Error renew certificate on Ubuntu VPS

My domain is:
ticketservice.shop

I ran this command:
certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ticketservice.shop-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 65, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 465, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    raise errors.CertStorageError(
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/ticketservice.shop-0001/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/ticketservice.shop-0001.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ticketservice.shop-0002.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 65, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 465, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    raise errors.CertStorageError(
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/ticketservice.shop-0002/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/ticketservice.shop-0002.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ticketservice.shop-0003.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 65, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 465, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    raise errors.CertStorageError(
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/ticketservice.shop-0003/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/ticketservice.shop-0003.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ticketservice.shop.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (ticketservice.shop) from /etc/letsencrypt/renewal/ticketservice.shop.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/ticketservice.shop/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/ticketservice.shop/fullchain.pem (failure)

Additionally, the following renewal configurations were invalid:
  /etc/letsencrypt/renewal/ticketservice.shop-0001.conf (parsefail)
  /etc/letsencrypt/renewal/ticketservice.shop-0002.conf (parsefail)
  /etc/letsencrypt/renewal/ticketservice.shop-0003.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 3 parse failure(s)

My web server is (include version):
nginx newest version

The operating system my web server runs on is (include version):
ubuntu 20.04.3 LTS

My hosting provider, if applicable, is:
Digital Ocean Ubuntu droplet

I can login to a root shell on my machine (yes or no, or I don't know):

YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.40.0

The server is running a wordpress multisite with some shopdomains. Please help me understand why it isn't renewing.

You're running quite an old version of certbot, but that isn't likely to be your immediate problem--the bigger problem is that it looks like you've been doing some manual messing around in the /etc/letsencrypt directory. Let's see what all is there. Can you give the output of ls -lR /etc/letsencrypt/? Edit: and certbot certificates?

(or they downgraded certbot and the renewal conf belongs to a newer version)

/etc/letsencrypt/:
total 32
drwxr-xr-x 3 root root 4096 Oct 27 17:36 accounts
drwx------ 6 root root 4096 Mar 24 12:34 archive
-rw-r--r-- 1 root root  121 Feb 11  2019 cli.ini
drwxr-xr-x 2 root root 4096 Mar 24 12:32 csr
drwx------ 2 root root 4096 Mar 24 12:32 keys
drwx------ 3 root root 4096 Oct 27 18:03 live
drwxr-xr-x 2 root root 4096 Oct 27 18:03 renewal
drwxr-xr-x 5 root root 4096 Oct 27 17:36 renewal-hooks

/etc/letsencrypt/accounts:
total 4
drwxr-xr-x 3 root root 4096 Oct 27 17:36 acme-v02.api.letsencrypt.org

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org:
total 4
drwx------ 3 root root 4096 Oct 27 17:36 directory

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory:
total 4
drwx------ 2 root root 4096 Oct 27 17:36 7275f6af82aa27fd0a83d268824ab75a

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/7275f6af82aa27fd0a83d268824ab75a:
total 12
-rw-r--r-- 1 root root   78 Oct 27 17:36 meta.json
-r-------- 1 root root 1632 Oct 27 17:36 private_key.json
-rw-r--r-- 1 root root   79 Oct 27 17:36 regr.json

/etc/letsencrypt/archive:
total 16
drwxr-xr-x 2 root root 4096 Oct 27 17:58 ticketservice.shop
drwxr-xr-x 2 root root 4096 Oct 27 17:54 ticketservice.shop-0001
drwxr-xr-x 2 root root 4096 Oct 27 17:59 ticketservice.shop-0002
drwxr-xr-x 2 root root 4096 Oct 27 18:03 ticketservice.shop-0003

/etc/letsencrypt/archive/ticketservice.shop:
total 40
-rw-r--r-- 1 root root 1850 Oct 27 17:36 cert1.pem
-rw-r--r-- 1 root root 1883 Oct 27 17:58 cert2.pem
-rw-r--r-- 1 root root 3750 Oct 27 17:36 chain1.pem
-rw-r--r-- 1 root root 3750 Oct 27 17:58 chain2.pem
-rw-r--r-- 1 root root 5600 Oct 27 17:36 fullchain1.pem
-rw-r--r-- 1 root root 5633 Oct 27 17:58 fullchain2.pem
-rw------- 1 root root 1700 Oct 27 17:36 privkey1.pem
-rw------- 1 root root 1708 Oct 27 17:58 privkey2.pem

