OSError: [Errno 17] File exists: '/etc/letsencrypt/archive/domain/privkey8.pem'

After once again discovering changes to cert-bot that broke it for my platform and having run letsencrypt over and over again with the no upgrade options I still end up having to fix this stupid thing about once a month.

Now I’m getting:

There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: gluesniffer.org: see https://letsencrypt.org/docs/rate-limits/

after zero successful updates. So am I SOL and have to wait a whole week to fix my domain again?

Do you have copies of any of the 1 or 2 dozen unexpired gluesniffer.org certificates that exist? Or at least their private keys?

Do you really need another certificate immediately?

That error probably indicates that something is wrong with /etc/letsencrypt/archive/ or /etc/letsencrypt/live/ – likely that some of the directories have been moved around, and Certbot is unable to make sense of it.

Have you fixed whatever the problem is?

Even if /etc/letsencrypt/ is badly damaged, you can keep your website running with one of the current certificates as long as you have a private key from /etc/letsencrypt/archive/ or /etc/letsencrypt/keys/.

There’s also another option.

Can you post the output of “sudo ls -alR /etc/letsencrypt/” and “sudo certbot certificates”?


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

I checked the copies and they’re all from a month ago. The directories themselves have had mtime updates to the time I tried to perform the updates.

Upgrades seem to fail as this system is an older Debian without fully functional pip.

Upgrading certbot-auto 0.30.2 to 0.37.2…
Replacing certbot-auto…
Creating virtual environment…
Installing Python packages…
/opt/eff.org/certbot/venv/bin/python: No module named pip.__main__; 'pip' is a package and cannot be directly executed
Traceback (most recent call last):
  File "/tmp/tmp.pr0DxJDOba/pipstrap.py", line 177, in <module>
    sys.exit(main())
  File "/tmp/tmp.pr0DxJDOba/pipstrap.py", line 149, in main
    pip_version = StrictVersion(check_output([python, '-m', 'pip', '--version'])
  File "/usr/lib/python2.7/subprocess.py", line 544, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command '['/opt/eff.org/certbot/venv/bin/python', '-m', 'pip', '--version']' returned non-zero exit status 1

The keys for the newer certificates have all been lost?

Even a certificate from a month ago is still valid for two more months.

What version of Debian?

Sorry for the delay, it’s been a busy week and this domain was lower priority for me. Anyways I just ran:
root@hal:~/letsencrypt# ./certbot-auto.1 certonly --webroot --renew-by-default -w /var/www/htdocs --no-bootstrap --no-self-upgrade --domains gluesniffer.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
An unexpected error occurred:
OSError: [Errno 17] File exists: '/etc/letsencrypt/archive/www.gluesniffer.org/privkey8.pem'
Please see the logfiles in /var/log/letsencrypt for more details.

2019-09-07 10:54:31,880:DEBUG:acme.client:Error during a POST-as-GET request, your ACME CA may not support it:
urn:ietf:params:acme:error:malformed :: The request message was malformed :: Invalid Content-Type header on POST. Content-Type must be "application/jose+json"
2019-09-07 10:54:31,880:DEBUG:acme.client:Retrying request with GET.
2019-09-07 10:54:31,880:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/acme/cert/042a7737441761537b0b81f01f263063299b.
2019-09-07 10:54:31,881:DEBUG:urllib3.connectionpool:Resetting dropped connection: acme-v02.api.letsencrypt.org
2019-09-07 10:54:38,019:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /acme/cert/042a7737441761537b0b81f01f263063299b HTTP/1.1" 200 3904
2019-09-07 10:54:38,020:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/pem-certificate-chain
Content-Length: 3904
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sat, 07 Sep 2019 16:54:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 07 Sep 2019 16:54:38 GMT
Connection: keep-alive

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

2019-09-07 10:54:38,022:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1250, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py", line 317, in renew_cert
    lineage.save_successor(prior_version, new_cert, new_key.pem, new_chain, config)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/storage.py", line 1104, in save_successor
    with util.safe_open(target["privkey"], "wb", chmod=BASE_PRIVKEY_MODE) as f:
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/util.py", line 229, in safe_open
    os.open(path, os.O_CREAT | os.O_EXCL | os.O_RDWR, *open_args),
OSError: [Errno 17] File exists: '/etc/letsencrypt/archive/www.gluesniffer.org/privkey8.pem'
2019-09-07 10:54:38,026:ERROR:certbot.log:An unexpected error occurred:

This is a Debian 7.11 machine and it’s using a version of certbot-auto I found here for older operating systems as the newer self-upgrading certbot wants to use a version of pip which doesn’t seem to work right on this box.

This is Debian 7.11 with a version of certbot-auto I found here which doesn’t use pip and it’s called with --no-self-upgrade and --no-bootstrap because pip doesn’t work right on this platform.

Can you post the output of “sudo ls -alR /etc/letsencrypt/” and “sudo certbot certificates”?

I must have an older version, as I have no ‘certbot’ as part of my distribution, only certbot-auto. Anyways, here’s the output from the letsencrypt etc directory: https://pastebin.com/Cth3CXxn

I can’t attach because I’m a new user and can’t post it all here because it’s too long.

I'm sorry -- I should have said "./certbot-auto.1 certificates". In other words, what I meant to ask you to run was the "certificates" subcommand of your Certbot executable.

Thanks!

/etc/letsencrypt/archive/www.gluesniffer.org:
total 60
drwxr-xr-x 2 root root 4096 Sep  1 00:04 .
drwx------ 7 root root 4096 Feb  5  2019 ..
-rw-r--r-- 1 root root 1830 Dec 16  2015 cert1.pem
-rw-r--r-- 1 root root 2179 Feb 13  2016 cert2.pem
-rw-r--r-- 1 root root 2179 Apr 12  2016 cert3.pem
-rw-r--r-- 1 root root 1675 Dec 16  2015 chain1.pem
-rw-r--r-- 1 root root 1675 Feb 13  2016 chain2.pem
-rw-r--r-- 1 root root 1647 Apr 12  2016 chain3.pem
-rw-r--r-- 1 root root 3505 Dec 16  2015 fullchain1.pem
-rw-r--r-- 1 root root 3854 Feb 13  2016 fullchain2.pem
-rw-r--r-- 1 root root 3826 Apr 12  2016 fullchain3.pem
-rw-r--r-- 1 root root 1704 Dec 16  2015 privkey1.pem
-rw-r--r-- 1 root root 3272 Feb 13  2016 privkey2.pem
-rw-r--r-- 1 root root 3268 Apr 12  2016 privkey3.pem
-rw------- 1 root root 3272 Sep  1 00:04 privkey8.pem

Very strange that that privkey8.pem file exists. Certbot probably got confused by the other issue and created it, but I've never seen it happen before.

I guess you should back up the file and delete it.

(If you don't back it up, there's a second copy saved in /etc/letsencrypt/keys, but you might as well back it up anyway.)

/etc/letsencrypt/live:
total 32
drwx------ 7 root root 4096 Jun  1 10:40 .
drwxr-xr-x 9 root root 4096 Sep  7 10:54 ..
drwxr-xr-x 2 root root 4096 Mar  3  2019 gluesniffer.org
drwxr-xr-x 2 root root 4096 Jun  1 10:40 gluesniffer.org-0001
drwxr-xr-x 2 root root 4096 Sep  1 00:04 listings.actprop.com
-rw-r--r-- 1 root root  740 Feb  5  2019 README
lrwxrwxrwx 1 root root   20 Jun  1 10:40 www.gluesniffer.org -> gluesniffer.org-0001
drwxr-xr-x 2 root root 4096 Jul 12  2016 www.gluesniffer.org-0001
drwxr-xr-x 2 root root 4096 Apr 12  2016 www.gluesniffer.org,bk

This won't work right. www.gluesniffer.org shouldn't be a symlink to gluesniffer.org-0001. I don't know if the symlink itself will cause problems, but Certbot expects the www.gluesniffer.org directory to contain symlinks to files in ../../archive/www.gluesniffer.org/, and it expects the gluesniffer.org-0001 directory to contain symlinks to files in ../../archive/gluesniffer.org-0001/.

Try taking a backup, deleting the www.gluesniffer.org symlink, and renaming the www.gluesniffer.org,bk directory back to www.gluesniffer.org.

After that, can you run "./certbot-auto.1 certificates" again?

Certbot doesn't have a command to rename certificates. (It's not technically necessary. Certificate names are only for your usage, they aren't reflected in the certificates or anything.) Computer programs exist to make humans' lives easier (maybe), so it would still be very nice if it had one. But it doesn't.

If you need to manually rename a certificate, there are several steps:

  • Rename the archive directory.
  • Rename the live directory.
  • Change all four symlinks in the live directory.
  • Rename the renewal configuration file.
  • Open the renewal configuration file in a text editor and change all 5+ references to the archive and live directories.

If you miss a step, Certbot will malfunction.

Edit:

It's a moot point, but you should be able to make posts like that now.
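An added example, not part of any post in this thread and not Certbot's own code: a read-only consistency check for the layout described above (the live directory's four symlinks pointing into ../../archive/<name>/, complete numbered file sets in the archive, and a renewal configuration file that references the same name). The function names, the lineage names www.example.org and example.org-0001, and the sample tree are constructed for illustration; the tree reproduces the two faults seen in this thread, a stray privkey8.pem and a live directory that is a symlink to another lineage.

```python
import os, re, tempfile

KINDS = ("cert", "privkey", "chain", "fullchain")
BAD, GOOD = "www.example.org", "example.org-0001"  # constructed lineage names

def check_lineage(config_dir, name):
    """Return a list of layout problems for one certificate name."""
    live = os.path.join(config_dir, "live", name)
    problems = [f"live/{name} is itself a symlink"] if os.path.islink(live) else []
    for kind in KINDS:
        link = os.path.join(live, kind + ".pem")
        target = os.readlink(link) if os.path.islink(link) else "(not a symlink)"
        if not re.match(rf"\.\./\.\./archive/{re.escape(name)}/{kind}\d+\.pem$", target):
            problems.append(f"live {kind}.pem -> {target}")
    # A version number present for only some of the four files is a stray.
    found = {}
    archive = os.path.join(config_dir, "archive", name)
    for fn in os.listdir(archive) if os.path.isdir(archive) else []:
        m = re.match(r"(cert|privkey|chain|fullchain)(\d+)\.pem$", fn)
        if m:
            found.setdefault(int(m.group(2)), set()).add(m.group(1))
    for n, kinds in sorted(found.items()):
        if kinds != set(KINDS):
            problems.append(f"archive version {n} has only {sorted(kinds)}")
    # The renewal config must reference this name's archive and live directories.
    conf = os.path.join(config_dir, "renewal", name + ".conf")
    if not os.path.isfile(conf):
        return problems + [f"renewal/{name}.conf missing"]
    with open(conf) as f:
        refs = re.findall(r"/(?:archive|live)/([^/\s]+)", f.read())
    return problems + [f"renewal conf references {r}" for r in refs if r != name]

def build_sample():
    """Constructed tree: stray privkey8.pem; live/BAD symlinked to the GOOD lineage."""
    root = tempfile.mkdtemp()
    for d in (f"archive/{BAD}", f"archive/{GOOD}", f"live/{GOOD}", "renewal"):
        os.makedirs(os.path.join(root, d))
    for kind in KINDS:
        for d, n in ((BAD, 3), (GOOD, 1)):
            open(f"{root}/archive/{d}/{kind}{n}.pem", "w").close()
        os.symlink(f"../../archive/{GOOD}/{kind}1.pem", f"{root}/live/{GOOD}/{kind}.pem")
    open(f"{root}/archive/{BAD}/privkey8.pem", "w").close()
    os.symlink(GOOD, f"{root}/live/{BAD}")
    with open(f"{root}/renewal/{GOOD}.conf", "w") as f:
        f.write(f"archive_dir = {root}/archive/{GOOD}\ncert = {root}/live/{GOOD}/cert.pem\n")
    return root

if __name__ == "__main__":
    print("\n".join(check_lineage(build_sample(), BAD)))
```

On a real host the first argument would be /etc/letsencrypt (run as root, after taking a backup); the check only reads the tree and changes nothing.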
