Error when creating certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:webmail.bering-kopal.de

I ran this command: certbot --apache -d webmail.bering-kopal.de

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/crypto_util.py", line 334, in _load_cert_or_req
return load_func(typ, cert_or_req_str)
File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1756, in load_certificate
_raise_current_error()
File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.crypto.Error: [('PEM routines', 'PEM_read_bio', 'no start line')]
An unexpected error occurred:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1114, in run
should_get_cert, lineage = _find_cert(config, domains, certname)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 286, in _find_cert
action, lineage = _find_lineage_for_domains_and_certname(config, domains, certname)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 313, in _find_lineage_for_domains_and_certname
return _find_lineage_for_domains(config, domains)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 257, in _find_lineage_for_domains
ident_names_cert, subset_names_cert = cert_manager.find_duplicative_certs(config, domains)
File "/usr/lib/python3/dist-packages/certbot/cert_manager.py", line 167, in find_duplicative_certs
return _search_lineages(config, update_certs_for_domain_matches, (None, None))
File "/usr/lib/python3/dist-packages/certbot/cert_manager.py", line 388, in _search_lineages
rv = func(candidate_lineage, rv, *args)
File "/usr/lib/python3/dist-packages/certbot/cert_manager.py", line 155, in update_certs_for_domain_matches
candidate_names = set(candidate_lineage.names())
File "/usr/lib/python3/dist-packages/certbot/storage.py", line 880, in names
return crypto_util.get_names_from_cert(f.read())
File "/usr/lib/python3/dist-packages/certbot/crypto_util.py", line 382, in get_names_from_cert
csr, crypto.load_certificate, typ)
File "/usr/lib/python3/dist-packages/certbot/crypto_util.py", line 362, in _get_names_from_cert_or_req
loaded_cert_or_req = _load_cert_or_req(cert_or_req, load_func, typ)
File "/usr/lib/python3/dist-packages/certbot/crypto_util.py", line 334, in _load_cert_or_req
return load_func(typ, cert_or_req_str)
File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1756, in load_certificate
_raise_current_error()
File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.crypto.Error: [('PEM routines', 'PEM_read_bio', 'no start line')]
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version):
Server version: Apache/2.4.7 (Ubuntu)
Server built: Apr 3 2019 18:04:25

The operating system my web server runs on is (include version):
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.6 LTS
Release: 14.04
Codename: trusty

My hosting provider, if applicable, is:
selfhosting

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no. i use putty.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

From the error stack, I would guess that one of the certificate files in your /etc/letsencrypt directory has become truncated or corrupted.

What's the output of:

sudo ls -lLR /etc/letsencrypt/live

/etc/letsencrypt/live/federn-forum.de:
total 20
-rw-r--r-- 1 root root 1870 Dec 29 00:19 cert.pem
-rw-r--r-- 1 root root 1586 Dec 29 00:19 chain.pem
-rw-r--r-- 1 root root 3456 Dec 29 00:19 fullchain.pem
-rw-r--r-- 1 root root 1704 Dec 29 00:19 privkey.pem
-rw-r--r-- 1 root root 543 Mar 3 2018 README

/etc/letsencrypt/live/matomo.ibumedia.de:
total 20
-rw-r--r-- 1 root root 1850 Dec 29 00:19 cert.pem
-rw-r--r-- 1 root root 1586 Dec 29 00:19 chain.pem
-rw-r--r-- 1 root root 3436 Dec 29 00:19 fullchain.pem
-rw-r--r-- 1 root root 1704 Dec 29 00:19 privkey.pem
-rw-r--r-- 1 root root 543 Mar 3 2018 README

/etc/letsencrypt/live/piwik.ibumedia.de:
total 20
-rw-r--r-- 1 root root 1883 Dec 29 00:19 cert.pem
-rw-r--r-- 1 root root 1586 Dec 29 00:19 chain.pem
-rw-r--r-- 1 root root 3469 Dec 29 00:19 fullchain.pem
-rw-r--r-- 1 root root 1704 Dec 29 00:19 privkey.pem
-rw-r--r-- 1 root root 543 Mar 3 2018 README

