Renewal configuration file broken

My domain is: piquiz.co.in

I ran this command: sudo certbot renew --dry-run

It produced this output:
Renewal configuration file /etc/letsencrypt/renewal/piquiz.co.in-0001.conf is broken.
The error was: expected /etc/letsencrypt/live/piquiz.co.in-0001/cert.pem to be a symlink
Skipping.

My web server is (include version): Apache Tomcat

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: godaddy

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

additional info:
In the /etc/letsencrypt/renewal folder I have:
-- /piquiz.co.in-0001.conf
-- /piquiz.co.in-0002.conf
-- //piquiz.co.in.conf

How to overcome this issue? I have also assigned scheduling-based auto renewal. Kindly give your suggestions, thank you.

What happened to the symbolic links in /etc/letsencrypt/live/piquiz.co.in-0001/?

In the live folder, only the piquiz.co.in folder is present.

Where did the other directories go?

1 Like

Hi, thank you for your reply :)

Actually, our problem: I have only one domain, piquiz.co.in, but unfortunately when I ran SSL, it created 001 and 002 folders, so I thought they were wrongly generated and deleted those files.

Our request is how to solve this problem. Now we need our Let's Encrypt to call only piquiz.co.in and generate or validate SSL. Kindly give your suggestion!

Thank you

1 Like

You should not manually modify or remove files in /etc/letsencrypt/ directory.

Now that you did already though, you probably should remove the corresponding renewal configuration files too (and keep the one you need to use).

2 Likes
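The check behind the advice above, as an added example that is not part of the original thread and not Certbot's own code: a read-only shell function that lists renewal configuration files whose cert, privkey, chain or fullchain entries no longer point at a symlink under live/. The function names and the example.test sample tree are constructed for illustration; on a real host the directory to pass is /etc/letsencrypt/renewal.

```sh
#!/bin/sh
# Added example (not Certbot code): read-only audit of renewal configs.

# audit_renewal_dir RENEWAL_DIR
# Prints "BROKEN <conf> <key> <path>" for each cert/privkey/chain/fullchain
# entry that is not a symlink to an existing file. Returns 1 if any is found.
audit_renewal_dir() {
    renewal_dir=$1
    status=0
    for conf in "$renewal_dir"/*.conf; do
        [ -e "$conf" ] || continue    # directory holds no .conf files
        for key in cert privkey chain fullchain; do
            # Top-level "key = /path" line of the renewal config.
            path=$(sed -n "s/^${key}[[:space:]]*=[[:space:]]*//p" "$conf" | head -n 1)
            if [ -z "$path" ]; then
                echo "BROKEN $conf $key (no entry)"
                status=1
            elif [ ! -L "$path" ] || [ ! -e "$path" ]; then
                echo "BROKEN $conf $key $path"
                status=1
            fi
        done
    done
    return "$status"
}

# Constructed sample tree (assumption, not the poster's files): one intact
# lineage and one "-0001" lineage whose live/ directory was deleted by hand.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/renewal" "$root/live/example.test" "$root/archive/example.test"
    for key in cert privkey chain fullchain; do
        : > "$root/archive/example.test/${key}1.pem"
        ln -s "../../archive/example.test/${key}1.pem" "$root/live/example.test/$key.pem"
        echo "$key = $root/live/example.test/$key.pem" >> "$root/renewal/example.test.conf"
        echo "$key = $root/live/example.test-0001/$key.pem" >> "$root/renewal/example.test-0001.conf"
    done
    echo "$root"
}

sample=$(make_sample)
audit_renewal_dir "$sample/renewal" || echo "orphaned renewal configs found"
rm -rf "$sample"
```

Every file it reports corresponds to a lineage that `certbot renew` will skip with the "expected ... to be a symlink" error shown in this thread.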

Okay, thank you so much.
May I know how these 001 and 002 were automatically created, and how to stop that?

1 Like

Usually those get created when you changed the list of domain names that were used previously.

Would you show output of this command?

sudo certbot certificates

And show the Certbot command you used which created the -0001 profile?

2 Likes

And usually this was when using ancient versions of Certbot. OP did not mention the version unfortunately. But looking at Ubuntu 18.04 OP might be running such an ancient version.

2 Likes

They also have a serious problem with their renewal process. They are getting a fresh cert almost every day. The only reason they don't get more is because of Let's Encrypt Rate Limits.

@Amburose Please review your renewal process. We will help you. Please start by showing the output of certbot certificates as I showed earlier.

Also, show the output of certbot --version

3 Likes

Hi, first of all, thank you for your help.

Our certbot version: "certbot 2.11.0"

certbot certificates results:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/piquiz.co.in-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/piquiz.co.in-0001/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/piquiz.co.in-0002.conf produced an unexpected error: expected /etc/letsencrypt/live/piquiz.co.in-0002/cert.pem to be a symlink. Skipping.


Found the following certs:

Certificate Name: piquiz.co.in
Serial Number: 307aaaa5e624aaaab2ab092aaaa9f0aaaa
Key Type: ECDSA
Domains: piquiz.co.in
Expiry Date: 2024-03-28 03:34:44+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/piquiz.co.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/piquiz.co.in/privkey.pem

Certificate Name: www.pi3ddecor.com
Serial Number: 432102faaaa00f9ceaaaa194036b7bbba1
Key Type: ECDSA
Domains: piquiz.co.in pi3ddecor.com www.pi3ddecor.com www.piquiz.co.in
Expiry Date: 2024-08-21 06:21:23+00:00 (VALID: 39 days)
Certificate Path: /etc/letsencrypt/live/www.pi3ddecor.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.pi3ddecor.com/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/piquiz.co.in-0001.conf
/etc/letsencrypt/renewal/piquiz.co.in-0002.conf

Kindly look and give suggestions :)
pi3ddecor is another domain; it works well.

1 Like

Hmmm. You have a lot of problems.

First, you should delete these two .conf files. You manually deleted the files related to them and it is now easier to delete only those two .conf files.

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/piquiz.co.in-0001.conf
/etc/letsencrypt/renewal/piquiz.co.in-0002.conf

I edited your post to highlight your two other cert profiles.

The first one named piquiz.co.in only has one domain name in it. And, that domain name (and its www subdomain) are also in the second cert named www.pi3ddecor.com.

So, you don't need that first cert and could just change your Apache to use that one.

But, WARNING, your domain pi3ddecor.com doesn't use that second cert either. It uses a different cert that we don't even see in that list.

I also see you have certs with just the preintelligence basename and www subdomains but let's leave that issue for later. They don't show in your list either.

How did you make the cert with 6 domain names in it? This is the one CURRENTLY used by your pi3ddecor.com and preintelligence.com domains. The highlights of this cert are below. See details here: crt.sh | 13155908665

subject=CN = piquiz.co.in
issuer=C = US, O = Let's Encrypt, CN = R3
notBefore=May 23 06:21:24 2024 GMT
notAfter=Aug 21 06:21:23 2024 GMT

SANs:
pi3ddecor.com
piquiz.co.in
preintelligence.com
www.pi3ddecor.com
www.piquiz.co.in
www.preintelligence.com

5 Likes

Really great, all!!! Actually, I have faced this problem for the last 6 months and tried so many ways. Finally I understood your point :)

Thank you so much!!!
"Helping people without expectation, it's really worth it :)"

"How did you make the cert with 6 domain names in it?" I don't have any idea how I created that; I had simply searched the internet and used the command.

Our crontab file is:

# m h dom mon dow command

45 2 * * 6 cd /etc/letsencrypt/ && ./cerbot-auto renew && /etc/init.d/apache2 restart

Your suggestions are always welcome :)

1 Like

We need to find that cert with 6 domain names in it. That is your active cert and is not shown by Certbot.

Would you show output of this? I am pretty sure this works for Tomcat the same as "regular" Apache.

sudo apache2ctl -t -D DUMP_VHOSTS

Also, the certbot-auto script was deprecated a very long time ago. And, those crontab options are a poor choice. It only runs once per week.

You get a cert nearly every day for one of your domains so something else must also be requesting certs.

I'm not sure I have enough time to work through all your problems. I think you should consult with an Apache Tomcat / Ubuntu server admin specialist. Your Ubuntu needs updating anyway as it is no longer a supported version.

I can help you find where these other certs are being created. But, I doubt I will have enough time to work through all of your problems one post at a time.

There are some paid consultants which might be better given the scope of your problems. See

2 Likes
