No live directory in /etc/letsencrypt

I am a beginner at all this server stuff, and I did a few stupid things. This domain is my first time delving into this world, so I had to rebuild my DigitalOcean droplet quite a few times. My project is a Mezzanine Blog, and so I use the fabric file they supply. I have rebuilt my droplet around 4 or 5 times. I also hit my rate limit on making certs, as the command output shows below.

In my /etc/letsencrypt/csr directory, I see my past certs, I believe. My site is currently not secured, and it all started after I ran my fabric file. I assume that messed up where certs were installed, so I rebuilt my droplet. Now I still have the issue. When I run sudo certbot certificates I get no certs found.

How can I make my site secure again?

My domain is: Chairbirds.com

I ran this command: $ sudo certbot --nginx

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?


1: chairbirds.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: chairbirds.com: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version): nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.03

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

1 Like

The live directory is not created until the first certificate is issued.

The csr directory contains past certificate requests, not certificates themselves.

When you rebuilt the droplet, the private keys to your certificates were permanently destroyed. Unless you can recover the private key files somehow (backups), those previous certificates are no longer recoverable.

There is no way to reset rate limits with Let’s Encrypt; you have to wait, or request a non-duplicative certificate.

You could also consider using Certbot to request a certificate from a different certificate authority, such as BuyPass, since other CAs do not share the same rate limit data as Let’s Encrypt. Doing so would be quite simple, just add:

--server 'https://api.buypass.com/acme/directory'

In the future, back up your /etc/letsencrypt directory if you are planning to recreate your droplet.

2 Likes
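The backup advice in the reply above, as an added example that is not part of the original thread: a POSIX shell sketch that archives /etc/letsencrypt before a rebuild, restores it, and checks that the live/ symlinks still resolve to the private keys in archive/. The function names `backup_le`, `restore_le` and `check_lineages` and the backup path are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Certbot keeps real files in archive/ and relative symlinks in live/<name>/.

# backup_le SRC OUT: archive SRC (default /etc/letsencrypt) into OUT.
# The archive holds private keys, so it is created readable by its owner only.
backup_le() {
    src=${1:-/etc/letsencrypt}
    out=$2
    if [ ! -d "$src/live" ]; then
        echo "no live/ under $src: no certificate was ever issued here" >&2
        return 2
    fi
    ( umask 077 && tar -C "$(dirname "$src")" -czf "$out" "$(basename "$src")" )
}

# restore_le ARCHIVE PARENT: unpack under PARENT, keeping modes and symlinks.
restore_le() {
    mkdir -p "$2" && tar -C "$2" -xpzf "$1"
}

# check_lineages DIR: print how many live/ private keys resolve to a real
# file and how many live/ symlinks are dangling after a restore.
check_lineages() {
    keys=0
    broken=0
    for link in "$1"/live/*/*.pem; do
        [ -L "$link" ] || continue
        if [ ! -e "$link" ]; then
            broken=$((broken + 1))
        else
            case $link in
                */privkey.pem) keys=$((keys + 1)) ;;
            esac
        fi
    done
    echo "keys=$keys broken=$broken"
}

# Typical use on the droplet, as root, before and after a rebuild:
#   backup_le /etc/letsencrypt /root/letsencrypt-backup.tar.gz
#   restore_le /root/letsencrypt-backup.tar.gz /etc
#   check_lineages /etc/letsencrypt
```

The archive has to be copied off the droplet before it is destroyed, and it should be stored as carefully as the private keys it contains.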

If you don’t mind me asking further questions, I would like to know if BuyPass is as good as letsencrypt? I am very ignorant in this realm, but I assume different certificate authorities provide the same type of certificates?

So, either I can wait for my rate limit to reset, get a new certificate, and then back up my /etc/letsencrypt directory from now on, or use a different certificate authority?

Thanks a lot for the reply, @_az !

1 Like

Also, another question. When I ran the fab deploy command from my fabric file, the certificates must’ve been destroyed. I wonder if you understand why that would be? I would prefer to use fab deploy whenever I make changes, but if it screws up my certificates every time, then I don’t know if I should continue using this method of deploying.

1 Like

All certificates of the DV type are as good as each other. The differences come down to which browsers trust what CAs, but BuyPass has been around longer than Let's Encrypt, so I doubt that the browser support is any worse (but I don't know for sure). Either way, it can tide you over for your week of rate limit and then you can switch to Let's Encrypt afterwards if you want.

I interpreted your first post as saying that you wiped your droplet to a fresh state. If that's not what you did, then I have no idea why the certificates would have disappeared.

I imagine fab is some kind of config management tool, and they usually don't delete data unless you tell them to.

1 Like

Oh, awesome! That sounds good. I appreciate the suggestions! I will definitely look into BuyPass to tide me over. That sounds a lot better.

@_az
I interpreted your first post as saying that you wiped your droplet to a fresh state. If that’s not what you did, then I have no idea why the certificates would have disappeared.
I imagine fab is some kind of config management tool, and they usually don’t delete data unless you tell them to.

So yeah, I did wipe my droplet to a fresh state and receive this error. I now know that the live folder wasn't created, because my rate limit had been reached. Before wiping my droplet this last time, I had run the fab deploy command that screwed up my certificates somehow. Fabric is a config management tool, and I will now try troubleshooting why that caused my certificates to disappear.

Thanks again, @_az ! You solved my issue, and now I will begin troubleshooting my next issue!

1 Like
