Renew config file has incorrect 'fullchain_path' 'cert_path' and 'chain_path'

Hi!

I hope this hasn't been asked yet - I've had a look around the forums and couldn't find any similar Qs.

Note - I've replaced the actual domain name with example.com below

I'm automating the setup of a LEMP stack (Ubuntu 16.04.1, NginX, MariaDB and PHP7) and using letsencrypt for cert issuing. I've written a bash file that sets up the server perfectly, installs letsencrypt and issues a cert. The way I'm running the bash file is by git cloning it to a directory, let's say:
~/temp/setup_server_script

Then, I'm running the script from there and letting it do its thing:
# cd ~/temp/setup_server_script
# sudo ./script.sh

The part in that script that takes care of installing letsencrypt is:
# apt-get -qq install -y letsencrypt > logs/stdout.txt 2>&1
Note - I'm trying to do this as automated and quietly as possible...

And the part in the script that installs the cert is:
# letsencrypt certonly -a webroot --webroot-path=/var/www/html --agree-tos --email example@example.com -d example.com

The problem that I'm having is with renewals. There's only one domain/cert per server so I'm just running

sudo letsencrypt renew

and I get the error:

Processing /etc/letsencrypt/renewal/example.com.conf
2017-01-25 05:34:50,319:WARNING:letsencrypt.cli:Renewal configuration file /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: [Errno 2] No such file or directory. Skipping.

No renewals were attempted.

Additionally, the following renewal configuration files were invalid:
/etc/letsencrypt/renewal/example.com.conf (parsefail)
0 renew failure(s), 1 parse failure(s)

So I check out the conf file in question:
cat /etc/letsencrypt/renewal/example.com.conf

And I realise that the fullchain_path, cert_path, and chain_path values are all incorrect and are pointing to the directory in which I initiated the bash script to run from:
fullchain_path = /root/temp/setup_server_script/chain.pem
cert_path = /root/temp/setup_server_script/cert.pem
chain_path = /root/temp/setup_server_script/chain.pem

Obviously this is not correct as the .pem files are in:
/etc/letsencrypt/live/example.com

My questions are:
Is this the best (or at least a good) way to automate letsencrypt via shell script?
If so, how can I make sure the renewal .conf file has the correct paths for fullchain_path, cert_path, and chain_path?
Is there a better way to renew or something I'm missing that will fix this?

This is where I'm at so far, but ultimately I'd like to automate the setup of automatic cert renewals by adding some commands to the shell script that will in turn add a line or two to the crontab. Just need to figure out what renewal commands I can add to get this working properly!

Thank you in advance for your help!
Jamie.


As I cannot see your bash script I would just suggest making it run from the correct folder in future so it does not do this in future. To fix it now simply edit the .conf file in the /renewal/ folder and put in the correct locations.
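One way to do the check and edit Mitchell describes, as an added example that is not part of this thread or of certbot: it compares the three *_path keys in a renewal conf with the live directory for the domain named by the conf file, and rewrites them only when the target .pem files actually exist. The helper names, the LIVE_DIR override and the sample conf are assumptions constructed for the example.

```shell
#!/bin/bash
# Audit and repair the cert_path / chain_path / fullchain_path keys of a
# certbot (letsencrypt) renewal conf so they point at the live directory.
# Hypothetical helpers, not part of certbot; LIVE_DIR can be overridden.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"

# Domain a renewal conf belongs to, taken from its file name (example.com.conf).
renewal_domain() { basename "$1" .conf; }

# Expected value of one key: cert_path -> <live>/<domain>/cert.pem, and so on.
expected_path() { printf '%s/%s/%s.pem\n' "$LIVE_DIR" "$2" "${1%_path}"; }

# Returns 0 when all three keys already match, 1 otherwise (prints mismatches).
check_renewal_paths() {
    local conf="$1" domain key have want bad=0
    domain=$(renewal_domain "$conf")
    for key in cert_path chain_path fullchain_path; do
        want=$(expected_path "$key" "$domain")
        have=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$conf" | head -n 1)
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: have "%s", expected "%s"\n' "$key" "$have" "$want"
            bad=1
        fi
    done
    return "$bad"
}

# Rewrites the three keys in place after saving conf.bak. Refuses to run if a
# target .pem is missing, so renewal is never pointed at a file that is not there.
fix_renewal_paths() {
    local conf="$1" domain key want script=""
    domain=$(renewal_domain "$conf")
    for key in cert_path chain_path fullchain_path; do
        want=$(expected_path "$key" "$domain")
        [ -f "$want" ] || { printf 'missing %s, not rewriting\n' "$want"; return 1; }
        script="${script:+$script;}s#^\([[:space:]]*$key[[:space:]]*=\).*#\1 $want#"
    done
    cp "$conf" "$conf.bak" && sed "$script" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Constructed sample conf reproducing the wrong paths shown in the thread.
make_sample_conf() {   # $1 = directory to create renewal/example.com.conf in
    mkdir -p "$1/renewal"
    cat > "$1/renewal/example.com.conf" <<'EOF'
cert = /etc/letsencrypt/live/example.com/cert.pem
fullchain_path = /root/temp/setup_server_script/chain.pem
cert_path = /root/temp/setup_server_script/cert.pem
chain_path = /root/temp/setup_server_script/chain.pem
EOF
}
```

Run `check_renewal_paths /etc/letsencrypt/renewal/example.com.conf` first to see what is wrong; `fix_renewal_paths` on the same file leaves the original beside it as `.bak`.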

Thanks Mitchell!

I wonder if I can write the letsencrypt commands into a second bash script, then make the original bash script copy over the second script to the correct directory and initiate the script to run. I’ll do some testing and see if that works :slight_smile:

So am I right in thinking that any certonly command (inside or outside a bash script) such as:
letsencrypt certonly -a webroot --webroot-path=/var/www/html --agree-tos --email example@example.com -d example.com

should be run from /etc/letsencrypt/ and cannot be run from any other directory or else the renewal config will be incorrect? I feel like I’m missing something. Maybe this only applies when running the commands from a bash script?

Thanks again!
Jamie.

This should not happen this way. Do you think you could share the whole script with us in case there are any other indications for something that could have caused this?

What version of letsencrypt do you have as a result of installing it from the package manager? Would you be willing to try certbot-auto to get a (maybe much) more up-to-date client outside of your package manager?

Just had a check and I can see that my letsencrypt version is 0.4.1, which was installed using the Ubuntu 16.04 package manager.

Bear in mind that this was my first project with bash scripting and was intended to be a learning process.
(In other words, don’t judge my messy code too harshly - there’s still a hell of a lot for me to learn!)

The parts of my script that relate in any way to letsencrypt are:

Firstly, I collect some vars from the script user and call some other .sh files depending on the user's choice to set up the server for http or https:

##Vars##
https="" #This var will toggle http or https setup
webname="" #This var will contain the user's primary domain name
altwebname="" #This var will contain the user's secondary domain name (if they choose to use www. as well)
numberOfDomains="" #1 or 2 depending on the user's choice of domain names
ipaddress="1.2.3.4" #IP address of current server collected previously.

## Colors, for fun and learning##
NC='\033[0m' ## NC = No Colour
RED='\033[0;31m'
GREEN='\033[0;32m'
#Note: bash's builtin echo only interprets these escapes with -e, so the coloured echos below use echo -e

## Variable Collection ##
read -r -p "Do you want to use https? [y/N] " response
case $response in
    [yY][eE][sS]|[yY])
        https="https"
        cp resources/default.https resources/default #This copies over a prewritten https serverblock file.
        perl -pi -e "s/SERVER_IP/${ipaddress}/g" resources/default #This puts the current server IP in that file
        echo "Nice!"
        ;;
    *)
        cp resources/default.http resources/default #This copies over a prewritten http serverblock file.
        https="http"
        echo "No worries... http it is!"
        ;;
esac
sleep 1

## after collecting some more vars for other services....

apt-get -qq update -y --force-yes
apt-get -qq upgrade -y > logs/stdout.txt 2>&1

## Install Services ##
if [ "$https" = "https" ]; then
    . scripts/https_installs.sh #This contains the letsencrypt install code (Listed below)
else
    . scripts/installs.sh #This is the rest of the services
fi

## Configure Services ##
. scripts/config_services.sh #Also listed below

So, if https="https" then here’s the scripts/https_installs.sh contents:

## https installs ##

echo -e "${GREEN}Installing LetsEncrypt${NC}"
apt-get -qq install -y letsencrypt >> logs/stdout.txt 2>&1 #Append so the earlier upgrade output in the log is not overwritten

. scripts/installs.sh #This will go ahead and install other things like Nginx, Php etc.etc.

And here’s the part of the scripts/config_services.sh that relates to Let's Encrypt (excuse the mess):

##Some other services config here##

## Lets Encrypt ##

if [ "$https" = "https" ]; then
    echo -e "${GREEN}Configuring LetsEncrypt${NC}"
    if [ "$numberOfDomains" = "1" ]; then
        letsencrypt certonly -a webroot --webroot-path=/var/www/html --agree-tos --email example@example.com -d "${webname}"
        sleep 2
    elif [ "$numberOfDomains" = "2" ]; then
        letsencrypt certonly -a webroot --webroot-path=/var/www/html --agree-tos --email example@example.com -d "${webname}" -d "${altwebname}"
        sleep 2
    fi
elif [ "$https" = "http" ]; then #if user selected http, there's no need for LetsEncrypt...
    echo -e "${GREEN}No need for LetsEncrypt - you chose http${NC}"
fi

Then the script goes on to config some other services.

I would definitely be willing to try certbot-auto, could you recommend best practices for installing a cert using certbot-auto within a shell script?

I’ll have a google around myself and see if I can find anything related :slight_smile:

Thanks for your help on this - much appreciated!


I would start out first by using the latest certbot script, that one in the repo is way too old, certbot is currently at 0.10.1.
I run my command lines from /opt/certbot where I have the certbot-auto script. It automatically places certs and renewal.conf files in the correct locations with the correct folder locations in those conf files.

sudo mkdir /opt/certbot
cd /opt/certbot
sudo wget https://dl.eff.org/certbot-auto

Run your ./certbot-auto commands from /opt/certbot folder

In my experience, letsencrypt 0.4.1 really does set those renewal configuration settings relative to the current directory, but it doesn’t break renewal. cert, privkey, chain and fullchain are set correctly, too. Only cert_path, chain_path and fullchain_path are wrong, and they’re probably ignored.

I suspect the problem is something else.
