I've totally screwed up my Nextcloud certs...Is it possible to manually remove all Letsencrypt certs and begin anew?

I'm running NextcloudPI and an update last week messed some stuff up. Trying to fix it, I made things way worse. I'd now just like to totally clear out all Letsencrypt certs and get a new one. I know I can do this by totally reinstalling the whole Nextcloud server, but I'd like to know whether it's possible to just reinitialize letsencrypt?

Could I just delete /etc/letsencrypt and try to get a new cert?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: n.trey.nyc

I ran this command: sudo certbot renew --dry-run

It produced this output:


Processing /etc/letsencrypt/renewal/n.trey.nyc.conf


Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 68, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 463, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/n.trey.nyc/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/n.trey.nyc.conf is broken. Skipping.


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

No renewals were attempted.

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/n.trey.nyc.conf (parsefail)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


0 renew failure(s), 1 parse failure(s)

My web server is (include version):
Server version: Apache/2.4.38 (Debian)
Server built: 2021-06-10T10:13:06

The operating system my web server runs on is (include version):
Debian GNU/Linux 10 (buster) x86_64

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

1 Like

In short, yes.

It would be like you had just installed Certbot. Make sure to use --dry-run when creating your new cert until you prove it works. You have already issued a few this past week and you want to avoid hitting the 5 certs/week rate limit.
https://crt.sh/?q=+n.trey.nyc

After deleting the letsencrypt folders the first new cert will create a new account key and so on. This often is not an issue and you would likely know if it would be for you.

Presumably your server conf is already set up, so you could use certonly to request the next cert.

2 Likes
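As an added illustration of the advice above (this is not code from the thread or from Certbot), the shell functions below first reproduce the check Certbot's `_check_symlinks` failed on, then move `/etc/letsencrypt` aside after archiving it rather than deleting it, so the old account key and private keys stay recoverable while the next `certbot` run starts from a clean state. Paths, domain names and the backup location are assumptions; the actual re-issue is still the `certbot certonly ... --dry-run` command discussed in the thread, run afterwards.

```shell
#!/bin/sh
# Added example, not part of the thread: inspect a Certbot config dir for the
# broken-symlink condition Certbot reported, and move the directory aside
# (after archiving it) instead of deleting it outright.

# check_live_symlinks DIR DOMAIN
# Returns 0 when every file in DIR/live/DOMAIN is a symlink that resolves to
# an existing file under DIR/archive/DOMAIN, 1 otherwise. Certbot keeps the
# real files in archive/ and only symlinks in live/; a regular file in live/
# produces the "expected ... to be a symlink" error seen above.
check_live_symlinks() {
    dir=$1; domain=$2; rc=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        p="$dir/live/$domain/$f"
        if [ ! -L "$p" ]; then
            echo "BROKEN: $p is not a symlink" >&2; rc=1
        elif [ ! -e "$p" ]; then
            echo "BROKEN: $p is a dangling symlink" >&2; rc=1
        else
            target=$(readlink "$p")
            case "$target" in
                *archive/"$domain"/*) ;;   # relative ../../archive/... or absolute
                *) echo "BROKEN: $p points outside archive/: $target" >&2; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# reset_letsencrypt DIR BACKUP_DIR
# Archives DIR into BACKUP_DIR/letsencrypt-<timestamp>.tar.gz (mode 600, since
# it contains private keys), then renames DIR to DIR.broken-<timestamp> and
# prints the new name. A following `certbot` run then behaves like a fresh
# install, as the reply above describes: new account key, new certificates.
reset_letsencrypt() {
    dir=$1; backup=$2
    stamp=$(date +%Y%m%d%H%M%S)
    mkdir -p "$backup" || return 1
    archive="$backup/letsencrypt-$stamp.tar.gz"
    tar -czf "$archive" -C "$(dirname "$dir")" "$(basename "$dir")" || return 1
    chmod 600 "$archive"
    mv "$dir" "$dir.broken-$stamp" || return 1
    echo "$dir.broken-$stamp"
}

# Typical use on the host (assumed paths):
#   check_live_symlinks /etc/letsencrypt n.trey.nyc || \
#       sudo sh -c '. ./reset.sh; reset_letsencrypt /etc/letsencrypt /root/le-backup'
#   then: sudo certbot certonly --webroot -w <DocumentRoot> -d n.trey.nyc --dry-run
```

Keeping the renamed directory around costs nothing and answers the "did I just lose a key I needed" question later; once the new certificate is issued and verified, the `.broken-*` copy and the tarball can be removed.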

Wow thanks for the quick answer!

I ran

sudo certbot certonly --standalone --preferred-challenges http -d n.trey.nyc --dry-run

and got this output:

sudo certbot certonly --standalone --preferred-challenges http -d n.trey.nyc --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): xxx


Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-staging-v02.api.letsencrypt.org/directory


(A)gree/(C)ancel: A
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for n.trey.nyc
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

IMPORTANT NOTES:

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

How's that look to you?

2 Likes

It failed. The --standalone option is for when you do not have a web server. You have Apache.

You could re-try the command you originally used. If you had not damaged your server conf it should be fine. It was probably something like
sudo certbot --apache

The certonly alternative would look more like this:
sudo certbot certonly --webroot -w XXX -d n.trey.nyc
Where XXX should be the DocumentRoot from Apache conf.
As noted, it won't touch your Apache conf if that is not needed.

2 Likes
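To make the "XXX should be the DocumentRoot" step concrete, here is an added example (not from the thread or from Certbot) that reads the DocumentRoot for a name out of Apache's vhost files and then confirms a file dropped under `.well-known/acme-challenge` in that directory is actually writable, which is the usual reason a `--webroot` attempt fails before any HTTP request is made. The conf directory (`/etc/apache2/sites-enabled` on Debian), the domain names and the vhost layout in the test are assumptions; NextcloudPi's own vhost file is not shown on the page.

```shell
#!/bin/sh
# Added example, not part of the thread: locate the Apache DocumentRoot for a
# domain and verify the ACME challenge path under it can be written.

# apache_docroot CONF_DIR DOMAIN
# Prints the DocumentRoot of the first <VirtualHost> block in CONF_DIR/*.conf
# whose ServerName or ServerAlias equals DOMAIN; returns 1 if none matches.
# Assumes the common one-directive-per-line layout and a bare host name
# (a "ServerName host:port" form is not matched).
apache_docroot() {
    conf_dir=$1; domain=$2
    cat "$conf_dir"/*.conf 2>/dev/null | awk -v d="$domain" '
        /^[[:space:]]*<VirtualHost/ { inv=1; hit=0; root="" }
        inv && /^[[:space:]]*Server(Name|Alias)([[:space:]]|$)/ {
            for (i = 2; i <= NF; i++) if ($i == d) hit = 1
        }
        inv && /^[[:space:]]*DocumentRoot[[:space:]]/ { root = $2; gsub(/"/, "", root) }
        /^[[:space:]]*<\/VirtualHost>/ {
            if (inv && hit && root != "") { print root; found = 1; exit }
            inv = 0
        }
        END { exit found ? 0 : 1 }
    '
}

# acme_challenge_probe DOCROOT
# Creates DOCROOT/.well-known/acme-challenge, writes a constructed probe file
# there and prints the URL path a validator would request for it. Returns 1
# if the directory cannot be created or written. Fetching that path over
# plain HTTP from outside is the remaining check before dropping --dry-run.
acme_challenge_probe() {
    docroot=$1
    d="$docroot/.well-known/acme-challenge"
    mkdir -p "$d" || return 1
    token="probe-$(date +%s)"          # constructed marker, not a real ACME token
    printf 'ok\n' > "$d/$token" || return 1
    echo "/.well-known/acme-challenge/$token"
}

# certbot_webroot_cmd CONF_DIR DOMAIN
# Prints the certonly invocation from the reply above with the discovered
# DocumentRoot filled in, always with --dry-run so the rate limit is not spent.
certbot_webroot_cmd() {
    root=$(apache_docroot "$1" "$2") || return 1
    echo "sudo certbot certonly --webroot -w \"$root\" -d $2 --dry-run"
}

# Typical use on the host (assumed paths):
#   certbot_webroot_cmd /etc/apache2/sites-enabled n.trey.nyc
#   acme_challenge_probe "$(apache_docroot /etc/apache2/sites-enabled n.trey.nyc)"
```

The probe file can be removed once the issuance succeeds; the `.well-known/acme-challenge` directory itself is harmless to leave in place and is what Certbot writes into on every renewal.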

This worked, thanks for the help. 🙂

3 Likes

Terrific!

2 Likes
