Error with letsencrypt renew


#1

Hi, I can't get renew to work. Can you point me in the right direction to fix this?
Ubuntu 14.04, zimbra server 8.6

--version letsencrypt 0.5.0

root@mail:/letsencrypt# ./letsencrypt-auto renew
Checking for new version...
Requesting root privileges to run letsencrypt...
/root/.local/share/letsencrypt/bin/letsencrypt renew


Processing /etc/letsencrypt/renewal/dryg.org.conf

2016-04-06 09:18:39,332:WARNING:letsencrypt.renewal:Renewal configuration file /etc/letsencrypt/renewal/dryg.org.conf is broken. Skipping.
An unexpected error occurred:
TypeError: append() takes exactly one argument (2 given)
Please see the logfiles in /var/log/letsencrypt for more details.

root@mail:/letsencrypt# cat /var/log/letsencrypt/letsencrypt.log
2016-04-06 07:38:58,285:DEBUG:letsencrypt.main:Root logging level set at 30
2016-04-06 07:38:58,286:INFO:letsencrypt.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-04-06 07:38:58,286:DEBUG:letsencrypt.main:letsencrypt version: 0.5.0
2016-04-06 07:38:58,286:DEBUG:letsencrypt.main:Arguments: []
2016-04-06 07:38:58,286:DEBUG:letsencrypt.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-04-06 07:38:58,289:WARNING:letsencrypt.renewal:Renewal configuration file /etc/letsencrypt/renewal/dryg.org.conf is broken. Skipping.
2016-04-06 07:38:58,290:DEBUG:letsencrypt.renewal:Traceback was:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/renewal.py", line 62, in _reconstitute
    full_path, configuration.RenewerConfiguration(config))
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/storage.py", line 265, in __init__
    self._check_symlinks()
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/storage.py", line 273, in _check_symlinks
    "expected {0} to be a symlink".format(link))
CertStorageError: expected /etc/letsencrypt/live/dryg.org/cert.pem to be a symlink

2016-04-06 07:38:58,290:DEBUG:letsencrypt.main:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/main.py", line 692, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/main.py", line 538, in renew
    renewal.renew_all_lineages(config)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/renewal.py", line 355, in renew_all_lineages
    renew_skipped, parse_failures)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/renewal.py", line 290, in _renew_describe_results
    notify(parse_failures, "parsefail")
TypeError: append() takes exactly one argument (2 given)


#2

This line stands out. Did you modify, delete or move that file at any point?

All files in /etc/letsencrypt/live/dryg.org should be symlinks, not actual files. Try running ls -l /etc/letsencrypt/live/dryg.org and confirm it looks somewhat like this:

lrwxrwxrwx 1 root root 41 Apr  4 10:09 cert.pem -> ../../archive/dryg.org/cert2.pem
lrwxrwxrwx 1 root root 42 Apr  4 10:09 chain.pem -> ../../archive/dryg.org/chain2.pem
lrwxrwxrwx 1 root root 46 Apr  4 10:09 fullchain.pem -> ../../archive/dryg.org/fullchain2.pem
lrwxrwxrwx 1 root root 44 Apr  4 10:09 privkey.pem -> ../../archive/dryg.org/privkey2.pem

You can re-create those symlinks with ln -s /etc/letsencrypt/archive/dryg.org/cert2.pem /etc/letsencrypt/live/dryg.org/cert.pem. The first path should lead to the most recent file in /etc/letsencrypt/archive/dryg.org/ (highest number after “cert”).
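
A read-only check for the condition described in this reply, as an added example that is not part of the original post: it reports any entry under live/<domain> that is not a symlink, or that does not point at the highest-numbered file in archive/<domain>. The LE_ROOT variable and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example: read-only audit of one lineage's live/ directory.
# LE_ROOT is an assumption of this example so the check can run on a copy.
LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"

# newest_index DOMAIN KIND: print the highest N with archive/DOMAIN/KINDN.pem
newest_index() {
    best=0
    for f in "$LE_ROOT/archive/$1/$2"[0-9]*.pem; do
        [ -e "$f" ] || continue
        n=${f##*/}; n=${n#"$2"}; n=${n%.pem}
        case "$n" in ''|*[!0-9]*) continue ;; esac
        if [ "$n" -gt "$best" ]; then best=$n; fi
    done
    echo "$best"
}

# check_lineage DOMAIN: one status line per file; returns 1 if any is wrong
check_lineage() {
    rc=0
    for kind in cert chain fullchain privkey; do
        link="$LE_ROOT/live/$1/$kind.pem"
        newest="$kind$(newest_index "$1" "$kind").pem"
        if [ ! -L "$link" ]; then
            # A regular file here is what raises CertStorageError on renew
            echo "NOT-LINK $kind.pem missing or a regular file (expected link to archive/$1/$newest)"; rc=1
        elif [ ! -e "$link" ]; then
            echo "DANGLING $kind.pem -> $(readlink "$link")"; rc=1
        elif [ "$(basename "$(readlink "$link")")" != "$newest" ]; then
            echo "STALE    $kind.pem -> $(readlink "$link") (newest: $newest)"; rc=1
        else
            echo "OK       $kind.pem -> $(readlink "$link")"
        fi
    done
    return "$rc"
}

# Run the audit when a domain is given on the command line
if [ $# -gt 0 ]; then check_lineage "$1"; fi
```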


#3

Hi

Thanks for the reply
Files were not moved or deleted, moved git “letsencrypt” directory though before doing the install, maybe that broke things.
Looks like this at the moment.

root@mail:/letsencrypt# ls -l /etc/letsencrypt/live/dryg.org
total 8
-rw-r--r-- 1 root root 1805 Apr 6 08:49 cert.pem
-rw-r--r-- 1 root root 2848 Apr 6 08:49 chain.pem
lrwxrwxrwx 1 root root 37 Apr 6 08:35 fullchain.pem -> ../../archive/dryg.org/fullchain1.pem
lrwxrwxrwx 1 root root 35 Apr 6 08:35 privkey.pem -> ../../archive/dryg.org/privkey1.pem
root@mail:/letsencrypt# ls -l /etc/letsencrypt/archive/dryg.org
total 16
-rw-r--r-- 1 root root 1805 Apr 6 08:35 cert1.pem
-rw-r--r-- 1 root root 2848 Apr 6 08:45 chain1.pem
-rw-r--r-- 1 root root 3452 Apr 6 08:35 fullchain1.pem
-rw-r--r-- 1 root root 1704 Apr 6 08:35 privkey1.pem

Fixed symlinks, ran renew again with the following results

Requesting root privileges to run letsencrypt...
/root/.local/share/letsencrypt/bin/letsencrypt renew


Processing /etc/letsencrypt/renewal/dryg.org.conf

The following certs are not due for renewal yet:
/etc/letsencrypt/live/dryg.org/fullchain.pem (skipped)
No renewals were attempted.

yey!

Follow-up question: since it's Zimbra and special measures were taken to build the intermediate and deploy the certs, look at
https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate

Will I have to do this every time?

Best of regards and superthanks!


#4

I would recommend writing a small bash script to do that.
Based on that wiki page, the steps would probably be something like:

Run letsencrypt renew, use --post-hook to run a bash script in case a certificate was renewed. This bash script might do something like:

  1. Create a new chain file that includes the root CA, i.e. something like cat chain.pem root.pem > root_chain.pem
  2. Copy privkey.pem to /opt/zimbra/ssl/zimbra/commercial/commercial.key
  3. Run /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem root_chain.pem
  4. Run zmcontrol restart.

(Note: I haven’t tested this, and I’m not familiar with Zimbra, so make sure to test this properly and verify I haven’t missed anything. :smile:)
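
The four steps above collected into one hook script, as an added example that is not part of the original post and, like the steps themselves, has not been run against a real Zimbra install. The location of root.pem, the LAST marker file and the "run" argument are assumptions of the example; the Zimbra paths and commands are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: hook script following the four steps listed above.
# Not tested against a real Zimbra install. ROOT_CA and LAST are assumed
# locations; every path can be overridden from the environment.
LIVE="${LIVE:-/etc/letsencrypt/live/dryg.org}"
ROOT_CA="${ROOT_CA:-/etc/letsencrypt/root.pem}"
ZKEY="${ZKEY:-/opt/zimbra/ssl/zimbra/commercial/commercial.key}"
ZMCERTMGR="${ZMCERTMGR:-/opt/zimbra/bin/zmcertmgr}"
ZMCONTROL="${ZMCONTROL:-zmcontrol}"
LAST="${LAST:-/var/lib/letsencrypt-zimbra-last-cert.pem}"  # copy of last deployed cert

deploy_to_zimbra() {
    # Refuse to touch Zimbra unless every input exists and is non-empty
    for f in "$LIVE/cert.pem" "$LIVE/chain.pem" "$LIVE/privkey.pem" "$ROOT_CA"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    # Same certificate as the last deployment: skip the mail server restart
    if cmp -s "$LIVE/cert.pem" "$LAST" 2>/dev/null; then
        echo "unchanged"; return 0
    fi
    work=$(mktemp -d) || return 1
    rc=0
    # Step 1: intermediate chain followed by the root CA
    cat "$LIVE/chain.pem" "$ROOT_CA" > "$work/root_chain.pem" || rc=1
    # Step 2: private key to the commercial.key path given in the post
    if [ "$rc" -eq 0 ]; then cp "$LIVE/privkey.pem" "$ZKEY" || rc=1; fi
    # Step 3: deploy the certificate together with the chain built in step 1
    if [ "$rc" -eq 0 ]; then
        "$ZMCERTMGR" deploycrt comm "$LIVE/cert.pem" "$work/root_chain.pem" || rc=1
    fi
    # Step 4: restart only after a successful deployment, then record the cert
    if [ "$rc" -eq 0 ]; then
        "$ZMCONTROL" restart && cp "$LIVE/cert.pem" "$LAST" || rc=1
    fi
    rm -rf "$work"
    if [ "$rc" -eq 0 ]; then echo "deployed"; else echo "deploy failed" >&2; fi
    return "$rc"
}

# Run only when called as "<script> run", e.g. from --post-hook
if [ "${1:-}" = "run" ]; then deploy_to_zimbra; fi
```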


#5

Sweet, I'll give it a go!

Thanks

