Need help recreating symlinks

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: coachmaster.co.uk and others

I ran this command:

It produced this output:

My web server is (include version): nginx 1.20.0

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: bitfolk

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0 on old machine.

I am trying to test a rebuild of my server, while the old machine is still running.

I cannot auto-upgrade Ubuntu, because the accumulated changes from 2010 (08?) are too many and the 18.04 to 20.04 upgrade breaks badly. It has come to the point where I have to rebuild the server in Ubuntu 20.04. I can't test the webserver without the certificates, and I can't install via certbot because the new server is not on-line. I have discovered that the backup I have taken with rsnapshot does not include the symlinks!

So what symlinks must I re-create so that nginx is happy again?

Having set them up, with the latest restored files from the backup, should it work off-line, or will I have recertification woes?

I also note that I have been collecting csr/*.pem files on a daily basis, and keys/*.pem files even more frequently. What can I clear out to tidy up and regain some space?

Many thanks
Ian

Hi @ianhobson,

What you should do to recreate a set of symlinks:

(as root)

cd /etc/letsencrypt/archive/example.com
ls -lrt *.pem

check what the most recent version number at the bottom is (e.g. cert7.pem or cert3.pem or whatever; below, I'll pretend it was cert4.pem, but replace the number 4 with the appropriate number for this specific certificate), and then

cd /etc/letsencrypt/live/example.com
# -f: no error if the links are already missing
rm -f cert.pem privkey.pem chain.pem fullchain.pem
# targets are relative to live/example.com, so archive/ is two levels up
ln -s ../../archive/example.com/cert4.pem cert.pem
ln -s ../../archive/example.com/privkey4.pem privkey.pem
ln -s ../../archive/example.com/chain4.pem chain.pem
ln -s ../../archive/example.com/fullchain4.pem fullchain.pem

If you have more than one certificate, repeat this whole process for each certificate name (indicated as example.com above). Note that the version number for each individual certificate (e.g. cert4.pem) may be different from each other certificate.

It should probably work again after that.

I'm not sure what you mean by "off-line" here, but I think certbot renew should work to renew your certificate(s). You can try sudo certbot renew --dry-run to test it after fixing the symlinks.

The /etc/letsencrypt/csr and /etc/letsencrypt/keys directories are just backups and not needed for Certbot's ongoing operations. In fact, it's been proposed on occasion that Certbot probably should not save these files at all, or not for very long.

2 Likes
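The manual procedure from the reply above, scripted for every certificate name at once, as an added example that is not part of the original reply or of Certbot. It picks the highest-numbered certN.pem by numeric comparison (so cert10.pem beats cert9.pem), refuses to link a version whose four files are not all present, and uses the two-level relative targets (../../archive/NAME/...) that Certbot itself creates. The function names and the script name relink.sh are hypothetical.

```shell
#!/bin/sh
# Added example: rebuild Certbot's live/ symlinks from archive/ for every lineage.
# Print the highest N for which certN.pem exists in directory $1 (nothing if none).
latest_version() {
    best=0
    for f in "$1"/cert*.pem; do
        n=${f##*/cert}; n=${n%.pem}
        case $n in ''|*[!0-9]*) continue ;; esac   # skips an unmatched glob too
        if [ "$n" -gt "$best" ]; then best=$n; fi
    done
    if [ "$best" -gt 0 ]; then echo "$best"; fi
}

# Recreate the four symlinks for one lineage: relink_lineage ROOT NAME
relink_lineage() {
    root=$1 name=$2
    arch=$root/archive/$name
    live=$root/live/$name
    v=$(latest_version "$arch")
    if [ -z "$v" ]; then
        echo "$name: no certN.pem in $arch" >&2; return 1
    fi
    for kind in cert privkey chain fullchain; do
        if [ ! -s "$arch/$kind$v.pem" ]; then
            echo "$name: $kind$v.pem missing or empty, not linking" >&2; return 1
        fi
    done
    mkdir -p "$live" || return 1
    for kind in cert privkey chain fullchain; do
        # live/NAME/ sits two levels below ROOT, hence ../../archive
        ln -sf "../../archive/$name/$kind$v.pem" "$live/$kind.pem" || return 1
    done
    echo "$name: linked version $v"
}

# Relink every lineage under ROOT/archive; non-zero exit status if any failed.
relink_all() {
    root=$1 rc=0
    for d in "$root"/archive/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        relink_lineage "$root" "${d##*/}" || rc=1
    done
    return $rc
}

# Runs only when a root is given, e.g.: sudo sh relink.sh /etc/letsencrypt
if [ -n "${1:-}" ]; then relink_all "$1"; fi
```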

Hi Schoen,
What a superbly helpful and precise answer. Thank you very much.
Ian

2 Likes
