Migrated from one server to another, copied /etc/letsencrypt


#1

I was able to renew them, but I get this when I use --dry-run

Like the title says, I moved from one DigitalOcean VPS to another and I am fairly certain I copied the entire /etc/letsencrypt folder. I’m thinking there’s some symlink issue I don’t quite understand going on based on some other posts I read.

My domain is: davidcintron.org

I ran this command:
sudo certbot renew --dry-run
It produced this output:


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/davidcintron.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 64, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 441, in __init__
    "file reference".format(self.configfile))
certbot.errors.CertStorageError: renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/davidcintron.org.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/davidcintron.org-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cgms.davediabet.es
http-01 challenge for davidcintron.com
http-01 challenge for davidcintron.org
http-01 challenge for loudestnoi.se
http-01 challenge for pickletron.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/davidcintron.org-0001/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/davidcintron.org-0001/fullchain.pem (success)

Additionally, the following renewal configurations were invalid: 
  /etc/letsencrypt/renewal/davidcintron.org.conf (parsefail)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 renew failure(s), 1 parse failure(s)

My web server is (include version):

⇢  nginx -v
nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 18.04
My hosting provider, if applicable, is:
DigitalOcean
I can login to a root shell on my machine (yes or no, or I don’t know):
Yep
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0


#2

How did you copy it?

If you created a tarball and extracted it on the other side, the symlinks (by default) would be preserved:

tar cf letsencrypt.tar /etc/letsencrypt # (good)

but if you did something like an rsync or scp, it would (again by default) destroy the symlinks and copy their targets:

rsync -r /etc/letsencrypt root@other-server:/etc/letsencrypt # (bad)

#3

Unfortunately, I just scp-ed it from one box to another. I wasn’t thinking of such things when I did it. The old VPS is gone now. It sank into the depths of the digital ocean :ocean:


#4

If you’re using --nginx for all of your domains, there’s no big tragedy in starting from scratch :slight_smile: .

It’s possible to manually repair the symlinks but I don’t really have my head around doing that, someone else might though.

Edit: hey, check this out - https://github.com/Bielecki/certbot-renew_fix


#5

I am using --nginx, and just did a renewal today (which did work), I just saw that in the logs and thought I should figure out how to resolve it.

I wasn’t clear about the rate limiting of requesting new certs, or how you go about doing it from scratch say around next renewal time.


closed #6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.