Getting the following error while renewing the certs error

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:rollingstone.ai

I ran this command: sudo certbot renew --quiet

It produced this output:
Failed to renew certificate live.rollingstone.ai with error: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/a858702fa5a31120a6e4560f1e1ceb93 does not exist

Failed to renew certificate pma.rollingstone.ai with error: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/6893b220661cd7685680280a26f1a89b does not exist

Failed to renew certificate rollingstone.ai with error: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/6893b220661cd7685680280a26f1a89b does not exist

Failed to renew certificate stagging.rollingstone.ai with error: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/6893b220661cd7685680280a26f1a89b does not exist

My web server is (include version):
nginx version: nginx/1.14.1

The operating system my web server runs on is (include version):
CentOS Linux release 8.4.2105

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot --version
certbot 1.20.0

1 Like
2

Welcome to the Let's Encrypt Community :slightly_smiling_face:

It appears that your ACME account credentials or a symlink to them has been deleted.

What is the output of:

sudo ls -lRa /etc/letsencrypt

Please put 3 backticks above and below the output, like this:

```
output
```

3 Likes
3

sudo ls -lRa /etc/letsencrypt
/etc/letsencrypt:
total 60
drwxr-xr-x. 9 root root 4096 Dec 1 17:12 .
drwxr-xr-x. 91 root root 4096 Nov 17 17:40 ..
-rw-r--r--. 1 root root 64 Nov 6 06:26 .updated-options-ssl-nginx-conf-digest.txt
drwx------. 4 root root 4096 Nov 6 06:32 accounts
drwxr-xr-x. 6 root root 4096 Nov 15 16:46 archive
-rw-r--r--. 1 root root 30 Oct 6 06:45 cli.ini
drwxr-xr-x. 2 rsadmini rsadmini 4096 Nov 6 06:23 csr
drwx------. 2 rsadmini rsadmini 4096 Nov 6 06:23 keys
drwxr-xr-x. 6 root root 4096 Nov 15 16:51 live
-rw-r--r--. 1 root root 365 Nov 6 05:10 options-ssl-nginx.conf
drwxr-xr-x. 2 rsadmini rsadmini 4096 Nov 15 16:46 renewal
drwxr-xr-x. 5 root root 4096 Nov 6 05:39 renewal-hooks
-rw-r--r--. 1 root root 6202 Nov 15 16:25 rollingstone.ai.tar.gz
-rw-r--r--. 1 root root 424 Nov 6 05:11 ssl-dhparams.pem

/etc/letsencrypt/accounts:
total 16
drwx------. 4 root root 4096 Nov 6 06:32 .
drwxr-xr-x. 9 root root 4096 Dec 1 17:12 ..
drwx------. 3 root root 4096 Nov 6 06:32 acme-staging-v02.api.letsencrypt.org
drwx------. 3 root root 4096 Nov 6 06:26 acme-v02.api.letsencrypt.org

/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org:
total 12
drwx------. 3 root root 4096 Nov 6 06:32 .
drwx------. 4 root root 4096 Nov 6 06:32 ..
drwx------. 3 root root 4096 Nov 6 06:32 directory

/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory:
total 12
drwx------. 3 root root 4096 Nov 6 06:32 .
drwx------. 3 root root 4096 Nov 6 06:32 ..
drwx------. 2 root root 4096 Nov 6 06:32 5926898d7b23c36c50bb1fd577e06e44

/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory/5926898d7b23c36c50bb1fd577e06e44:
total 20
drwx------. 2 root root 4096 Nov 6 06:32 .
drwx------. 3 root root 4096 Nov 6 06:32 ..
-rw-r--r--. 1 root root 80 Nov 6 06:32 meta.json
-r--------. 1 root root 1632 Nov 6 06:32 private_key.json
-rw-r--r--. 1 root root 86 Nov 6 06:32 regr.json

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org:
total 12
drwx------. 3 root root 4096 Nov 6 06:26 .
drwx------. 4 root root 4096 Nov 6 06:32 ..
drwx------. 3 root root 4096 Nov 6 06:26 directory

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory:
total 12
drwx------. 3 root root 4096 Nov 6 06:26 .
drwx------. 3 root root 4096 Nov 6 06:26 ..
drwx------. 2 root root 4096 Nov 6 06:26 43a440a2f0c7db42339617adea9f4ad9

