
lrwxrwxrwx 1 root root  52 Oct 27 18:03 fullchain.pem -> ../../archive/ticketservice.shop-0003/fullchain1.pem
lrwxrwxrwx 1 root root  50 Oct 27 18:03 privkey.pem -> ../../archive/ticketservice.shop-0003/privkey1.pem

/etc/letsencrypt/renewal:
total 16
-rw-r--r-- 1 root root 612 Oct 27 17:54 ticketservice.shop-0001.conf
-rw-r--r-- 1 root root 577 Oct 27 17:59 ticketservice.shop-0002.conf
-rw-r--r-- 1 root root 577 Oct 27 18:03 ticketservice.shop-0003.conf
-rw-r--r-- 1 root root 552 Oct 27 17:58 ticketservice.shop.conf

/etc/letsencrypt/renewal-hooks:
total 12
drwxr-xr-x 2 root root 4096 Oct 27 17:36 deploy
drwxr-xr-x 2 root root 4096 Oct 27 17:36 post
drwxr-xr-x 2 root root 4096 Oct 27 17:36 pre

/etc/letsencrypt/renewal-hooks/deploy:
total 0

/etc/letsencrypt/renewal-hooks/post:
total 0

/etc/letsencrypt/renewal-hooks/pre:
total 0

This is quite strange. You have renewal configuration files, and archived cert files, for four different certs: ticketservice.shop, ticketservice.shop-0001, ticketservice.shop-0002, and ticketservice.shop-0003. But you only have a live certificate directory for the first. Did you delete the other directories manually?

3 Likes
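
The mismatch pointed out in the reply above can be checked mechanically. This is an added example, not code from the thread or from Certbot: it walks renewal/*.conf and verifies that each lineage has live/<name>/*.pem symlinks resolving into its own archive/<name>/ directory. The function names audit_lineages and build_sample are hypothetical, and the sample tree is constructed from the listing above using empty placeholder files.

```python
import os
import tempfile
from pathlib import Path

ITEMS = ("cert", "chain", "fullchain", "privkey")

def audit_lineages(config_dir):
    """Return {lineage: [problems]} for every renewal/*.conf under config_dir."""
    root = Path(config_dir)
    report = {}
    for conf in sorted((root / "renewal").glob("*.conf")):
        name = conf.name[:-len(".conf")]
        problems = []
        for item in ITEMS:
            link = root / "live" / name / f"{item}.pem"
            if not link.is_symlink():  # also true when live/<name>/ is missing
                problems.append(f"{link.name}: not a symlink")
                continue
            target = (link.parent / os.readlink(link)).resolve()
            if not target.is_file():
                problems.append(f"{link.name}: dangling -> {target}")
            elif target.parent.name != name:
                problems.append(f"{link.name}: points into archive/{target.parent.name}")
        report[name] = problems
    return report

def build_sample(root):
    """Constructed tree mirroring the listing in the thread (placeholder files only)."""
    root = Path(root)
    names = ["ticketservice.shop"] + [f"ticketservice.shop-000{i}" for i in (1, 2, 3)]
    for n in names:
        (root / "archive" / n).mkdir(parents=True)
        for item in ITEMS:
            (root / "archive" / n / f"{item}1.pem").touch()
        (root / "renewal").mkdir(exist_ok=True)
        (root / "renewal" / f"{n}.conf").touch()
    live = root / "live" / "ticketservice.shop"
    live.mkdir(parents=True)
    for item in ITEMS:  # same targets as the live/ listing in the thread
        os.symlink(f"../../archive/ticketservice.shop-0003/{item}1.pem", live / f"{item}.pem")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, problems in audit_lineages(build_sample(tmp)).items():
            print(name, "OK" if not problems else problems)
```

On the constructed tree, the three -000N lineages are reported as having no symlinks, matching the CertStorageError lines in the renew output, and the live/ticketservice.shop links are flagged as pointing into archive/ticketservice.shop-0003.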

Not that I am aware of. Could it be because this is a WordPress multisite?

What is the best course of action?

First, make a backup of /etc/letsencrypt. Then try certbot delete --cert-name ticketservice.shop-0001. If that succeeds, repeat for -0002 and -0003, and then try the renewal again.

2 Likes

That didn't work out. Deleted all certificates including ticketservice.shop and generated a new one using:

sudo certbot certonly --manual --agree-tos --preferred-challenges dns -d ticketservice.shop -d *.ticketservice.shop

Then I got a rate limit error. Is it possible to circumvent that? The dry run is successful.

IMPORTANT NOTES:
 - The dry run was successful.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

For which rate limit? There are several, and some last as little as an hour.

Edit: and why did you delete a perfectly good certificate for ticketservice.shop?

3 Likes

An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: *.ticketservice.shop,ticketservice.shop: see https://letsencrypt.org/docs/rate-limits/

Because it wouldn't renew. After deleting it, the errors were gone in the dry-run.

But it did. Five times, all yesterday. I advised you to delete the broken certs; you deleted the perfectly valid cert as well. Wait a week, and you'll be able to create a new one.

3 Likes
