Re-install certificates after server crash


#1

Hi,

I was using Let's Encrypt certificates for an XMPP server and a file sharing server on my Raspberry Pi. Unfortunately, my Raspberry crashed the other day and the SD card with the OS did not survive the crash. I do have a copy of the broken SD card, though, but I don't know if all files are fine.
I had to reinstall the OS (raspbian), and then copied the content of /etc/letsencrypt to the newly installed SD card.
However, now the XMPP server does not read the certificates any longer, and when I start ./letsencrypt-auto renew it fails and tells me something about "expected link in /etc/letsencrypt/live/[domain]/privkey.pem" (sorry, I do not have the exact error message here at the moment).

How can I restore my current certificate, i.e., how should the directory layout be? (Another problem might be that I’m using a dynamic DNS provider that hits the rate limit and thus cannot easily create a new certificate or can I?)

Thanks for any help,
kartoffelsalat


#2

Did you copy /etc/letsencrypt using a method that would preserve symlink structure? (For example, copying onto a FAT filesystem would probably not preserve it; neither would using cp without -P or -a.) If you do

ls -l /etc/letsencrypt/live/[domain]

are the items that you see symlinks, or do they appear to be copies of the actual files?


#3

Thanks for the quick reply.

No, in the rush of doing things quickly (before the SD card completely dies), I copied the files only with cp -Rv. Good to know for the next time!

ls -l /etc/letsencrypt/live/[domain] looks like there are ordinary files in the folder – no symlinks.

Can I fix this somehow?


#4

Each file in /etc/letsencrypt/live/example.com should be a symlink to another file with the structure $filename + $counter in /etc/letsencrypt/archive/example.com. As an example, /etc/letsencrypt/live/example.com/privkey.pem might be a symlink to /etc/letsencrypt/archive/example.com/privkey1.pem. If you have multiple files with different “counters” in /archive, you’ll want the one with the highest number (that would be the most recent file).

To create a symlink, you can use ln -s.


#5

As I understand it, newly issued certificates are considered renewals for rate limiting purposes if they contain the exact same set of FQDNs (domains and subdomains) as an existing certificate - it should not matter whether you use the renew command or not.


#6

Right, as @pfg says, you should be able to fix it via

cd /etc/letsencrypt/live/example.com
ls -l
ls -l ../../archive/example.com
# Make sure that the associated archive files actually exist before continuing!
# Supposing that the most recent archive version of everything is "4":
rm cert.pem chain.pem fullchain.pem privkey.pem
ln -s ../../archive/example.com/cert4.pem cert.pem
ln -s ../../archive/example.com/chain4.pem chain.pem
ln -s ../../archive/example.com/fullchain4.pem fullchain.pem
ln -s ../../archive/example.com/privkey4.pem privkey.pem

Note to other people reading this thread: please don’t do something like this unless you understand what it does and are certain that you have exactly the same problem for the same reasons!

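The relinking steps from #4 and #6, as an added script that is not part of this thread and not certbot's own tooling: it picks the highest archive counter for each of the four files automatically, refuses to change anything unless every archive target is readable, moves the stale plain-file copies aside, and recreates the relative symlinks in the same ../../archive/<domain>/ layout certbot uses. The root directory and domain are arguments; example.com is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread). Rebuild live/<domain> symlinks from the
# newest files in archive/<domain>. Run as root against /etc/letsencrypt.

# Print the highest numeric suffix of <name><N>.pem in an archive directory.
# Returns non-zero (prints nothing) if no such file exists.
highest_version() {
    archive_dir=$1; name=$2; best=""
    for f in "$archive_dir/$name"[0-9]*.pem; do
        [ -e "$f" ] || continue              # glob matched nothing
        n=${f##*/$name}; n=${n%.pem}
        case $n in ''|*[!0-9]*) continue ;; esac
        if [ -z "$best" ] || [ "$n" -gt "$best" ]; then best=$n; fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# relink_live <letsencrypt root> <domain>
relink_live() {
    root=$1; domain=$2
    live="$root/live/$domain"; archive="$root/archive/$domain"
    # First pass: abort before touching anything if a target is missing.
    for name in cert chain fullchain privkey; do
        v=$(highest_version "$archive" "$name") || { echo "no $name*.pem in $archive" >&2; return 1; }
        [ -r "$archive/$name$v.pem" ] || { echo "cannot read $archive/$name$v.pem" >&2; return 1; }
    done
    mkdir -p "$live"
    # Second pass: keep a .bak of any plain-file copy, then create the
    # relative symlink exactly as #6 does by hand.
    for name in cert chain fullchain privkey; do
        v=$(highest_version "$archive" "$name")
        if [ -e "$live/$name.pem" ] && [ ! -L "$live/$name.pem" ]; then
            mv "$live/$name.pem" "$live/$name.pem.bak"
        fi
        rm -f "$live/$name.pem"
        ln -s "../../archive/$domain/$name$v.pem" "$live/$name.pem"
    done
}

# verify_live <letsencrypt root> <domain>: every live file must be a symlink
# that resolves to a readable file (what "expected link in ..." checks for).
verify_live() {
    root=$1; domain=$2; bad=0
    for name in cert chain fullchain privkey; do
        p="$root/live/$domain/$name.pem"
        if [ ! -L "$p" ] || [ ! -r "$p" ]; then echo "bad: $p" >&2; bad=1; fi
    done
    return $bad
}
```

Run `relink_live /etc/letsencrypt example.com && verify_live /etc/letsencrypt example.com` and then a dry run of the renew command to confirm it no longer complains about the links.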

#7

Alright, thanks, I managed to get at least the XMPP server working again. In the end it turned out that I needed to delete the folder /etc/letsencrypt/live/example.com completely and then re-create it. Apparently, this folder was somehow corrupt and had different permissions than it told me with an ls -la.

Thanks for your quick support!