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/43a440a2f0c7db42339617adea9f4ad9:
total 20
drwx------. 2 root root 4096 Nov 6 06:26 .
drwx------. 3 root root 4096 Nov 6 06:26 ..
-rw-r--r--. 1 root root 127 Nov 6 06:26 meta.json
-r--------. 1 root root 1632 Nov 6 06:26 private_key.json
-rw-r--r--. 1 root root 79 Nov 6 06:26 regr.json

/etc/letsencrypt/archive:
total 24
drwxr-xr-x. 6 root root 4096 Nov 15 16:46 .
drwxr-xr-x. 9 root root 4096 Dec 1 17:12 ..
drw-r--r--. 2 root root 4096 Nov 6 06:29 live.rollingstone.ai
drw-r--r--. 2 root root 4096 Sep 10 06:24 pma.rollingstone.ai
drw-r--r--. 2 root root 4096 Sep 10 06:23 rollingstone.ai
drw-r--r--. 2 root root 4096 Sep 10 12:30 stagging.rollingstone.ai

/etc/letsencrypt/archive/live.rollingstone.ai:
total 28
drw-r--r--. 2 root root 4096 Nov 6 06:29 .
drwxr-xr-x. 6 root root 4096 Nov 15 16:46 ..
-rw-r--r--. 1 root root 1858 Nov 6 05:43 cert1.pem
-rw-r--r--. 1 root root 3749 Nov 6 05:43 chain1.pem
-rw-r--r--. 1 root root 5607 Nov 6 05:07 fullchain1.pem
-rw-r--r--. 1 root root 1704 Nov 6 05:07 privkey1.pem

/etc/letsencrypt/archive/pma.rollingstone.ai:
total 28
drw-r--r--. 2 root root 4096 Sep 10 06:24 .
drwxr-xr-x. 6 root root 4096 Nov 15 16:46 ..
-rw-r--r--. 1 root root 1854 Sep 10 06:24 cert1.pem
-rw-r--r--. 1 root root 3749 Sep 10 06:24 chain1.pem
-rw-r--r--. 1 root root 5603 Sep 10 06:24 fullchain1.pem
-rw-r--r--. 1 root root 1708 Sep 10 06:24 privkey1.pem

/etc/letsencrypt/archive/rollingstone.ai:
total 28
drw-r--r--. 2 root root 4096 Sep 10 06:23 .
drwxr-xr-x. 6 root root 4096 Nov 15 16:46 ..
-rw-r--r--. 1 root root 1870 Sep 10 06:23 cert1.pem
-rw-r--r--. 1 root root 3749 Sep 10 06:23 chain1.pem
-rw-r--r--. 1 root root 5619 Sep 10 06:23 fullchain1.pem
-rw-r--r--. 1 root root 1704 Sep 10 06:23 privkey1.pem

/etc/letsencrypt/archive/stagging.rollingstone.ai:
total 28
drw-r--r--. 2 root root 4096 Sep 10 12:30 .
drwxr-xr-x. 6 root root 4096 Nov 15 16:46 ..
-rw-r--r--. 1 root root 1870 Sep 10 12:30 cert1.pem
-rw-r--r--. 1 root root 3749 Sep 10 12:30 chain1.pem
-rw-r--r--. 1 root root 5619 Sep 10 12:30 fullchain1.pem
-rw-r--r--. 1 root root 1708 Sep 10 12:30 privkey1.pem

/etc/letsencrypt/csr:
total 12
drwxr-xr-x. 2 rsadmini rsadmini 4096 Nov 6 06:23 .
drwxr-xr-x. 9 root root 4096 Dec 1 17:12 ..
-rw-r--r--. 1 rsadmini rsadmini 932 Nov 6 06:23 0000_csr-certbot.pem

/etc/letsencrypt/keys:
total 12
drwx------. 2 rsadmini rsadmini 4096 Nov 6 06:23 .
drwxr-xr-x. 9 root root 4096 Dec 1 17:12 ..
-rw-------. 1 rsadmini rsadmini 1704 Nov 6 06:23 0000_key-certbot.pem

