Live directory exists for

Hello.
When updating certificates An error appears (if I understood it correctly, then before updating, you must delete the mail.test.com.ua directory of the same name from the folder: /etc/letsencrypt/live/, or did I misunderstand ?:

certbot certonly --standalone --force-renewal --preferred-chain "ISRG Root X1"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): mail.test.com.ua
Attempting to parse the version 1.26.0 renewal configuration file found at /etc/letsencrypt/renewal/mail.test.com.ua-0001.conf with version 1.11.0 of Certbot. This might not work.
Requesting a certificate for mail.test.com.ua
live directory exists for mail.test.com.ua

Directory output:

[root@mail ~]# ls -alR /etc/letsencrypt/{archive,live,renewal}
/etc/letsencrypt/archive:
total 16
drwx------. 4 root root 4096 May 7 09:38 .
drwxr-xr-x. 9 root root 4096 May 8 07:25 ..
drwxr-xr-x 2 root root 4096 Feb 5 13:23 mail.test.com.ua-0001
drwxr-xr-x. 2 root root 4096 Apr 17 2022 mail.test.com.ua-0002

/etc/letsencrypt/archive/mail.test.com.ua-0001:
total 24
drwxr-xr-x 2 root root 4096 Feb 5 13:23 .
drwx------. 4 root root 4096 May 7 09:38 ..
-rw-r--r-- 1 root root 1952 Feb 5 13:23 cert1.pem
-rw-r--r-- 1 root root 1826 Feb 5 13:23 chain1.pem
-rw-r--r-- 1 root root 3778 Feb 5 13:23 fullchain1.pem
-rw------- 1 root root 1704 Feb 5 13:23 privkey1.pem

/etc/letsencrypt/archive/mail.test.com.ua-0002:
total 40
drwxr-xr-x. 2 root root 4096 Apr 17 2022 .
drwx------. 4 root root 4096 May 7 09:38 ..
-rw-r--r--. 1 root root 1850 Apr 16 2022 cert1.pem
-rw-r--r-- 1 root root 1980 Apr 17 2022 cert2.pem
-rw-r--r--. 1 root root 1826 Apr 16 2022 chain1.pem
-rw-r--r-- 1 root root 1826 Apr 17 2022 chain2.pem
-rw-r--r--. 1 root root 3676 Apr 16 2022 fullchain1.pem
-rw-r--r-- 1 root root 3806 Apr 17 2022 fullchain2.pem
-rw-------. 1 root root 1704 Apr 16 2022 privkey1.pem
-rw------- 1 root root 1704 Apr 17 2022 privkey2.pem

/etc/letsencrypt/live:
total 16
drwx------. 3 zimbra zimbra 4096 May 8 07:26 .
drwxr-xr-x. 9 root root 4096 May 8 07:25 ..
drwxr-xr-x 2 root root 4096 Feb 5 13:23 mail.test.com.ua
-rw-r--r--. 1 root root 740 Apr 16 2022 README

/etc/letsencrypt/live/mail.test.com.ua:
total 12
drwxr-xr-x 2 root root 4096 Feb 5 13:23 .
drwx------. 3 zimbra zimbra 4096 May 8 07:26 ..
lrwxrwxrwx 1 root root 47 Feb 5 13:23 cert.pem -> ../../archive/mail.test.com.ua-0001/cert1.pem
lrwxrwxrwx 1 root root 48 Feb 5 13:23 chain.pem -> ../../archive/mail.test.com.ua-0001/chain1.pem
lrwxrwxrwx 1 root root 52 Feb 5 13:23 fullchain.pem -> ../../archive/mail.test.com.ua-0001/fullchain1.pem
lrwxrwxrwx 1 root root 50 Feb 5 13:23 privkey.pem -> ../../archive/mail.test.com.ua-0001/privkey1.pem
-rw-r--r-- 1 root root 692 Feb 5 13:23 README

/etc/letsencrypt/renewal:
total 16
drwxr-xr-x. 2 root root 4096 May 8 07:23 .
drwxr-xr-x. 9 root root 4096 May 8 07:25 ..
-rw-r--r-- 1 root root 605 Feb 5 13:23 mail.test.com.ua-0001.conf
-rw-r--r-- 1 root root 0 May 8 07:23 mail.test.com.ua.conf
-rw-r--r-- 1 root root 580 Apr 17 2022 mail.test.com.ua.conf1

Why are you using this force?

