How to completely and correctly create custom Let's Encrypt configs


I use Ansible as the single point of knowledge about my infrastructure, and want to use Certbot.

We already have the certs from Let's Encrypt, but we want to automate the process.

I generate the directories and configs; as an example for templating the playbook I got a working /etc/letsencrypt structure on one server, and:

  1. I made a template for the renewal files; it looks like this:

    renew_before_expiry = 30 days

    version = 0.8.1
    cert = /etc/letsencrypt/live/
    privkey = /etc/letsencrypt/live/
    chain = /etc/letsencrypt/live/
    fullchain = /etc/letsencrypt/live/

    # Options used in the renewal process

    server =
    authenticator = webroot
    installer = None
    account = ##### ACCOUNT ID #########
    webroot_path = /opt/certbot-auto/web,
    [[webroot_map]] = /opt/certbot-auto/web

  2. I create self-signed certs and keys for this domain, for the first run, in:


  3. I create symlinks to the live folder:

    cert_h1_api_domain_cert_bot.pem -> /etc/letsencrypt/archive/
    chain_h1_api_domain_cert_bot.pem -> /etc/letsencrypt/archive/
    fullchain_h1_api_domain_cert_bot.pem -> /etc/letsencrypt/archive/
    privkey_h1_api_domain_cert_bot.pem -> /etc/letsencrypt/archive/

  4. I created an account and other settings as on my current standalone web server without auto-enrolling.

  5. In the next step I try to renew the certs using the configs, but get the error:

    Attempting to renew cert from /etc/letsencrypt/renewal/ produced an unexpected error: max() arg is an empty sequence. Skipping.

How do I create my own configs on first install? How do I automate the registration? What am I doing wrong?

With best regards,

Hi @westsouthnight,

The reason for max() arg is an empty sequence error is that you didn’t follow the naming convention standard the same way that Certbot does. For Certbot, it must be


Both cert.pem and cert1.pem are meaningful names to Certbot’s renewal script and must be used in exactly that form; they cannot be replaced with any other name (like cert_h1_api_domain_cert_bot.pem). If you call them something else, Certbot is unable to realize that this is your cert object (or that its most recently updated version is version 1). The same is true for the other names chain.pem, fullchain.pem, and privkey.pem.

Certbot does allow you to change the string to any other string (as long as the file in conf has a corresponding name), but changing the names of the PEM files within live and archive isn’t allowed.
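
A pre-flight check for the layout described in the answer above, as an added example that is not part of the original thread and is not Certbot's own code. It assumes the standard layout in which each `live/<name>/<kind>.pem` is a symlink to `archive/<name>/<kind>N.pem`; the lineage names `good.example` and `bad.example` and the helper names are constructed for illustration.

```python
import os
import re
import tempfile

KINDS = ("cert", "privkey", "chain", "fullchain")

def check_lineage(config_dir, name):
    """Return a list of layout problems for one lineage under config_dir."""
    problems = []
    live = os.path.join(config_dir, "live", name)
    archive = os.path.join(config_dir, "archive", name)
    for kind in KINDS:
        link = os.path.join(live, kind + ".pem")  # fixed name, e.g. cert.pem
        if not os.path.islink(link):
            problems.append(f"{link}: missing or not a symlink")
            continue
        target = os.path.realpath(link)
        # The archive file must be <kind><version>.pem, e.g. cert1.pem
        versioned = re.fullmatch(rf"{kind}(\d+)\.pem", os.path.basename(target))
        if os.path.dirname(target) != os.path.realpath(archive) or not versioned:
            problems.append(f"{link}: target must be {archive}/{kind}N.pem")
        elif not os.path.isfile(target):
            problems.append(f"{link}: dangling symlink")
    return problems

def build_lineage(config_dir, name, live_fmt="{kind}.pem", arch_fmt="{kind}1.pem"):
    """Create a constructed lineage with placeholder files (fixture only)."""
    live = os.path.join(config_dir, "live", name)
    archive = os.path.join(config_dir, "archive", name)
    os.makedirs(live)
    os.makedirs(archive)
    for kind in KINDS:
        arch_name = arch_fmt.format(kind=kind)
        with open(os.path.join(archive, arch_name), "w") as fh:
            fh.write("placeholder\n")
        os.symlink(os.path.join("..", "..", "archive", name, arch_name),
                   os.path.join(live, live_fmt.format(kind=kind)))

def demo():
    """Compare a conforming lineage with one using the question's file names."""
    custom = "{kind}_h1_api_domain_cert_bot.pem"
    with tempfile.TemporaryDirectory() as root:
        build_lineage(root, "good.example")
        build_lineage(root, "bad.example", live_fmt=custom, arch_fmt=custom)
        return check_lineage(root, "good.example"), check_lineage(root, "bad.example")

if __name__ == "__main__":
    good, bad = demo()
    print("good.example:", good or "OK")
    print("bad.example:", *bad, sep="\n  ")
```

Running `check_lineage("/etc/letsencrypt", "<name>")` from a playbook task after templating the directories catches a misnamed file before `certbot renew` is attempted.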