/etc/letsencrypt/archive/ticketservice.shop-0001:
total 20
-rw-r--r-- 1 root root 1858 Oct 27 17:54 cert1.pem
-rw-r--r-- 1 root root 3750 Oct 27 17:54 chain1.pem
-rw-r--r-- 1 root root 5608 Oct 27 17:54 fullchain1.pem
-rw------- 1 root root 1704 Oct 27 17:54 privkey1.pem

/etc/letsencrypt/archive/ticketservice.shop-0002:
total 20
-rw-r--r-- 1 root root 1883 Oct 27 17:59 cert1.pem
-rw-r--r-- 1 root root 3750 Oct 27 17:59 chain1.pem
-rw-r--r-- 1 root root 5633 Oct 27 17:59 fullchain1.pem
-rw------- 1 root root 1704 Oct 27 17:59 privkey1.pem

/etc/letsencrypt/archive/ticketservice.shop-0003:
total 20
-rw-r--r-- 1 root root 1883 Oct 27 18:03 cert1.pem
-rw-r--r-- 1 root root 3750 Oct 27 18:03 chain1.pem
-rw-r--r-- 1 root root 5633 Oct 27 18:03 fullchain1.pem
-rw------- 1 root root 1704 Oct 27 18:03 privkey1.pem

/etc/letsencrypt/csr:
total 84
-rw-r--r-- 1 root root 928 Oct 27 17:36 0000_csr-certbot.pem
-rw-r--r-- 1 root root 944 Oct 27 17:45 0001_csr-certbot.pem
-rw-r--r-- 1 root root 944 Oct 27 17:46 0002_csr-certbot.pem
-rw-r--r-- 1 root root 932 Oct 27 17:50 0003_csr-certbot.pem
-rw-r--r-- 1 root root 932 Oct 27 17:50 0004_csr-certbot.pem
-rw-r--r-- 1 root root 936 Oct 27 17:50 0005_csr-certbot.pem
-rw-r--r-- 1 root root 932 Oct 27 17:52 0006_csr-certbot.pem
-rw-r--r-- 1 root root 932 Oct 27 17:52 0007_csr-certbot.pem
-rw-r--r-- 1 root root 932 Oct 27 17:53 0008_csr-certbot.pem
-rw-r--r-- 1 root root 960 Oct 27 17:58 0009_csr-certbot.pem
-rw-r--r-- 1 root root 960 Oct 27 17:59 0010_csr-certbot.pem
-rw-r--r-- 1 root root 960 Oct 27 18:03 0011_csr-certbot.pem
-rw-r--r-- 1 root root 960 Mar 24 12:13 0012_csr-certbot.pem
-rw-r--r-- 1 root root 960 Mar 24 12:17 0013_csr-certbot.pem
-rw-r--r-- 1 root root 960 Mar 24 12:18 0014_csr-certbot.pem
-rw-r--r-- 1 root root 960 Mar 24 12:18 0015_csr-certbot.pem
-rw-r--r-- 1 root root 960 Mar 24 12:20 0016_csr-certbot.pem
-rw-r--r-- 1 root root 960 Mar 24 12:20 0017_csr-certbot.pem
-rw-r--r-- 1 root root 960 Mar 24 12:27 0018_csr-certbot.pem
-rw-r--r-- 1 root root 960 Mar 24 12:30 0019_csr-certbot.pem
-rw-r--r-- 1 root root 960 Mar 24 12:32 0020_csr-certbot.pem