/etc/letsencrypt/live:
total 24
drwxr-xr-x. 6 root root 4096 Nov 15 16:51 .
drwxr-xr-x. 9 root root 4096 Dec 1 17:12 ..
drwxrwxrwx. 2 root root 4096 Nov 6 06:32 live.rollingstone.ai
drwxrwxrwx. 2 root root 4096 Nov 15 17:04 pma.rollingstone.ai
drwxrwxrwx. 2 root root 4096 Nov 15 17:03 rollingstone.ai
drwxrwxrwx. 2 root root 4096 Nov 15 17:06 stagging.rollingstone.ai

/etc/letsencrypt/live/live.rollingstone.ai:
total 12
drwxrwxrwx. 2 root root 4096 Nov 6 06:32 .
drwxr-xr-x. 6 root root 4096 Nov 15 16:51 ..
lrwxrwxrwx. 1 root root 55 Nov 6 06:31 cert.pem -> /etc/letsencrypt/archive/live.rollingstone.ai/cert1.pem
lrwxrwxrwx. 1 root root 56 Nov 6 06:31 chain.pem -> /etc/letsencrypt/archive/live.rollingstone.ai/chain1.pem
lrwxrwxrwx. 1 root root 60 Nov 6 06:31 fullchain.pem -> /etc/letsencrypt/archive/live.rollingstone.ai/fullchain1.pem
lrwxrwxrwx. 1 root root 58 Nov 6 06:32 privkey.pem -> /etc/letsencrypt/archive/live.rollingstone.ai/privkey1.pem

/etc/letsencrypt/live/pma.rollingstone.ai:
total 8
drwxrwxrwx. 2 root root 4096 Nov 15 17:04 .
drwxr-xr-x. 6 root root 4096 Nov 15 16:51 ..
lrwxrwxrwx. 1 root root 54 Nov 15 17:04 cert.pem -> /etc/letsencrypt/archive/pma.rollingstone.ai/cert1.pem
lrwxrwxrwx. 1 root root 55 Nov 15 17:04 chain.pem -> /etc/letsencrypt/archive/pma.rollingstone.ai/chain1.pem
lrwxrwxrwx. 1 root root 59 Nov 15 17:04 fullchain.pem -> /etc/letsencrypt/archive/pma.rollingstone.ai/fullchain1.pem
lrwxrwxrwx. 1 root root 57 Nov 15 17:04 privkey.pem -> /etc/letsencrypt/archive/pma.rollingstone.ai/privkey1.pem

/etc/letsencrypt/live/rollingstone.ai:
total 8
drwxrwxrwx. 2 root root 4096 Nov 15 17:03 .
drwxr-xr-x. 6 root root 4096 Nov 15 16:51 ..
lrwxrwxrwx. 1 root root 50 Nov 15 17:00 cert.pem -> /etc/letsencrypt/archive/rollingstone.ai/cert1.pem
lrwxrwxrwx. 1 root root 51 Nov 15 17:01 chain.pem -> /etc/letsencrypt/archive/rollingstone.ai/chain1.pem
lrwxrwxrwx. 1 root root 55 Nov 15 17:02 fullchain.pem -> /etc/letsencrypt/archive/rollingstone.ai/fullchain1.pem
lrwxrwxrwx. 1 root root 53 Nov 15 17:03 privkey.pem -> /etc/letsencrypt/archive/rollingstone.ai/privkey1.pem

/etc/letsencrypt/live/stagging.rollingstone.ai:
total 20
drwxrwxrwx. 2 root root 4096 Nov 15 17:06 .
drwxr-xr-x. 6 root root 4096 Nov 15 16:51 ..
lrwxrwxrwx. 1 root root 59 Nov 15 17:06 cert.pem -> /etc/letsencrypt/archive/stagging.rollingstone.ai/cert1.pem
lrwxrwxrwx. 1 root root 60 Nov 15 17:06 chain.pem -> /etc/letsencrypt/archive/stagging.rollingstone.ai/chain1.pem
lrwxrwxrwx. 1 root root 64 Nov 15 17:06 fullchain.pem -> /etc/letsencrypt/archive/stagging.rollingstone.ai/fullchain1.pem
lrwxrwxrwx. 1 root root 62 Nov 15 17:06 privkey.pem -> /etc/letsencrypt/archive/stagging.rollingstone.ai/privkey1.pem