/etc/letsencrypt/live/piwik.ibumedia.de-0001:
total 20
-rw-r--r-- 1 root root 1850 Dec 29 00:19 cert.pem
-rw-r--r-- 1 root root 1586 Dec 29 00:19 chain.pem
-rw-r--r-- 1 root root 3436 Dec 29 00:19 fullchain.pem
-rw-r--r-- 1 root root 1704 Dec 29 00:19 privkey.pem
-rw-r--r-- 1 root root 543 Mar 27 2018 README

/etc/letsencrypt/live/roundcube.ibumedia.de:
total 20
-rw-r--r-- 1 root root 1858 Dec 29 00:19 cert.pem
-rw-r--r-- 1 root root 1586 Dec 29 00:19 chain.pem
-rw-r--r-- 1 root root 3444 Dec 29 00:19 fullchain.pem
-rw-r--r-- 1 root root 1704 Dec 29 00:19 privkey.pem
-rw-r--r-- 1 root root 692 Jan 31 2019 README

/etc/letsencrypt/live/shariff2.ibumedia.de:
total 20
-rw-r--r-- 1 root root 1858 Dec 29 00:20 cert.pem
-rw-r--r-- 1 root root 1586 Dec 29 00:20 chain.pem
-rw-r--r-- 1 root root 3444 Dec 29 00:20 fullchain.pem
-rw-r--r-- 1 root root 1704 Dec 29 00:20 privkey.pem
-rw-r--r-- 1 root root 543 Jun 26 2018 README

/etc/letsencrypt/live/statistic.ibumedia.de:
total 20
-rw-r--r-- 1 root root 1858 Dec 29 00:20 cert.pem
-rw-r--r-- 1 root root 1586 Dec 29 00:20 chain.pem
-rw-r--r-- 1 root root 3444 Dec 29 00:20 fullchain.pem
-rw-r--r-- 1 root root 1704 Dec 29 00:20 privkey.pem
-rw-r--r-- 1 root root 543 Mar 27 2018 README

/etc/letsencrypt/live/webmail.ibumedia.de:
total 20
-rw-r--r-- 1 root root 1883 Dec 29 00:21 cert.pem
-rw-r--r-- 1 root root 1586 Dec 29 00:21 chain.pem
-rw-r--r-- 1 root root 3469 Dec 29 00:21 fullchain.pem
-rw-r--r-- 1 root root 1704 Dec 29 00:21 privkey.pem
-rw-r--r-- 1 root root 543 Mar 3 2018 README

/etc/letsencrypt/live/webmail.ibumedia.de-0001:
total 20
-rw-r--r-- 1 root root 1854 Dec 29 00:21 cert.pem
-rw-r--r-- 1 root root 1586 Dec 29 00:21 chain.pem
-rw-r--r-- 1 root root 3440 Dec 29 00:21 fullchain.pem
-rw-r--r-- 1 root root 1704 Dec 29 00:21 privkey.pem
-rw-r--r-- 1 root root 692 Jan 31 2019 README

/etc/letsencrypt/live/webmail.kantinele.de:
total 4
-rw-r--r-- 1 root root 0 Feb 22 2020 cert.pem
-rw-r--r-- 1 root root 0 Feb 22 2020 chain.pem
-rw-r--r-- 1 root root 0 Feb 22 2020 fullchain.pem
-rw-r--r-- 1 root root 0 Feb 22 2020 privkey.pem
-rw-r--r-- 1 root root 543 Mar 3 2018 README

/etc/letsencrypt/live/webmail.kantinele.de-0001:
total 20
-rw-r--r-- 1 root root 1854 Dec 29 00:21 cert.pem
-rw-r--r-- 1 root root 1586 Dec 29 00:21 chain.pem
-rw-r--r-- 1 root root 3440 Dec 29 00:21 fullchain.pem
-rw-r--r-- 1 root root 1704 Dec 29 00:21 privkey.pem
-rw-r--r-- 1 root root 543 Mar 3 2018 README

