Renewal - Cert is required but missing for this certificate - All config looks correct

cert is required but missing for this certificate

I'm running certbot in manual mode within a Debian 12 container that also runs nginx. The certificate was issued successfully and is currently valid, but the certbot renew command is failing. All of the symlinks, paths, and configuration look correct, so I'm not sure why certbot renew can't find the current certificate. nginx is working correctly, has loaded the certificate and is properly serving HTTPS traffic.

There are no other folders/domains in the live or archive folders.

I know the easy fix is to just remove the cert directories (or really the Docker volume they are stored on) and re-request the certs, but I'd like to figure out why the renewal is failing first, so I can prevent it in the future.

root@6c2c13ace383:/# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/appdev.planetiq.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate appdev.planetiq.io with error: cert is required but missing for this certificate.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/appdev.planetiq.io/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
root@6c2c13ace383:/# tail -n 100  /var/log/letsencrypt/letsencrypt.log
2024-01-17 14:47:23,071:DEBUG:certbot._internal.main:certbot version: 2.8.0
2024-01-17 14:47:23,072:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2024-01-17 14:47:23,072:DEBUG:certbot._internal.main:Arguments: []
2024-01-17 14:47:23,072:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#certbot-route53:auth,PluginEntryPoint#dns-route53,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-01-17 14:47:23,084:DEBUG:certbot._internal.log:Root logging level set at 30
2024-01-17 14:47:23,085:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/appdev.planetiq.io.conf
2024-01-17 14:47:23,088:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2024-01-17 14:47:23,091:DEBUG:certbot._internal.storage:No matches for target cert.
2024-01-17 14:47:23,091:ERROR:certbot._internal.renewal:Failed to renew certificate appdev.planetiq.io with error: cert is required but missing for this certificate.
2024-01-17 14:47:23,092:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/renewal.py", line 522, in handle_renewal_request
    renewal_candidate.ensure_deployed()
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/storage.py", line 870, in ensure_deployed
    if self.has_pending_deployment():
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/storage.py", line 890, in has_pending_deployment
    raise errors.Error(f"{item} is required but missing for this certificate.")
certbot.errors.Error: cert is required but missing for this certificate.

2024-01-17 14:47:23,093:DEBUG:certbot._internal.display.obj:Notifying user:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-01-17 14:47:23,093:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed:
2024-01-17 14:47:23,094:ERROR:certbot._internal.renewal:  /etc/letsencrypt/live/appdev.planetiq.io/fullchain.pem (failure)
2024-01-17 14:47:23,094:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-01-17 14:47:23,095:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/dist-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/main.py", line 1869, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/main.py", line 1642, in renew
    renewed_domains, failed_domains = renewal.handle_renewal_request(config)
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/renewal.py", line 568, in handle_renewal_request
    raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2024-01-17 14:47:23,095:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)
root@6c2c13ace383:/# ls -lah /etc/letsencrypt/
total 32K
drwxr-xr-x 7 root root 4.0K Jan 17 14:32 .
drwxr-xr-x 1 root root 4.0K Jan 16 21:48 ..
drwx------ 3 root root 4.0K Jun 29  2023 accounts
drwx------ 3 root root 4.0K Nov 21 14:48 archive
drwx------ 3 root root 4.0K Oct 18 21:39 live
drwxr-xr-x 2 root root 4.0K Nov 21 14:24 renewal
drwxr-xr-x 5 root root 4.0K Jun 29  2023 renewal-hooks
root@6c2c13ace383:/# ls -lah /etc/letsencrypt/archive/appdev.planetiq.io/
total 28K
drwxr-xr-x 2 root root 4.0K Nov 21 14:48 .
drwx------ 3 root root 4.0K Nov 21 14:48 ..
-rw-r--r-- 1 root root 1.5K Nov 21 14:24 cert.pem
-rw-r--r-- 1 root root 3.7K Nov 21 14:24 chain.pem
-rw-r--r-- 1 root root 5.2K Nov 21 14:24 fullchain.pem
-rw------- 1 root root  241 Nov 21 14:24 privkey.pem
root@6c2c13ace383:/# ls -lah /etc/letsencrypt/live/appdev.planetiq.io/
total 12K
drwxr-xr-x 2 root root 4.0K Nov 21 14:50 .
drwx------ 3 root root 4.0K Oct 18 21:39 ..
-rw-r--r-- 1 root root  692 Oct 18 21:32 README
lrwxrwxrwx 1 root root   41 Nov 21 14:50 cert.pem -> ../../archive/appdev.planetiq.io/cert.pem
lrwxrwxrwx 1 root root   42 Nov 21 14:50 chain.pem -> ../../archive/appdev.planetiq.io/chain.pem
lrwxrwxrwx 1 root root   46 Nov 21 14:50 fullchain.pem -> ../../archive/appdev.planetiq.io/fullchain.pem
lrwxrwxrwx 1 root root   44 Nov 21 14:50 privkey.pem -> ../../archive/appdev.planetiq.io/privkey.pem
root@6c2c13ace383:/# ls -lah /etc/letsencrypt/renewal
total 12K
drwxr-xr-x 2 root root 4.0K Nov 21 14:24 .
drwxr-xr-x 7 root root 4.0K Jan 17 14:32 ..
-rw-r--r-- 1 root root  634 Nov 21 14:24 appdev.planetiq.io.conf
root@6c2c13ace383:/# cat /etc/letsencrypt/renewal/appdev.planetiq.io.conf
# renew_before_expiry = 30 days
version = 2.6.0
archive_dir = /etc/letsencrypt/archive/appdev.planetiq.io
cert = /etc/letsencrypt/live/appdev.planetiq.io/cert.pem
privkey = /etc/letsencrypt/live/appdev.planetiq.io/privkey.pem
chain = /etc/letsencrypt/live/appdev.planetiq.io/chain.pem
fullchain = /etc/letsencrypt/live/appdev.planetiq.io/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = [redacted]
authenticator = webroot
webroot_path = /var/www/certbot,
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
[[webroot_map]]
appdev.planetiq.io = /var/www/certbot

My domain is: appdev.planetiq.io

I ran this command:
certbot renew

My web server is (include version): nginx v1.18.0

The operating system my web server runs on is (include version): Debian Bullseye

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.8.0

Certbot expects the files in the /archive/ directory to be postfixed with numbers, e.g. cert1.pem. Somehow your numbers got removed, probably a manual action by someone.

If you rename all the four files in the /archive/appdev.planetiq.io/ directory to the corresponding filename, but with a 1 behind it (e.g. cert.pem -> cert1.pem) and also update the symlinks in the /live/appdev.planetiq.io/ directory to match their targets, your Certbot should be fixed again.

Please don't manually update the files in the /archive/ and/or /live/ directory in the future :slight_smile:

3 Likes

@Osiris Thanks for the reply.

I haven't manually named or renamed any files. The command that was used to originally request the certificates was

certbot certonly --webroot --webroot-path /var/www/certbot/ --non-interactive \
  -m admin@ourcompany.com --agree-tos  -d appdev.planetiq.io -v

I will try appending a 1 to the cert names. I assume I will also have to manually update the paths in /etc/letsencrypt/renewal/appdev.planetiq.io.conf as well?

---- update -----
Thanks!
Renaming the files in archive, re-creating the symlinks in live and updating the paths in renewal/...conf fixed the issue. Not sure why those files were created without the postfix #. I'm 99% positive no manual edits were made since the filenames without the postfix were also present in the renew configuration.

1 Like
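
A pre-renewal check for the layout rule described in the thread above, as an added example that is not part of the original posts or Certbot's own code: every entry in live/ must be a symlink to an existing archive file whose name carries a numeric suffix (e.g. cert1.pem). The helper `make_lineage` and the `broken.example` / `fixed.example` names are constructed for the demonstration.

```python
import os
import re
import tempfile

KINDS = ("cert", "privkey", "chain", "fullchain")


def check_lineage(live_dir):
    """Return {kind: problem} for each live/ entry that is not a symlink
    to an existing, numbered archive file such as cert1.pem."""
    problems = {}
    for kind in KINDS:
        link = os.path.join(live_dir, kind + ".pem")
        if not os.path.islink(link):
            problems[kind] = "not a symlink"
            continue
        # Resolve a relative target (../../archive/...) against live_dir.
        target = os.path.normpath(os.path.join(live_dir, os.readlink(link)))
        name = os.path.basename(target)
        if not os.path.exists(target):
            problems[kind] = "dangling symlink -> " + target
        elif not re.fullmatch(kind + r"[0-9]+\.pem", name):
            problems[kind] = "target has no numeric suffix: " + name
    return problems


def make_lineage(root, name, suffix):
    """Build a constructed lineage under root (demo helper).
    suffix="" reproduces the un-numbered layout shown in the thread."""
    archive = os.path.join(root, "archive", name)
    live = os.path.join(root, "live", name)
    os.makedirs(archive)
    os.makedirs(live)
    for kind in KINDS:
        fname = f"{kind}{suffix}.pem"
        open(os.path.join(archive, fname), "w").close()
        os.symlink(os.path.join("..", "..", "archive", name, fname),
                   os.path.join(live, kind + ".pem"))
    return live


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for name, suffix in (("broken.example", ""), ("fixed.example", "1")):
            live = make_lineage(root, name, suffix)
            print(name, check_lineage(live) or "OK")
```

On a real host, call `check_lineage("/etc/letsencrypt/live/<domain>")` before the scheduled renewal so a broken layout is caught while the current certificate is still valid.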