It likely explains why I see:

What shows?:
certbot certificates

You should never had to manually delete anything with the /etc/letsencrypt/ folder.

I don't see the "delete" request in your Certbot output anywhere?

--force-renewal I use because I already have certificates, but their term has expired, this is not true?

Conclusion:
[root@mail ~]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/mail.test.com.ua-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/mail.test.com.ua-0001/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/mail.test.com.ua.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.

"You should never had to manually delete anything with the /etc/letsencrypt/ folder"
I was given the equipment and I only faced this issue, now it is necessary to extend the certificate, and then calmly study)

No, absolutely not. Please read the documentation of any command before actually using it, so you understand what it actually does.

--force-renewal is NOT necessary for regular renewals (i.e.: the certificate is due for renewal because it's within 30 days of expiry or has already expired). Only in VERY STRICT situations this option could be necessary.

Note that the --force-renewal option does NOT magically make any error which might prevent renewal disappear.

Please show:
ls -l /etc/letsencrypt/live/
ls -l /etc/letsencrypt/live/mail.test.com.ua-0001/

[root@mail ~]# ls -l /etc/letsencrypt/live/
total 8
drwxr-xr-x 2 root root 4096 Feb 5 13:23 mail.test.com.ua
-rw-r--r--. 1 root root 740 Apr 16 2022 README

I have no directory /etc/letsencrypt/live/mail.test.com.ua-0001/

[root@mail ~]# ls -l /etc/letsencrypt/live/mail.test.com.ua/
total 4
lrwxrwxrwx 1 root root 47 Feb 5 13:23 cert.pem -> ../../archive/mail.test.com.ua-0001/cert1.pem
lrwxrwxrwx 1 root root 48 Feb 5 13:23 chain.pem -> ../../archive/mail.test.com.ua-0001/chain1.pem
lrwxrwxrwx 1 root root 52 Feb 5 13:23 fullchain.pem -> ../../archive/mail.test.com.ua-0001/fullchain1.pem
lrwxrwxrwx 1 root root 50 Feb 5 13:23 privkey.pem -> ../../archive/mail.test.com.ua-0001/privkey1.pem
-rw-r--r-- 1 root root 692 Feb 5 13:23 README

This is bad.

I would backup the entire /etc/letsencrypt/ folder.
Then I'd try to remove the broken parts [like: /live/ and /archive/] and then reissue the cert.

Do you propose to completely clean the /live/ and /archive/ folders?

[Osiris] I wrote that this team is incorrect in my case, how can I write correctly?
certbot certonly --standalone --force-renewal --preferred-chain "ISRG Root X1"

Thanks for the help!

Yes, after backing them up.
[and don't restart the web service until you have obtained the new cert]

Don't include:

And use the staging environment for all testing: --dry-run

That is, my team will look like this?
certbot certonly --standalone --dry-run --preferred-chain "ISRG Root X1"

That is a good start.

I renamed the configuration file: "/etc/letsencrypt/renewal/mail.test.com.ua.conf" , before that it was called: mail.test.com.ua1.conf and after that the output of the command was successful.

[root@mail ~]# certbot certonly --standalone --dry-run --preferred-chain "ISRG Root X1"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): mail.test.com.ua.conf

An RSA certificate named mail.test.com.ua.conf already exists. Do you want to
update its key type to ECDSA?

(U)pdate key type/(K)eep existing key type: u
Simulating renewal of an existing certificate for mail.seebet.com.ua and 3 more domains
The dry run was successful.

If I understand correctly, now I can run the same command, without the prefix --dry-run ?

here in this form: certbot certonly --standalone --preferred-chain "ISRG Root X1" ?

Although I see in the certificate renewal instructions that a key can be used: --force-renewal

Well, that's a first for me!
It might have been only temporary.
Please try again.

There was a 5 minute window earlier today when the staging RVAs were broken (independent of the current performance issues). --dry-run hits staging in certbot.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.