Issue w/ creating a new certbot certificate

Got the standard message that I needed to renew my certificate. But under my certificate I had 2 domains, only one of which I still have ownership over. It looked like I couldn’t quickly renew for just one of those 2 domains, so I deleted the certificate. I thought I’d be able to easily create a new cert using the same command as when I first created the initial one following these instructions, but have been getting errors.

My domain is: childcarecheck.info

I ran this command:
sudo certbot --nginx

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/childcarecheck.info/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/childcarecheck.info/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file) nginx: configuration file /etc/nginx/nginx.conf test failed

The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] BIO_new_file("/etc/letsencrypt/live/childcarecheck.info/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(\'/etc/letsencrypt/live/childcarecheck.info/fullchain.pem\',\'r\') error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n',)

My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu 16.04

My hosting provider, if applicable, is:
Amazon Lightsail

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

1 Like

Does that file exist?

Can you better detail how that was done and which cert was deleted?

1 Like

I can’t seem to cd into live repo to check if the file exists. I get an error message, -bash: cd: live: Permission denied
When I ran sudo cd live, I got, sudo: cd: command not found

I ran sudo certbot certificates to find that there was one active certificate. And then I ran sudo certbot delete & it informed me that it had deleted all files relating to certificate childcarecheck.info (which had the both domains listed under it).

You have deleted a certificate that was still being used by nginx. This has resulted in your nginx configuration becoming invalid. As a result, certbot --nginx can’t do it’s job anymore.

The most straightforward way out of here: you can modify your nginx configuration by hand, so that it no longer references /etc/letsencrypt/live/childcarecheck.info/. If necessary, you can generate a self-signed certificate and use that temporarily, in order to make your webserver configuration valid. You can check if it’s valid with sudo nginx -t.

1 Like

Hi @hanndull,

I think your underlying difficulty here has to do with deleting this certificate. Certbot (when run with --nginx) will modify your nginx configuration to add references to new certificates, but it won’t modify the nginx configuration to remove these references, even if you ask Certbot to delete the certificate. (There is a certbot revert command that undoes Certbot’s changes to your web server configuration, but we haven’t emphasized it very much in the last couple of years; it has the difficulty that it restores a backed-up copy of that configuration, which would overwrite your own changes to the configuration files in question, if there were any.)

You will probably have to manually edit your nginx configuration to remove Certbot’s changes to it. If you don’t know how to do this, but you could show us the configuration, we could advise you about that.

The other difficulties you encountered later on have to do with sudo and its proper use.

Basically, you can never sudo cd because sudo can only run external commands as root, but cd is a shell built-in command and doesn’t exist anywhere on disk. This all has to do with the Unix process model, where a particular process is run as a particular user.

If you do want a shell that runs as root, so that you can cd into directories that a regular user can’t access, you can get it with sudo -s. (Be careful with that because then all of the commands you run inside of that shell will be run as root!)

I don’t recall making any changes to the configuration myself. Would you recommend going ahead and try running, certbot revert?
If so, I haven’t found anything about it through the help command – are there any add’l arguments needed? (I did see rollback which looks like it might do something sort of similar)

I ran the following nginx config syntax test, sudo nginx -t, and got this output that it had failed:
nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/childcarecheck.info/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/childcarecheck.info/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file) nginx: configuration file /etc/nginx/nginx.conf test failed

I'm sorry, I think it's been so long since I've used that command that I may have misremembered the name (!).

Could you show us the contents of /etc/nginx/nginx.conf?

or maybe sudo grep -r /etc/letsencrypt/live /etc/nginx would be more useful :slight_smile:

or maybe sudo grep -r /etc/letsencrypt/live /etc/nginx would be more useful

This returned:
/etc/nginx/sites-enabled/child-care-licensing-violations.conf: ssl_certificate /etc/letsencrypt/live/childcarecheck.info/fullchain.pem; # managed by Certbot /etc/nginx/sites-enabled/child-care-licensing-violations.conf: ssl_certificate_key /etc/letsencrypt/live/childcarecheck.info/privkey.pem; # managed by Certbot

Thanks! If you edit /etc/nginx/sites-enabled/child-care-licensing-violations.conf with a text editor, you should be able to delete the entire server block (i.e., everything from the opening

server {

up to the closing matching

}

) that contains those two references. Then nginx should be able to start up again.

So I was able to use nano to delete that section as you’d suggested, & then run sudo certbot --nginx successfully.

But now my site is not loading. Conducted a test with ssllabs.com/ssltest/ and it says that the site’s HTTP status code = “Request failed (Too many Redirection)”. Wondering if this might have to do with selecting Make all requests redirect to secure HTTPS access. during the certbot process…

Also, looking back at the certbot certificate creation process, near the beginning (end of this quote), it had said there was a conflcting server name ignored-- not sure if that’s typical:

Which names would you like to activate HTTPS for?


1: childcarecheck.info 2: johnsonh.com


Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1 Obtaining a new certificate Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/child-care-licensing-violations.conf nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored

Nevermind re: my issues of the site not loading. I think the
conflicting server name ""
was due to the empty block
server{ }
that I’d left behind in the config file. When I removed it, the site started working again.

Thanks for all of your help!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.