/etc/letsencrypt/renewal:
total 24
drwxr-xr-x. 2 rsadmini rsadmini 4096 Nov 15 16:46 .
drwxr-xr-x. 9 root root 4096 Dec 1 17:12 ..
-rw-r--r--. 1 rsadmini rsadmini 592 Nov 6 05:46 live.rollingstone.ai.conf
-rw-r--r--. 1 root root 587 Sep 10 06:24 pma.rollingstone.ai.conf
-rw-r--r--. 1 root root 567 Sep 10 06:23 rollingstone.ai.conf
-rw-r--r--. 1 root root 612 Sep 10 12:30 stagging.rollingstone.ai.conf

/etc/letsencrypt/renewal-hooks:
total 20
drwxr-xr-x. 5 root root 4096 Nov 6 05:39 .
drwxr-xr-x. 9 root root 4096 Dec 1 17:12 ..
drwxr-xr-x. 2 root root 4096 Nov 6 05:39 deploy
drwxr-xr-x. 2 root root 4096 Nov 6 05:39 post
drwxr-xr-x. 2 root root 4096 Nov 6 05:39 pre

/etc/letsencrypt/renewal-hooks/deploy:
total 8
drwxr-xr-x. 2 root root 4096 Nov 6 05:39 .
drwxr-xr-x. 5 root root 4096 Nov 6 05:39 ..

/etc/letsencrypt/renewal-hooks/post:
total 8
drwxr-xr-x. 2 root root 4096 Nov 6 05:39 .
drwxr-xr-x. 5 root root 4096 Nov 6 05:39 ..

/etc/letsencrypt/renewal-hooks/pre:
total 8
drwxr-xr-x. 2 root root 4096 Nov 6 05:39 .
drwxr-xr-x. 5 root root 4096 Nov 6 05:39 ..

2 Likes
4

Thanks! Looking good.

Run this to correct the ownership of the certbot data:

sudo chown -hR root:root /etc/letsencrypt

What are the outputs of:

sudo cat /etc/letsencrypt/cli.ini
sudo cat /etc/letsencrypt/renewal/live.rollingstone.ai.conf
sudo cat /etc/letsencrypt/renewal/pma.rollingstone.ai.conf
sudo cat /etc/letsencrypt/renewal/rollingstone.ai.conf
sudo cat /etc/letsencrypt/renewal/stagging.rollingstone.ai.conf

Please put 3 backticks above and below each output, like this:

```
output
```

2 Likes
6

sudo cat /etc/letsencrypt/cli.ini

preconfigured-renewal = True

[rsadmini@live ~]$ sudo cat /etc/letsencrypt/renewal/live.rollingstone.ai.conf

renew_before_expiry = 30 days

version = 1.11.0

archive_dir = /etc/letsencrypt/archive/live.rollingstone.ai

cert = /etc/letsencrypt/live/live.rollingstone.ai/cert.pem

privkey = /etc/letsencrypt/live/live.rollingstone.ai/privkey.pem

chain = /etc/letsencrypt/live/live.rollingstone.ai/chain.pem

fullchain = /etc/letsencrypt/live/live.rollingstone.ai/fullchain.pem

Options used in the renewal process

[renewalparams]

authenticator = nginx

installer = nginx

account = a858702fa5a31120a6e4560f1e1ceb93

manual_public_ip_logging_ok = None

server = https://acme-v02.api.letsencrypt.org/directory

[rsadmini@live ~]$ sudo cat /etc/letsencrypt/renewal/pma.rollingstone.ai.conf

renew_before_expiry = 30 days

version = 1.11.0

archive_dir = /etc/letsencrypt/archive/pma.rollingstone.ai

cert = /etc/letsencrypt/live/pma.rollingstone.ai/cert.pem

privkey = /etc/letsencrypt/live/pma.rollingstone.ai/privkey.pem

chain = /etc/letsencrypt/live/pma.rollingstone.ai/chain.pem

fullchain = /etc/letsencrypt/live/pma.rollingstone.ai/fullchain.pem

Options used in the renewal process

[renewalparams]

