Migrated from one server to another, copied /etc/letsencrypt

loudestnoise · March 3, 2019, 11:26pm

I was able to renew them, but I get this when I use --dry-run

Like the title says, I moved from one DigitalOcean VPS to another and I am fairly certain I copied the entire /etc/letsencrypt folder. I’m thinking there’s some symlink issue I don’t quite understand going on based on some other posts I read.

My domain is: davidcintron.org

I ran this command:
sudo certbot renew --dry-run
It produced this output:


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/davidcintron.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 64, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 441, in __init__
    "file reference".format(self.configfile))
certbot.errors.CertStorageError: renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/davidcintron.org.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/davidcintron.org-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cgms.davediabet.es
http-01 challenge for davidcintron.com
http-01 challenge for davidcintron.org
http-01 challenge for loudestnoi.se
http-01 challenge for pickletron.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/davidcintron.org-0001/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/davidcintron.org-0001/fullchain.pem (success)

Additionally, the following renewal configurations were invalid: 
  /etc/letsencrypt/renewal/davidcintron.org.conf (parsefail)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 renew failure(s), 1 parse failure(s)

My web server is (include version):

⇢  nginx -v
nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 18.04
My hosting provider, if applicable, is:
DigitalOcean
I can login to a root shell on my machine (yes or no, or I don’t know):
Yep
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0

_az · March 3, 2019, 11:50pm

How did you copy it?

If you created a tarball and extracted it on the other side, the symlinks (by default) would be preserved:

tar cf letsencrypt.tar /etc/letsencrypt # (good)

but if you did something like an rsync or scp, it would (again by default) destroy the symlinks and copy their targets:

rsync -r /etc/letsencrypt root@other-server:/etc/letsencrypt # (bad)

loudestnoise · March 3, 2019, 11:52pm

Unfortunately, I just scp-ed it from one box to another. I wasn't thinking of such things when I did it. The old VPS is gone now. It sank into the depths of the digital ocean

_az · March 3, 2019, 11:53pm

If you’re using --nginx for all of your domains, there’s no big tragedy in starting from scratch .

It’s possible to manually repair the symlinks but I don’t really have my head around doing that, someone else might though.

Edit: hey, check this out - https://github.com/Bielecki/certbot-renew_fix

loudestnoise · March 3, 2019, 11:54pm

I am using --nginx, and just did a renewal today (which did work), I just saw that in the logs and thought I should figure out how to resolve it.

I wasn’t clear about the rate limiting of requesting new certs, or how you go about doing it from scratch say around next renewal time.

system · April 2, 2019, 11:54pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Renewal failure after server migration Help	12	3110	January 27, 2019
Certbot Symlink file broken for renewal due to moving files Help	14	7531	September 17, 2018
CertStorageError (Symlink) and renewal.conf broken Help	4	5255	February 25, 2019
Renewal configuration file ***.conf is broken. Skipping Help	13	3303	February 20, 2022
Error updating certbot certificate Help	9	378	October 6, 2023

Migrated from one server to another, copied /etc/letsencrypt

Related topics