Manual Renewal and Email change


I have a Let's Encrypt certificate for my ec2 instance. I have set up auto renewal with

echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew -q" | sudo tee -a /etc/crontab > /dev/null

Which to my understanding renews the certificate at noon and midnight.
How do I verify the renewal, or see how many days are left out of the 90? Also, if the certificate does expire, do I just manually re-do the whole process? Can that be done before it actually expires?

If someone could please verify that the update email command is

certbot update_account --email

incase I need to change it. Sorry for the many questions. Thank you in advance!

You can run sudo certbot certificates to see the current certificates and the days until expiration.

You could do that. Or just run sudo certbot renew? You can do that manually too. It doesn't matter if the certificate is expired.

Yes, Certbot by default won't renew if there's more than 30 days until expiry left. It'll start to renew if 30 days or less are left.

Looks correct.

Also, I've moved your thread to the Help section as it isn't really an Issuance Policy thread IMO.


Thank you for your prompt response and I apologize for putting it in the wrong section. When I ran the sudo certbot certificates I got this is in return

Renewal configuration file /etc/letsencrypt/renewal/ produced an unexpected error: expected /etc/letsencrypt/live/ to be a symlink. Skipping.

The following renewal configurations were invalid:

1 Like

Then someone or something destroyed the /etc/letsencrypt/ directory. One should not manually add/remove/modify or in any other way change the files and directories in that directory.


So what do I do from there? Can I fix it? Do I create a new certificate?

That's a possibility. Are there any subdirectories in /etc/letsencrypt/live/ and /etc/letsencrypt/archive/?

1 Like


Can you please show the output of:

ls -l /etc/letsencrypt/live/ /etc/letsencrypt/archive/

total 20
-rw-r--r--. 1 root root 1484 Jul 28 22:04 cert1.pem
-rw-r--r--. 1 root root 3749 Jul 28 22:04 chain1.pem
-rw-r--r--. 1 root root 5233 Jul 28 22:04 fullchain1.pem
-rw-------. 1 root root 549 Aug 7 12:41 privkey1.pem

total 16
-rw-r--r--. 1 root root 692 Jul 28 22:04 README
lrwxrwxrwx. 1 root root 37 Jul 28 22:04 cert.pem -> ../../archive/
lrwxrwxrwx. 1 root root 38 Jul 28 22:04 chain.pem -> ../../archive/
lrwxrwxrwx. 1 root root 42 Jul 28 22:04 fullchain.pem -> ../../archive/
-rw-------. 1 root root 4575 Jul 28 22:06 keystore.p12
-rw-------. 1 root root 227 Aug 7 12:45 privkey.pem

Maybe because of the private key I tried to make? I needed it for an rds issue that I had.

1 Like

Yes, that should be a symbolic link, not a file. Please do not overwrite any existing files in those directories.

I don't know what that current /etc/letsencrypt/live/ actually is (it's half the size of the privkey1.pem from the /archive/ directory, but if you want to fix your Certbot, you could run:

sudo mv /etc/letsencrypt/live/ /etc/letsencrypt/live/
sudo ln -s ../../archive/ /etc/letsencrypt/live/

Then your Certbot should be fixed.


It asked for a pem passphrase to run sudo certbot certificates?

Enter PEM pass phrase:
An unexpected error occurred:
TypeError: Password was not given but private key is encrypted

I entered what password it would be had I made one and it didn't work.

Well, that's weird. Certbot doesn't encrypt its private keys. Did you also modify stuff in the /etc/letsencrypt/archive/ directory?

Maybe it's just better to start all over again.

Is there anything using the certificate in /etc/letsencrypt/ at all?

If not you could delete the cert using sudo certbot delete --cert-name and start over.


Again, thank you for your time and prompt responses. I deleted the cert but it broke my instance because apache was looking for the ssl files. I had already automated the installation of tls with certbot so I just created a new instance and ran my script. You were correct. Once I redid everything it worked fine and I can now see when it expires.

Thank you again for answering all my questions.

1 Like

Well, that's why I asked:

But I'm glad you got it working in the end somehow.

Please be more careful in the future and don't modify anything inside /etc/letsencrypt/ manually.


I will, thank you. After panic creating a new instance, I sat back and I fixed my issue. The instance is fine. I removed the symbolic link between apache and the old certificate. That and a couple other things managed to do the trick.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.