Impossible to renew certificates, symlink problem, privkey2.pem problem

Please help me out, I've run out of ideas.
My domain is: duet-marriage.ru

I ran this command: sudo certbot renew --force-renewal
(normal renewal doesn't work either)

It produced this output:
Processing /etc/letsencrypt/renewal/duet-marriage.ru-0001.conf


Renewal configuration file /etc/letsencrypt/renewal/duet-marriage.ru-0001.conf is broken.

The error was: expected /etc/letsencrypt/live/duet-marriage.ru-0001/privkey.pem to be a symlink

Skipping.


Processing /etc/letsencrypt/renewal/duet-marriage.ru-0002.conf


Renewal configuration file /etc/letsencrypt/renewal/duet-marriage.ru-0002.conf is broken.

The error was: expected /etc/letsencrypt/live/duet-marriage.ru-0002/cert.pem to be a symlink

Skipping.


Processing /etc/letsencrypt/renewal/duet-marriage.ru-0003.conf


Renewal configuration file /etc/letsencrypt/renewal/duet-marriage.ru-0003.conf is broken.

The error was: expected /etc/letsencrypt/live/duet-marriage.ru-0003/cert.pem to be a symlink

Skipping.


Processing /etc/letsencrypt/renewal/duet-marriage.ru.conf


Renewing an existing certificate for duet-marriage.ru

Failed to renew certificate duet-marriage.ru with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: duet-marriage.ru, retry after 2024-01-21T21:01:21Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/


All renewals failed. The following certificates could not be renewed:

/etc/letsencrypt/live/duet-marriage.ru/fullchain.pem (failure)

Additionally, the following renewal configurations were invalid:

/etc/letsencrypt/renewal/duet-marriage.ru-0001.conf (parsefail)

/etc/letsencrypt/renewal/duet-marriage.ru-0002.conf (parsefail)

/etc/letsencrypt/renewal/duet-marriage.ru-0003.conf (parsefail)


1 renew failure(s), 3 parse failure(s)

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I can login to a root shell on my machine

Welcome @varvara

You must stop using the --force-renewal. This does not fix problems and usually gets you Rate Limited which you are now. But, it also has you getting a fresh cert nearly every day which is very wasteful.

See your cert history with a tool like this (Let's Debug Toolkit)

You also have a damaged list of Certbot cert renewal profiles. We can fix all these problems but first we need to know what domain names you want on your cert. In the past most of your certs have just this one name in them:

duet-marriage.ru

But recently you got one cert with these two

duet-marriage.ru
www.duet-marriage.ru

I assume you want both names but it is essential to know what you want before we proceed.

4 Likes

Thank you!

duet-marriage.ru is enough for me.

What do I do next?

I'd start by removing those files.
Then show:
certbot certificates

2 Likes

here they are:

Found the following certs:
Certificate Name: duet-marriage.ru
Serial Number: 48b1aadcc68d0d96a5c15a48871a0ed2cee
Key Type: ECDSA
Domains: duet-marriage.ru
Expiry Date: 2023-11-22 18:32:52+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/duet-marriage.ru/fullchain.pem
Private Key Path: /etc/letsencrypt/live/duet-marriage.ru/privkey.pem

What shows?:

certbot renew

2 Likes

Also, show this file:
/etc/letsencrypt/renewal/duet-marriage.ru

2 Likes

Duplicate Certificate Limit

Description All issuance requests are subject to a Duplicate Certificate limit of 5 per week. You should receive an error message like the following from your ACME client when you’ve exceeded the Duplicate Certificate limit:

too many certificates (5) already issued for this exact set of domains in the last 168 hours: example.com login.example.com: see Duplicate Certificate Limit - Let's Encrypt

The “exact set” that this error refers to is the set of hostnames requested for this certificate: in this example, example...

Юлька Бирюкова, [Feb 5, 2024 at 11:57:39]:

Renewing an existing certificate for duet-marriage.ru

Failed to renew certificate duet-marriage.ru with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: duet-marriage.ru, retry after 2024-02-06T13:01:04Z: see Duplicate Certificate Limit - Let's Encrypt


All renewals failed. The following certificates could not be renewed:

/etc/letsencrypt/live/duet-marriage.ru/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

root@varyarodio-vps-1:/etc/letsencrypt/renewal# open duet-marriage.ru.conf
/usr/bin/open: 882: www-browser: not found
/usr/bin/open: 882: links2: not found
/usr/bin/open: 882: elinks: not found
/usr/bin/open: 882: links: not found
/usr/bin/open: 882: lynx: not found
/usr/bin/open: 882: w3m: not found
xdg-open: no method available for opening 'duet-marriage.ru.conf'

Show:
cat /etc/letsencrypt/renewal/duet-marriage.ru
ls -l /etc/letsencrypt/live/duet-marriage.ru/

2 Likes

root@varyarodio-vps-1:/etc/letsencrypt/renewal# cat /etc/letsencrypt/renewal/duet-marriage.ru.conf

# renew_before_expiry = 30 days
version = 2.8.0
archive_dir = /etc/letsencrypt/archive/duet-marriage.ru
cert = /etc/letsencrypt/live/duet-marriage.ru/cert.pem
privkey = /etc/letsencrypt/live/duet-marriage.ru/privkey.pem
chain = /etc/letsencrypt/live/duet-marriage.ru/chain.pem
fullchain = /etc/letsencrypt/live/duet-marriage.ru/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 3f8547d2b721c0bfacc4d2959d623b77
authenticator = nginx
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
installer = nginx

root@varyarodio-vps-1:/etc/letsencrypt/live# ls -l /etc/letsencrypt/live/duet-marriage.ru/

total 4
lrwxrwxrwx 1 root root 45 дек 29 06:00 cert.pem -> ../../archive/duet-marriage.ru-0003/cert1.pem
lrwxrwxrwx 1 root root 46 дек 29 06:00 chain.pem -> ../../archive/duet-marriage.ru-0003/chain1.pem
lrwxrwxrwx 1 root root 50 дек 29 06:00 fullchain.pem -> ../../archive/duet-marriage.ru-0003/fullchain1.pem
lrwxrwxrwx 1 root root 48 дек 29 06:00 privkey.pem -> ../../archive/duet-marriage.ru-0003/privkey1.pem
-rw-r--r-- 1 root root 692 авг 24 2023 README

root@varyarodio-vps-1:/etc/letsencrypt/live#

This:

Linking to this:

Is very strange...

What shows?:
ls -l /etc/letsencrypt/archive/

2 Likes

root@varyarodio-vps-1:~# ls -l /etc/letsencrypt/archive/

total 16
drwxr-xr-x 2 root root 4096 дек 29 06:00 duet-marriage.ru
drwxr-xr-x 2 root root 4096 авг 25 2023 duet-marriage.ru-0001
drwxr-xr-x 2 root root 4096 авг 24 2023 duet-marriage.ru-0002
drwxr-xr-x 2 root root 4096 авг 25 2023 duet-marriage.ru-0003

sent the result to you...
what do I do next?
this is killing me

You continue to get a cert nearly every day. Something must still be doing the --force-renewal. Please stop doing that. You are currently rate limited for getting new certs which makes it difficult to help you.

What does this show

sudo certbot certificates

3 Likes

Here u go:


Found the following certs:
Certificate Name: duet-marriage.ru
Serial Number: 48b1aadcc68d0d96a5c15a48871a0ed2cee
Key Type: ECDSA
Domains: duet-marriage.ru
Expiry Date: 2023-11-22 18:32:52+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/duet-marriage.ru/fullchain.pem
Private Key Path: /etc/letsencrypt/live/duet-marriage.ru/privkey.pem

You must have another system that is renewing certificates. You are still getting a new cert almost every day. Do you know where that system is?

Also, please show output of this:

sudo certbot renew --dry-run

and show output of this too

curl -4 https://ifconfig.io

Your recent cert history

1 Like

This "-0003" is a trainwreck:

ls -l /etc/letsencrypt/live/duet-marriage.ru/
cert.pem -> ../../archive/duet-marriage.ru-0003/cert1.pem

That should link to where the cert should be:

Domains: duet-marriage.ru
Expiry Date: 2023-11-22 18:32:52+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/duet-marriage.ru/fullchain.pem
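
The mismatch discussed above (a renewal conf whose archive_dir names one directory while the live/ symlinks resolve into another) can be checked mechanically. The following is an added example, not part of the original thread and not Certbot's own code; the function names and the build_sample helper are hypothetical, and the sample tree it builds is constructed to mirror the `cat` and `ls -l` output posted earlier.

```python
import os
import tempfile

LINEAGE_KEYS = ("cert", "privkey", "chain", "fullchain")

def parse_renewal_conf(path):
    """Return the top-level key = value pairs (everything before the first [section])."""
    values = {}
    with open(path, encoding="utf-8") as fh:
        for line in map(str.strip, fh):
            if line.startswith("["):
                break
            if line and not line.startswith("#") and "=" in line:
                key, _, value = line.partition("=")
                values[key.strip()] = value.strip()
    return values

def check_lineage(conf_path):
    """Return a list of problems; an empty list means the lineage is consistent."""
    conf = parse_renewal_conf(conf_path)
    archive_dir = os.path.realpath(conf["archive_dir"])  # KeyError if the conf lacks it
    problems = []
    for key in LINEAGE_KEYS:
        link = conf.get(key, "")
        target = os.path.realpath(link)
        if not os.path.islink(link):
            problems.append(f"{key}: expected {link or '(unset)'} to be a symlink")
        elif os.path.dirname(target) != archive_dir:
            problems.append(f"{key}: {link} -> {target} is outside {archive_dir}")
        elif not os.path.isfile(target):
            problems.append(f"{key}: {link} -> {target} does not exist")
    return problems

def build_sample(root, linked_archive, name="duet-marriage.ru"):
    """Constructed tree under root: live/ links point into archive/<linked_archive>."""
    live, archive = f"{root}/live/{name}", f"{root}/archive"
    for d in (live, f"{archive}/{name}", f"{archive}/{linked_archive}"):
        os.makedirs(d, exist_ok=True)
    conf_path, lines = f"{root}/{name}.conf", [f"archive_dir = {archive}/{name}"]
    for key in LINEAGE_KEYS:
        open(f"{archive}/{linked_archive}/{key}1.pem", "w").close()
        os.symlink(f"../../archive/{linked_archive}/{key}1.pem", f"{live}/{key}.pem")
        lines.append(f"{key} = {live}/{key}.pem")
    with open(conf_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n[renewalparams]\nauthenticator = nginx\n")
    return conf_path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        print("\n".join(check_lineage(build_sample(root, "duet-marriage.ru-0003"))))
```

On a real host, check_lineage would be pointed at a file under /etc/letsencrypt/renewal/ and run as a user that can read /etc/letsencrypt/live/; it only reads and never modifies the tree.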

First one:

Юлька Бирюкова, [Apr 9, 2024 at 16:52:18]:

root@varyarodio-vps-1:~# sudo certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/duet-marriage.ru.conf


Account registered.

Simulating renewal of an existing certificate for duet-marriage.ru


Congratulations, all simulated renewals succeeded:

/etc/letsencrypt/live/duet-marriage.ru/fullchain.pem (success)

Second one:

root@varyarodio-vps-1:~# curl -4 https://ifconfig.io

77.222.53.7