Re-install certificates after server crash



I was using let’s encrypt certificates for an XMPP-Server and a file sharing server on my raspberry pi. Unfortunately, my raspberry crashed the other day and the SD card with the OS did not survive the crash. I do have a copy of the broken SD Card, though, but I don’t know if all files are fine.
I had to reinstall the OS (raspbian), and then copied the content of /etc/letsencrypt to the newly installed SD card.
However, now the XMPP server does not read the certificates anylonger and when I start ./letsencrypt-auto renew it fails and tells me something about “expected link in /etc/letsencrypt/live/[domain]/privkey.pem” (sorry, I do not have the exact error message here at the moment).

How can I restore my current certificate, i.e., how should the directory layout be? (Another problem might be that I’m using a dynamic DNS provider that hits the rate limit and thus cannot easily create a new certificate or can I?)

Thanks for any help,


Did you copy /etc/letsencrypt using a method that would preserve symlink structure? (For example, copying onto a FAT filesystem would probably not preserve it; neither would using cp without -P or -a.) If you do

ls -l /etc/letsencrypt/live/[domain]

are the items that you see symlinks, or do they appear to be copies of the actual files?


Thanks for the quick reply.

No, in the rush of doing things quick (before the SD card completely dies), I copied the files only with cp -Rv. Good to know for the next time!

ls -l /etc/letsencrypt/live/[domain] looks like there are ordinary files in the folder – no symlinks.

Can I fix this somehow?


Each file in /etc/letsencrypt/live/ should be a symlink to another file with the structure $filename + $counter in /etc/letsencrypt/archive/ As an example, /etc/letsencrypt/live/ might be a symlink to /etc/letsencrypt/archive/ If you have multiple files with different “counters” in /archive, you’ll want the one with the highest number (that would be the most recent file).

To create a symlink, you can use ln -s.


As I understand it, newly issued certificates are considered renewals for rate limiting purposes if they contain the exact same set of FQDNs (domains and subdomains) as an existing certificate - it should not matter whether you use the renew command or not.


Right, as @pfg says, you should be able to fix it via

cd /etc/letsencrypt/live/
ls -l
ls -l ../../archive/
# Make sure that the associated archive files actually exist before continuing!
# Supposing that the most recent archive version of everything is "4":
rm cert.pem chain.pem fullchain.pem privkey.pem
ln -s ../../archive/ cert.pem
ln -s ../../archive/ chain.pem
ln -s ../../archive/ fullchain.pem
ln -s ../../archive/ privkey.pem

Note to other people reading this thread: please don’t do something like this unless you understand what it does and are certain that you have exactly the same problem for the same reasons!


Alright, thanks, I managed to get at least the XMPP server working again. In the end it turned out that I needed to delete the folder /etc/letsencrypt/live/ completely and then to re-create it. Apparently, this folder was somehow corrupt and had different permissions than it told me with a ls -la.

Thanks for your quick support!