/etc/letsencrypt/live/webmail.nimbus-group.com:
total 20
-rw-r--r-- 1 root root 1866 Dec 29 00:21 cert.pem
-rw-r--r-- 1 root root 1586 Dec 29 00:21 chain.pem
-rw-r--r-- 1 root root 3452 Dec 29 00:21 fullchain.pem
-rw-r--r-- 1 root root 1704 Dec 29 00:21 privkey.pem
-rw-r--r-- 1 root root 543 Mar 3 2018 README

/etc/letsencrypt/live/webmail.p-l-c.eu:
total 20
-rw-r--r-- 1 root root 1846 Dec 29 00:22 cert.pem
-rw-r--r-- 1 root root 1586 Dec 29 00:22 chain.pem
-rw-r--r-- 1 root root 3432 Dec 29 00:22 fullchain.pem
-rw-r--r-- 1 root root 1704 Dec 29 00:22 privkey.pem
-rw-r--r-- 1 root root 543 Mar 3 2018 README

/etc/letsencrypt/live/www.federn-forum.de:
total 20
-rw-r--r-- 1 root root 1854 Dec 29 00:22 cert.pem
-rw-r--r-- 1 root root 1586 Dec 29 00:22 chain.pem
-rw-r--r-- 1 root root 3440 Dec 29 00:22 fullchain.pem
-rw-r--r-- 1 root root 1704 Dec 29 00:22 privkey.pem
-rw-r--r-- 1 root root 692 Jan 31 2019 README

There it is. All those files are empty and it's causing Certbot to crash.

1 Like

what i did is:
certbot delete --cert-name webmail.bering-kopal.de
certbot delete --cert-name webmail.bering-kopal.de-0001
and
rm -R /etc/letsencrypt/live/webmail.bering-kopal.de-0001/

cause I get an error from the server:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/crypto_util.py", line 334, in _load_cert_or_req
return load_func(typ, cert_or_req_str)
File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1756, in load_certificate
_raise_current_error()
File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.crypto.Error: [('PEM routines', 'PEM_read_bio', 'no start line')] Renewal configuration file /etc/letsencrypt/renewal/webmail.kantinele.de.conf (cert: webmail.kantinele.de) produced an unexpected error: [('PEM routines', 'PEM_read_bio', 'no start line')]. Skipping.
Cert not yet due for renewal
Cert not yet due for renewal
Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/shariff.gwen-mag.de/fullchain.pem (failure)
/etc/letsencrypt/live/webmail.bering-kopal.de/fullchain.pem (failure)
/etc/letsencrypt/live/webmail.gwen-mag.de/fullchain.pem (failure) Running post-hook command: service apache2 reload Output from service:

  • Reloading web server apache2

The ls output that you posted above, was that before or after you ran certbot delete?

after i post the error

but the reported error from the server was the reason why I did the delete statement

Well, as long as these files and directories don't exist anymore:

  • /etc/letsencrypt/live/webmail.kantinele.de
  • /etc/letsencrypt/archive/webmail.kantinele.de
  • /etc/letsencrypt/renewal/webmail.kantinele.de.conf

then Certbot should start working again and not produce that error anymore.

If you ran that certbot delete command from earlier, this should already be the case.

Thanks this worked!
certbot --apache -d webmail.bering-kopal.de

I could create the certificate.

Now I like to correct the problem with webmail.kantinele.de

certbot renew --cert-name webmail.kantinele.de --force-renewal

I got an error:
No certificate found with name webmail.kantinele.de (expected /etc/letsencrypt/renewal/webmail.kantinele.de.conf)

waht is to do?

I did now:
certbot renew --cert-name webmail.kantinele.de-0001 --force-renewal

and this worked.

Thanks for your great help.
You and your team are very special ... very good!

1 Like

You should never have to manually remove anything from within the /etc/letsencrypt/ path.

Glad to see it's now working :slight_smile: