Migrated from one server to another, copied /etc/letsencrypt

I was able to renew them, but I get this when I use --dry-run

Like the title says, I moved from one DigitalOcean VPS to another and I am fairly certain I copied the entire /etc/letsencrypt folder. I’m thinking there’s some symlink issue I don’t quite understand going on based on some other posts I read.

My domain is: davidcintron.org

I ran this command:
sudo certbot renew --dry-run
It produced this output:


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/davidcintron.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 64, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 441, in __init__
    "file reference".format(self.configfile))
certbot.errors.CertStorageError: renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/davidcintron.org.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/davidcintron.org-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cgms.davediabet.es
http-01 challenge for davidcintron.com
http-01 challenge for davidcintron.org
http-01 challenge for loudestnoi.se
http-01 challenge for pickletron.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/davidcintron.org-0001/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/davidcintron.org-0001/fullchain.pem (success)

Additionally, the following renewal configurations were invalid: 
  /etc/letsencrypt/renewal/davidcintron.org.conf (parsefail)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 renew failure(s), 1 parse failure(s)

My web server is (include version):

⇢  nginx -v
nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 18.04
My hosting provider, if applicable, is:
DigitalOcean
I can login to a root shell on my machine (yes or no, or I don’t know):
Yep
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0

How did you copy it?

If you created a tarball and extracted it on the other side, the symlinks (by default) would be preserved:

tar cf letsencrypt.tar /etc/letsencrypt # (good)

but if you did something like an rsync or scp, it would (again by default) destroy the symlinks and copy their targets:

rsync -r /etc/letsencrypt root@other-server:/etc/letsencrypt # (bad)

Unfortunately, I just scp-ed it from one box to another. I wasn't thinking of such things when I did it. The old VPS is gone now. It sank into the depths of the digital ocean :ocean:

If you’re using --nginx for all of your domains, there’s no big tragedy in starting from scratch :slight_smile:.

It’s possible to manually repair the symlinks, but I don’t really have my head around doing that; someone else might, though.

Edit: hey, check this out - https://github.com/Bielecki/certbot-renew_fix
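
Added example (not posted by anyone in this thread, and not the code of the linked project): a sketch of the manual symlink repair mentioned above. It relies on certbot's standard layout, where `live/<name>/<kind>.pem` is a relative link to `../../archive/<name>/<kind>N.pem`. The function names and script name are hypothetical, and it does not touch the files under `renewal/`.

```bash
# Added example: audit/repair certbot live/ symlinks flattened by a copy.
# Function names are hypothetical; LE_DIR is normally /etc/letsencrypt.
KINDS="cert chain fullchain privkey"

# Print the highest N for which archive/<name>/certN.pem exists.
latest_version() {
    local f n best=""
    for f in "$1/archive/$2"/cert[0-9]*.pem; do
        [ -e "$f" ] || continue
        n="${f##*/cert}"; n="${n%.pem}"
        case "$n" in *[!0-9]*) continue ;; esac
        if [ -z "$best" ] || [ "$n" -gt "$best" ]; then best="$n"; fi
    done
    printf '%s' "$best"
}

# Count live/<name>/<kind>.pem entries that are not resolvable symlinks.
count_broken() {
    local kind p broken=0
    for kind in $KINDS; do
        p="$1/live/$2/$kind.pem"
        if [ ! -L "$p" ] || [ ! -e "$p" ]; then broken=$((broken + 1)); fi
    done
    printf '%s' "$broken"
}

# Relink live/<name> to the newest archive version; nothing is changed unless
# every flattened copy is byte-identical to the file it will point at.
repair_lineage() {
    local le="$1" name="$2" kind n src dst
    n="$(latest_version "$le" "$name")"
    [ -n "$n" ] || { echo "no archive versions for $name" >&2; return 1; }
    for kind in $KINDS; do
        src="$le/archive/$name/$kind$n.pem"; dst="$le/live/$name/$kind.pem"
        [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
        if [ -f "$dst" ] && [ ! -L "$dst" ] && ! cmp -s "$src" "$dst"; then
            echo "$dst differs from $src; not replacing" >&2; return 1
        fi
    done
    for kind in $KINDS; do
        ln -sfn "../../archive/$name/$kind$n.pem" "$le/live/$name/$kind.pem"
    done
}

# Usage: sh relink.sh LE_DIR LINEAGE [--fix]   (report only without --fix)
if [ "$#" -ge 2 ]; then
    echo "$2: $(count_broken "$1" "$2") of 4 live entries need repair"
    if [ "${3:-}" = "--fix" ]; then repair_lineage "$1" "$2"; fi
fi
```

Back up `/etc/letsencrypt` with `tar` before using `--fix`, then re-run `sudo certbot renew --dry-run` to see whether the lineage now parses.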

I am using --nginx, and just did a renewal today (which did work). I just saw that in the logs and thought I should figure out how to resolve it.

I wasn’t clear about the rate limiting of requesting new certs, or how you go about doing it from scratch say around next renewal time.
