cert is required but missing for this certificate
I'm running certbot in manual mode within a Debian 12 container that also runs nginx. The certificate was issued successfully and is currently valid, but the certbot renew command is failing. All of the symlinks, paths, and configuration look correct, so I'm not sure why certbot renew can't find the current certificate. nginx is working correctly, has loaded the certificate and is properly serving HTTPS traffic.
There are no other folders/domains in the live or archive folders.
I know the easy fix is to just remove the cert directories (or really the Docker volume they are stored on) and re-request the certs, but I'd like to figure out why the renewal is failing first, so I can prevent it in the future.
root@6c2c13ace383:/# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/appdev.planetiq.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate appdev.planetiq.io with error: cert is required but missing for this certificate.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/appdev.planetiq.io/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
root@6c2c13ace383:/# tail -n 100 /var/log/letsencrypt/letsencrypt.log
2024-01-17 14:47:23,071:DEBUG:certbot._internal.main:certbot version: 2.8.0
2024-01-17 14:47:23,072:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2024-01-17 14:47:23,072:DEBUG:certbot._internal.main:Arguments: []
2024-01-17 14:47:23,072:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#certbot-route53:auth,PluginEntryPoint#dns-route53,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-01-17 14:47:23,084:DEBUG:certbot._internal.log:Root logging level set at 30
2024-01-17 14:47:23,085:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/appdev.planetiq.io.conf
2024-01-17 14:47:23,088:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2024-01-17 14:47:23,091:DEBUG:certbot._internal.storage:No matches for target cert.
2024-01-17 14:47:23,091:ERROR:certbot._internal.renewal:Failed to renew certificate appdev.planetiq.io with error: cert is required but missing for this certificate.
2024-01-17 14:47:23,092:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/renewal.py", line 522, in handle_renewal_request
renewal_candidate.ensure_deployed()
File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/storage.py", line 870, in ensure_deployed
if self.has_pending_deployment():
File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/storage.py", line 890, in has_pending_deployment
raise errors.Error(f"{item} is required but missing for this certificate.")
certbot.errors.Error: cert is required but missing for this certificate.
2024-01-17 14:47:23,093:DEBUG:certbot._internal.display.obj:Notifying user:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-01-17 14:47:23,093:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed:
2024-01-17 14:47:23,094:ERROR:certbot._internal.renewal: /etc/letsencrypt/live/appdev.planetiq.io/fullchain.pem (failure)
2024-01-17 14:47:23,094:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-01-17 14:47:23,095:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/local/bin/certbot", line 8, in <module>
sys.exit(main())
File "/usr/local/lib/python3.9/dist-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/main.py", line 1869, in main
return config.func(config, plugins)
File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/main.py", line 1642, in renew
renewed_domains, failed_domains = renewal.handle_renewal_request(config)
File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/renewal.py", line 568, in handle_renewal_request
raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2024-01-17 14:47:23,095:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)
root@6c2c13ace383:/# ls -lah /etc/letsencrypt/
total 32K
drwxr-xr-x 7 root root 4.0K Jan 17 14:32 .
drwxr-xr-x 1 root root 4.0K Jan 16 21:48 ..
drwx------ 3 root root 4.0K Jun 29 2023 accounts
drwx------ 3 root root 4.0K Nov 21 14:48 archive
drwx------ 3 root root 4.0K Oct 18 21:39 live
drwxr-xr-x 2 root root 4.0K Nov 21 14:24 renewal
drwxr-xr-x 5 root root 4.0K Jun 29 2023 renewal-hooks
root@6c2c13ace383:/# ls -lah /etc/letsencrypt/archive/appdev.planetiq.io/
total 28K
drwxr-xr-x 2 root root 4.0K Nov 21 14:48 .
drwx------ 3 root root 4.0K Nov 21 14:48 ..
-rw-r--r-- 1 root root 1.5K Nov 21 14:24 cert.pem
-rw-r--r-- 1 root root 3.7K Nov 21 14:24 chain.pem
-rw-r--r-- 1 root root 5.2K Nov 21 14:24 fullchain.pem
-rw------- 1 root root 241 Nov 21 14:24 privkey.pem
root@6c2c13ace383:/# ls -lah /etc/letsencrypt/live/appdev.planetiq.io/
total 12K
drwxr-xr-x 2 root root 4.0K Nov 21 14:50 .
drwx------ 3 root root 4.0K Oct 18 21:39 ..
-rw-r--r-- 1 root root 692 Oct 18 21:32 README
lrwxrwxrwx 1 root root 41 Nov 21 14:50 cert.pem -> ../../archive/appdev.planetiq.io/cert.pem
lrwxrwxrwx 1 root root 42 Nov 21 14:50 chain.pem -> ../../archive/appdev.planetiq.io/chain.pem
lrwxrwxrwx 1 root root 46 Nov 21 14:50 fullchain.pem -> ../../archive/appdev.planetiq.io/fullchain.pem
lrwxrwxrwx 1 root root 44 Nov 21 14:50 privkey.pem -> ../../archive/appdev.planetiq.io/privkey.pem
root@6c2c13ace383:/# ls -lah /etc/letsencrypt/renewal
total 12K
drwxr-xr-x 2 root root 4.0K Nov 21 14:24 .
drwxr-xr-x 7 root root 4.0K Jan 17 14:32 ..
-rw-r--r-- 1 root root 634 Nov 21 14:24 appdev.planetiq.io.conf
root@6c2c13ace383:/# cat /etc/letsencrypt/renewal/appdev.planetiq.io.conf
# renew_before_expiry = 30 days
version = 2.6.0
archive_dir = /etc/letsencrypt/archive/appdev.planetiq.io
cert = /etc/letsencrypt/live/appdev.planetiq.io/cert.pem
privkey = /etc/letsencrypt/live/appdev.planetiq.io/privkey.pem
chain = /etc/letsencrypt/live/appdev.planetiq.io/chain.pem
fullchain = /etc/letsencrypt/live/appdev.planetiq.io/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = [redacted]
authenticator = webroot
webroot_path = /var/www/certbot,
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
[[webroot_map]]
appdev.planetiq.io = /var/www/certbot
My domain is: appdev.planetiq.io
I ran this command:
certbot renew
My web server is (include version): nginx v1.18.0
The operating system my web server runs on is (include version): Debian Bullseye
My hosting provider, if applicable, is: AWS
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.8.0
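
An added example, not part of the original post and not certbot's own code: the debug log above reports "No matches for target cert." while the live symlinks point at archive files named cert.pem, chain.pem and so on, whereas certbot writes archive files with a version number (cert1.pem, privkey1.pem, ...). The check below walks each live symlink and reports targets that are missing, outside the archive directory, or unversioned; the function names, the sample domains and the regex (an assumption modelled on that naming convention) are hypothetical.

```python
import os
import re
import tempfile

KINDS = ("cert", "privkey", "chain", "fullchain")

def check_lineage(live_dir, archive_dir):
    """Return the problems found in one lineage's live symlinks (hypothetical helper)."""
    problems = []
    for kind in KINDS:
        link = os.path.join(live_dir, kind + ".pem")
        if not os.path.islink(link):
            problems.append(f"{kind}: {link} is not a symlink")
            continue
        # Resolve a relative target against the live directory, as the OS would.
        target = os.path.normpath(os.path.join(live_dir, os.readlink(link)))
        name = os.path.basename(target)
        if not os.path.isfile(target):
            problems.append(f"{kind}: target {target} does not exist")
        elif os.path.dirname(target) != os.path.normpath(archive_dir):
            problems.append(f"{kind}: target {target} is outside archive_dir")
        elif not re.match(rf"^{kind}([0-9]+)\.pem$", name):
            # Assumed convention: archive files are named <kind><N>.pem.
            problems.append(f"{kind}: target {name} has no version number")
    return problems

def build_sample(root, domain, suffix):
    """Constructed tree: empty archive files <kind><suffix>.pem plus live symlinks."""
    archive = os.path.join(root, "archive", domain)
    live = os.path.join(root, "live", domain)
    os.makedirs(archive)
    os.makedirs(live)
    for kind in KINDS:
        fname = f"{kind}{suffix}.pem"
        open(os.path.join(archive, fname), "w").close()
        os.symlink(os.path.join("..", "..", "archive", domain, fname),
                   os.path.join(live, kind + ".pem"))
    return live, archive

def demo():
    """Check one tree shaped like the listing in the post and one versioned tree."""
    with tempfile.TemporaryDirectory() as root:
        unversioned = check_lineage(*build_sample(root, "unversioned.example", ""))
        versioned = check_lineage(*build_sample(root, "versioned.example", "1"))
    return unversioned, versioned

if __name__ == "__main__":
    for label, found in zip(("unversioned", "versioned"), demo()):
        print(label, found or "ok")
```

On a real host, `check_lineage` takes the live directory and the `archive_dir` value from the renewal configuration file.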