Renew fails due to links not found

If I run sudo certbot renew I get the following errors:

$ sudo certbot renew
[sudo] password for vvelev: 
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ventsy.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewal configuration file /etc/letsencrypt/renewal/ventsy.com.conf is broken.
The error was: expected /etc/letsencrypt/live/ventsy.com/cert.pem to be a symlink
Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.ventsy.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate www.ventsy.com with error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/www.ventsy.com/fullchain.pem (failure)

Additionally, the following renewal configurations were invalid: 
  /etc/letsencrypt/renewal/ventsy.com.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 1 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

The certs in /etc/letsencrypt/live/ventsy.com/ are actual files, not links.

But /etc/letsencrypt/live/www.ventsy.com/fullchain.pem is actually a link to
/etc/letsencrypt/live/www.ventsy.com/fullchain.pem -> ../../archive/www.ventsy.com/fullchain1.pem

The log is returning the following error:

2023-08-20 16:12:40,027:ERROR:certbot._internal.renewal:Failed to renew certificate www.ventsy.com with error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')

I've seen similar questions, but none of the answers really explained what the underlying problem was. It was all "try this or that".

So:

  1. Why are some certs created without the necessary links? Why is that even a problem?
  2. Can I renew manual certs? I'm using GoDaddy; it doesn't seem to support automatic Let's Encrypt certs.

I would expect with manual certs, that the cert will be issued locally and I'll just upload it by hand?

First, please show:

sudo ls -lR /etc/letsencrypt/{live,archive,renewal}

As to your questions ...

The symlinks are how Certbot makes it easy for you to always reference the latest cert while also maintaining some history. The symlink points to the latest set of files in the /archive folder.

You must have done something to overwrite those symlinks. Maybe there is some sort of non-default config option that would do that. But, some people use other ACME clients (like acme.sh) and overwrite them (not realizing the problems it causes).

Could anything like this have happened?

Sure, manually. Or, use the --manual-auth-hook to manage the challenge info. (link here)

Yes. You might also search this forum for CertSage as that ACME client was designed for GoDaddy shared hosting specifically.

3 Likes
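As an added example (not posted in this thread and not part of Certbot itself), the following POSIX shell script audits a Certbot lineage directory for exactly the layout the reply above describes: every file in /etc/letsencrypt/live/NAME/ should be a symlink into ../../archive/NAME/. A regular file in that place produces the "expected ... to be a symlink" parse failure shown in the original post, so running this before `certbot renew` tells you which lineage is broken and why. The paths used in the test are constructed in a temporary directory; on a real host you would pass /etc/letsencrypt/live (it needs root to read the private keys' directory).

```shell
#!/bin/sh
# Added example: audit Certbot "live" lineage directories.
# check_lineage DIR  - reports each of the four expected files as OK, REGULAR
#                      (a real file where a symlink belongs), BADLINK (symlink
#                      pointing somewhere other than ../../archive/<lineage>/),
#                      DANGLING (symlink whose target does not exist) or MISSING.
#                      Returns 0 only if all four are healthy symlinks.
# check_all [ROOT]   - runs check_lineage on every lineage under ROOT
#                      (default /etc/letsencrypt/live) and prints, as its last
#                      line, the number of broken lineages.

check_lineage() {
    live_dir=$1
    lineage=$(basename "$live_dir")
    status=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        path="$live_dir/$f"
        if [ ! -e "$path" ] && [ ! -L "$path" ]; then
            echo "MISSING  $path"
            status=1
        elif [ ! -L "$path" ]; then
            # This is the case that makes certbot renew report "parsefail".
            echo "REGULAR  $path (expected symlink into archive)"
            status=1
        else
            target=$(readlink "$path")
            case "$target" in
                ../../archive/"$lineage"/*)
                    echo "OK       $path -> $target" ;;
                *)
                    echo "BADLINK  $path -> $target"
                    status=1 ;;
            esac
            # -e follows the link, so this catches a symlink whose archive
            # file has been deleted or renamed.
            if [ ! -e "$path" ]; then
                echo "DANGLING $path -> $target"
                status=1
            fi
        fi
    done
    return $status
}

check_all() {
    root=${1:-/etc/letsencrypt/live}
    bad=0
    for d in "$root"/*/; do
        [ -d "$d" ] || continue          # skip the README and an empty glob
        check_lineage "${d%/}" || bad=$((bad + 1))
    done
    echo "$bad"
}
```

The script only reads the directory; repairing a lineage means recreating the symlinks so they point at the newest cert1.pem/chain1.pem/fullchain1.pem/privkey1.pem set in the archive directory, which is what Certbot would have left there itself.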
/etc/letsencrypt/
├── accounts
│   └── acme-v02.api.letsencrypt.org
│       └── directory
│           └── 0e3b941071acbb8ea040a007a83b3f56
│               ├── meta.json
│               ├── private_key.json
│               └── regr.json
├── archive
│   ├── ventsy.com
│   │   ├── cert1.pem
│   │   ├── chain1.pem
│   │   ├── fullchain1.pem
│   │   └── privkey1.pem
│   └── www.ventsy.com
│       ├── cert1.pem
│       ├── chain1.pem
│       ├── fullchain1.pem
│       └── privkey1.pem
├── cli.ini
├── csr
│   ├── 0000_csr-certbot.pem
│   ├── 0001_csr-certbot.pem
│   ├── 0002_csr-certbot.pem
│   ├── 0003_csr-certbot.pem
│   ├── 0004_csr-certbot.pem
│   ├── 0005_csr-certbot.pem
│   ├── 0006_csr-certbot.pem
│   ├── 0007_csr-certbot.pem
│   ├── 0008_csr-certbot.pem
│   └── 0009_csr-certbot.pem
├── keys
│   ├── 0000_key-certbot.pem
│   ├── 0001_key-certbot.pem
│   ├── 0002_key-certbot.pem
│   ├── 0003_key-certbot.pem
│   ├── 0004_key-certbot.pem
│   ├── 0005_key-certbot.pem
│   ├── 0006_key-certbot.pem
│   ├── 0007_key-certbot.pem
│   ├── 0008_key-certbot.pem
│   └── 0009_key-certbot.pem
├── live
│   ├── README
│   ├── ventsy.com
│   │   ├── cert.pem
│   │   ├── chain.pem
│   │   ├── fullchain.pem
│   │   ├── privkey.pem
│   │   └── README
│   └── www.ventsy.com
│       ├── cert.pem -> ../../archive/www.ventsy.com/cert1.pem
│       ├── chain.pem -> ../../archive/www.ventsy.com/chain1.pem
│       ├── fullchain.pem -> ../../archive/www.ventsy.com/fullchain1.pem
│       ├── privkey.pem -> ../../archive/www.ventsy.com/privkey1.pem
│       └── README
├── renewal
│   ├── ventsy.com.conf
│   └── www.ventsy.com.conf
└── renewal-hooks
    ├── deploy
    ├── post
    └── pre

All I did was run
sudo certbot certonly --manual --preferred-challenges dns -d www.ventsy.com

I think I also ran same but ventsy.com (without the www) or maybe with both domains at the same time (2 -d options) but if I remember correctly, I got errors on that one.

I haven't touched anything since, I certainly haven't messed with the links...

I've been reading the documentation, and it seems to suggest that cert renewal in manual mode requires an authorization script. Since I don't have a way to do that, I would have to go through the challenges as if I was getting a new cert.

I was hoping that the renew can re-use the challenges from when the cert was issued. Those DNS records are still there.

Is that not the case?

This is not how it should be. Those should be symlinks.

More investigation is needed to correct this. If you know who/why edited these files, it can be helpful.

Did you use manual mode before?

3 Likes

Yeah. I use manual mode because GoDaddy doesn't support Let's Encrypt (or rather they don't want to).

No one edited them. I'm the only one who uses this machine, and I haven't done it.

So you're not running certbot on your webserver?

Ok, you know how to renew certificates manually. You might want to search for CertSage (on this forum).

The symlinks issue is still there, though.

That's spooky.

3 Likes

Not sure that I do. Seems certbot renew --manual doesn't really work (see error messages in original post). Even if the link issue wasn't present, it seems I can only renew with authentication script.

So it seems I need to basically request a new cert every time and go through the authentication process?

Yes. Unless you can write a script to perform the actions you're asked to do; that's --manual-auth-hook.

I mentioned CertSage because it's made with GoDaddy's limitations in mind, it could simplify things for you.

4 Likes