/etc/letsencrypt/keys:
total 84
-rw------- 1 root root 1700 Oct 27 17:36 0000_key-certbot.pem
-rw------- 1 root root 1704 Oct 27 17:45 0001_key-certbot.pem
-rw------- 1 root root 1704 Oct 27 17:46 0002_key-certbot.pem
-rw------- 1 root root 1704 Oct 27 17:50 0003_key-certbot.pem
-rw------- 1 root root 1704 Oct 27 17:50 0004_key-certbot.pem
-rw------- 1 root root 1704 Oct 27 17:50 0005_key-certbot.pem
-rw------- 1 root root 1704 Oct 27 17:52 0006_key-certbot.pem
-rw------- 1 root root 1704 Oct 27 17:52 0007_key-certbot.pem
-rw------- 1 root root 1704 Oct 27 17:53 0008_key-certbot.pem
-rw------- 1 root root 1708 Oct 27 17:58 0009_key-certbot.pem
-rw------- 1 root root 1704 Oct 27 17:59 0010_key-certbot.pem
-rw------- 1 root root 1704 Oct 27 18:03 0011_key-certbot.pem
-rw------- 1 root root 1704 Mar 24 12:13 0012_key-certbot.pem
-rw------- 1 root root 1708 Mar 24 12:17 0013_key-certbot.pem
-rw------- 1 root root 1704 Mar 24 12:18 0014_key-certbot.pem
-rw------- 1 root root 1708 Mar 24 12:18 0015_key-certbot.pem
-rw------- 1 root root 1704 Mar 24 12:20 0016_key-certbot.pem
-rw------- 1 root root 1704 Mar 24 12:20 0017_key-certbot.pem
-rw------- 1 root root 1704 Mar 24 12:27 0018_key-certbot.pem
-rw------- 1 root root 1704 Mar 24 12:30 0019_key-certbot.pem
-rw------- 1 root root 1704 Mar 24 12:32 0020_key-certbot.pem

/etc/letsencrypt/live:
total 8
-rw-r--r-- 1 root root  740 Oct 27 17:36 README
drwxr-xr-x 2 root root 4096 Oct 27 18:03 ticketservice.shop

/etc/letsencrypt/live/ticketservice.shop:
total 4
-rw-r--r-- 1 root root 692 Oct 27 18:03 README
lrwxrwxrwx 1 root root  47 Oct 27 18:03 cert.pem -> ../../archive/ticketservice.shop-0003/cert1.pem
lrwxrwxrwx 1 root root  48 Oct 27 18:03 chain.pem -> ../../archive/ticketservice.shop-0003/chain1.pem
lrwxrwxrwx 1 root root  52 Oct 27 18:03 fullchain.pem -> ../../archive/ticketservice.shop-0003/fullchain1.pem
lrwxrwxrwx 1 root root  50 Oct 27 18:03 privkey.pem -> ../../archive/ticketservice.shop-0003/privkey1.pem

/etc/letsencrypt/renewal:
total 16
-rw-r--r-- 1 root root 612 Oct 27 17:54 ticketservice.shop-0001.conf
-rw-r--r-- 1 root root 577 Oct 27 17:59 ticketservice.shop-0002.conf
-rw-r--r-- 1 root root 577 Oct 27 18:03 ticketservice.shop-0003.conf
-rw-r--r-- 1 root root 552 Oct 27 17:58 ticketservice.shop.conf

/etc/letsencrypt/renewal-hooks:
total 12
drwxr-xr-x 2 root root 4096 Oct 27 17:36 deploy
drwxr-xr-x 2 root root 4096 Oct 27 17:36 post
drwxr-xr-x 2 root root 4096 Oct 27 17:36 pre

/etc/letsencrypt/renewal-hooks/deploy:
total 0

/etc/letsencrypt/renewal-hooks/post:
total 0

/etc/letsencrypt/renewal-hooks/pre:
total 0

This is quite strange. You have renewal configuration files, and archived cert files, for four different certs: ticketservice.shop, ticketservice.shop-0001, ticketservice.shop-0002, and ticketservice.shop-0003. But you only have a live certificate directory for the first. Did you delete the other directories manually?

Not that I am aware of. Could it be because this a wordpress multisite?

What is the best course of action?

First, make a backup of /etc/letsencrypt. Then try certbot delete --cert-name ticketservice.shop-0001. If that succeeds, repeat for -0002 and -0003, and then try the renewal again.

That didn't work out. Deleted al certificates including ticketservice.shop and generated a new one using.

sudo certbot certonly --manual --agree-tos --preferred-challenges dns -d ticketservice.shop -d *.ticketservice.shop

Then i got an rate limit error. Is it possible to circumvent that? The dry run is succesfull.

IMPORTANT NOTES:
 - The dry run was successful.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

For which rate limit? There are several, and some last as little as an hour.

Edit: and why did you delete a perfectly good certificate for ticketservice.shop?

An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too                                       many certificates (5) already issued for this exact set of domains in the last 1                                      68 hours: *.ticketservice.shop,ticketservice.shop: see https://letsencrypt.org/d                                      ocs/rate-limits/

Because it wouldn't renew. After deleting it the error where gone in the dry-run.

But it did. Five times, all yesterday. I advised you to delete the broken certs; you deleted the perfectly valid cert as well. Wait a week, and you'll be able to create a new one.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.