authenticator = nginx

installer = nginx

account = 6893b220661cd7685680280a26f1a89b

manual_public_ip_logging_ok = None

server = https://acme-v02.api.letsencrypt.org/directory

[rsadmini@live ~]$ sudo cat /etc/letsencrypt/renewal/rollingstone.ai.conf

renew_before_expiry = 30 days

version = 1.11.0

archive_dir = /etc/letsencrypt/archive/rollingstone.ai

cert = /etc/letsencrypt/live/rollingstone.ai/cert.pem

privkey = /etc/letsencrypt/live/rollingstone.ai/privkey.pem

chain = /etc/letsencrypt/live/rollingstone.ai/chain.pem

fullchain = /etc/letsencrypt/live/rollingstone.ai/fullchain.pem

Options used in the renewal process

[renewalparams]

authenticator = nginx

installer = nginx

account = 6893b220661cd7685680280a26f1a89b

manual_public_ip_logging_ok = None

server = https://acme-v02.api.letsencrypt.org/directory

[rsadmini@live ~]$ sudo cat /etc/letsencrypt/renewal/stagging.rollingstone.ai.conf

renew_before_expiry = 30 days

version = 1.11.0

archive_dir = /etc/letsencrypt/archive/stagging.rollingstone.ai

cert = /etc/letsencrypt/live/stagging.rollingstone.ai/cert.pem

privkey = /etc/letsencrypt/live/stagging.rollingstone.ai/privkey.pem

chain = /etc/letsencrypt/live/stagging.rollingstone.ai/chain.pem

fullchain = /etc/letsencrypt/live/stagging.rollingstone.ai/fullchain.pem

Options used in the renewal process

[renewalparams]

authenticator = nginx

installer = nginx

account = 6893b220661cd7685680280a26f1a89b

manual_public_ip_logging_ok = None

server = https://acme-v02.api.letsencrypt.org/directory

2 Likes
7

In all four renewal configuration files, change the account line to this:

account = 43a440a2f0c7db42339617adea9f4ad9

then show the output of this:

sudo certbot renew --dry-run
2 Likes
8

it got fixed when I run sudo certbot --force-renewal -d rollingstone.ai,www.rollingstone.ai,stagging.rollingstone.ai,pma.rollingstone.ai without changing the account

2 Likes
9

That makes little to no sense, but I'm glad you got it fixed. :slightly_smiling_face:

@_az

Did I miss something here?

Update: I may have figured it out.

2 Likes
10

Yeah, without changing the account number it seems the dry run was successfully, its bit weird why without force-renewal it got error
sudo certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/live.rollingstone.ai.conf

Simulating renewal of an existing certificate for live.rollingstone.ai

Processing /etc/letsencrypt/renewal/pma.rollingstone.ai.conf

Simulating renewal of an existing certificate for pma.rollingstone.ai

Processing /etc/letsencrypt/renewal/rollingstone.ai.conf

Simulating renewal of an existing certificate for rollingstone.ai and www.rollingstone.ai

Processing /etc/letsencrypt/renewal/stagging.rollingstone.ai.conf

Simulating renewal of an existing certificate for stagging.rollingstone.ai

Congratulations, all simulated renewals succeeded:

/etc/letsencrypt/live/live.rollingstone.ai/fullchain.pem (success)

/etc/letsencrypt/live/pma.rollingstone.ai/fullchain.pem (success)

/etc/letsencrypt/live/rollingstone.ai/fullchain.pem (success)

/etc/letsencrypt/live/stagging.rollingstone.ai/fullchain.pem (success)

1 Like
11

That's why I pinged a certbot developer. Some things happened here that just don't add up on the surface. I'm wondering what underlying logic might have caused the outdated content in the renewal files to either be updated or ignored.

2 Likes
12

That will generate a single certificate covering all of those domain names, but won't fix any of the existing, broken certificate lineages other than possibly one of them that already covered all of those domain names. Of course a new certificate (or an existing, working one) will use the current, functioning ACME credentials. I think the dry runs all succeeded because the current ACME staging credentials are functional.

What's the output of:

sudo certbot certificates

2 Likes
13

Actually this is not the server where the certs was initially registered, we migrated the certs from a server to current server

2 Likes
14

This is the first thing that popped into my head as I was reading through this thread.

Splicing files together across multiple Certbot installations is tricky to get right. At least, I assume that's what happened here.

I think this worked because the verb here is certbot [run], not certbot renew.

certbot run ignores all existing renewal parameters, including the previous account ID. So Certbot just replaced the certificate with a new one, using whatever ACME account was available.

certbot renew on the other hand, respects existing renewal parameters, and would error out when it couldn't find a matching account.

3 Likes
15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.