Renewal configuration file broken

My domain is:

mort11.org

I ran this command:

sudo certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mort11.org-0001.conf
-------------------------------------------------------------------------------
expected /etc/letsencrypt/live/mort11.org-0001/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/mort11.org-0001.conf is broken. Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mort11.org.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for mort11.org
tls-sni-01 challenge for alumni.mort11.org
tls-sni-01 challenge for dev.mort11.org
tls-sni-01 challenge for gitlab.mort11.org
tls-sni-01 challenge for mort11.com
tls-sni-01 challenge for orders.mort11.org
tls-sni-01 challenge for shop.mort11.org
tls-sni-01 challenge for webcast.mort11.org
tls-sni-01 challenge for wiki.mort11.org
tls-sni-01 challenge for www.mort11.com
tls-sni-01 challenge for www.mort11.org
nginx: [warn] conflicting server name "mort11.org" on 0.0.0.0:443, ignored
Waiting for verification...
Cleaning up challenges
nginx: [warn] conflicting server name "mort11.org" on 0.0.0.0:443, ignored
Attempting to renew cert (mort11.org) from /etc/letsencrypt/renewal/mort11.org.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: alumni.mort11.org,dev.mort11.org,gitlab.mort11.org,mort11.com,mort11.org,orders.mort11.org,shop.mort11.org,webcast.mort11.org,wiki.mort11.org,www.mort11.com,www.mort11.org. Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mort11.org-0002.conf
-------------------------------------------------------------------------------
expected /etc/letsencrypt/live/mort11.org-0002/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/mort11.org-0002.conf is broken. Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mort11.org-0003.conf
-------------------------------------------------------------------------------
expected /etc/letsencrypt/live/mort11.org-0003/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/mort11.org-0003.conf is broken. Skipping.

All renewal attempts failed. The following certs could not be renewed    :
/etc/letsencrypt/live/mort11.org/fullchain.pem (failure)

Additionally, the following renewal configuration files were invalid: 
  /etc/letsencrypt/renewal/mort11.org-0001.conf (parsefail)
  /etc/letsencrypt/renewal/mort11.org-0002.conf (parsefail)
  /etc/letsencrypt/renewal/mort11.org-0003.conf (parsefail)
1 renew failure(s), 3 parse failure(s)

My web server is (include version):

nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version):

Ubuntu 16.04.3 LTS

My hosting provider, if applicable, is:

DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

I have been using this for about a year now and never had any problems, but the certificate is going to expire, and when I went to renew it I got this error.

Hi @windyGiant,

Your renewal has succeeded more than once a day recently:

https://crt.sh/?Identity=%mort11.org&iCAID=16418

One problem that you may be encountering is that you apparently have several different overlapping certificates managed by Certbot. You can find out about these certificates by running certbot certificates.

However, it also looks like you’ve been tampering with the file structure in /etc/letsencrypt/live by moving or renaming things. Do you have a recollection of having done that? This may have broken some of your certificate lineages so that Certbot is no longer able to renew them.


As far as I know we have not touched anything in /etc/letsencrypt/live, but we have been doing some work on the site and something may have been changed accidentally.

When I ran certbot certificates, this is the output I got:

Renewal configuration file /etc/letsencrypt/renewal/mort11.org-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/mort11.org-0001/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/mort11.org-0002.conf produced an unexpected error: expected /etc/letsencrypt/live/mort11.org-0002/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/mort11.org-0003.conf produced an unexpected error: expected /etc/letsencrypt/live/mort11.org-0003/cert.pem to be a symlink. Skipping.


Found the following certs:
Certificate Name: mort11.org
Domains: mort11.org,alumni.mort11.org,dev.mort11.org,gitlab.mort11.org,mort11.com,orders.mort11.org,shop.mort11.org,webcast.mort11.org,wiki.mort11.org,www.mort11.com,www.mort11.org
Expiry Date: 2017-10-27 19:25:00+00:00 (VALID: 2 days)
Certificate Path: /etc/letsencrypt/live/mort11.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mort11.org/privkey.pem

The following renewal configuration files were invalid:
/etc/letsencrypt/renewal/mort11.org-0001.conf
/etc/letsencrypt/renewal/mort11.org-0002.conf
/etc/letsencrypt/renewal/mort11.org-0003.conf

I have no idea what this output means. I know very little about letsencrypt because the person who set it up is no longer available to help, and this is the first time something went wrong since they left.

This sounds like someone tried to restore a backup or transfer the configuration from one system to another using a backup method that doesn’t preserve symlink structure.


Maybe someone deleted old certificates from /etc/letsencrypt/live/ but not /etc/letsencrypt/renewal/? (Unless that produces a different error message.)

@windyGiant, could you run “ls -l /etc/letsencrypt/archive /etc/letsencrypt/live /etc/letsencrypt/live/mort11.org-0001 /etc/letsencrypt/renewal”?


This is the output I got when I ran that:

ls: cannot access ‘/etc/letsencrypt/live/mort11.org-0001’: No such file or directory
/etc/letsencrypt/archive:
total 16
drwxr-xr-x 2 root root 4096 Apr 7 2017 mort11.org
drwxr-xr-x 2 root root 4096 May 1 09:28 mort11.org-0001
drwxr-xr-x 2 root root 4096 May 1 15:44 mort11.org-0002
drwxr-xr-x 2 root root 4096 Jul 29 16:25 mort11.org-0003

/etc/letsencrypt/live:
total 4
drwxr-xr-x 2 root root 4096 Oct 24 00:38 mort11.org

/etc/letsencrypt/renewal:
total 20
-rw-r--r-- 1 root root 480 May 1 09:28 mort11.org-0001.conf
-rw-r--r-- 1 root root 480 May 1 15:44 mort11.org-0002.conf
-rw-r--r-- 1 root root 476 Jul 29 16:25 mort11.org-0003.conf
-rw-r--r-- 1 root root 455 Apr 7 2017 mort11.org.apr2017
-rw-r--r-- 1 root root 451 Oct 24 00:38 mort11.org.conf

How would I go about fixing the symlink structure?

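Added example (not part of any post in this thread, and not Certbot's own code): a read-only audit of the condition behind the "expected ... to be a symlink" error, checking that each of the four paths named in a renewal config is a symlink that resolves. It assumes the usual "key = path" lines in the renewal file; the function names and the sample tree, which mirrors the directory listing above with empty placeholder files, are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not Certbot code. Reports renewal configs whose live/ paths
# are not valid symlinks (the "expected ... to be a symlink" condition).

# check_conf CONF: print "ok" or the first problem found in that config.
check_conf() {
    local conf="$1" key path
    for key in cert privkey chain fullchain; do
        # Renewal configs carry lines like: cert = /.../live/NAME/cert.pem
        path=$(sed -n "s/^$key *= *//p" "$conf" | head -n 1)
        [ -n "$path" ] || { echo "no-entry:$key"; return 1; }
        [ -L "$path" ] || { echo "not-a-symlink:$key"; return 1; }
        [ -e "$path" ] || { echo "dangling-symlink:$key"; return 1; }
    done
    echo "ok"
}

# audit_renewal_dir DIR: one "file: status" line per *.conf file;
# returns non-zero if any config is broken.
audit_renewal_dir() {
    local dir="$1" conf status rc=0
    for conf in "$dir"/*.conf; do
        [ -e "$conf" ] || continue
        status=$(check_conf "$conf") || rc=1
        printf '%s: %s\n' "$(basename "$conf")" "$status"
    done
    return "$rc"
}

# build_sample ROOT: constructed tree mirroring the listing in the thread:
# four archive dirs and renewal configs, but live/ holds only mort11.org.
build_sample() {
    local root="$1" name f
    for name in mort11.org mort11.org-0001 mort11.org-0002 mort11.org-0003; do
        mkdir -p "$root/archive/$name" "$root/renewal"
        for f in cert privkey chain fullchain; do
            : > "$root/archive/$name/${f}1.pem"   # empty placeholder, not a real cert
            echo "$f = $root/live/$name/$f.pem"
        done > "$root/renewal/$name.conf"
    done
    mkdir -p "$root/live/mort11.org"
    for f in cert privkey chain fullchain; do
        ln -s "../../archive/mort11.org/${f}1.pem" "$root/live/mort11.org/$f.pem"
    done
}

SAMPLE_ROOT=$(mktemp -d)
build_sample "$SAMPLE_ROOT"
audit_renewal_dir "$SAMPLE_ROOT/renewal" || true
```

On a real host the same check would be run as root with audit_renewal_dir /etc/letsencrypt/renewal; it only reads the tree and changes nothing.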