Renewal configuration file ***.conf is broken. Skipping

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:gitlab2.west-coast.wales

I ran this command:sudo certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/gitlab2.west-coast.wales.conf


Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 67, in _reconstitute
renewal_candidate = storage.RenewableCert(full_path, config)
File "/usr/lib/python3/dist-packages/certbot/storage.py", line 463, in init
self._check_symlinks()
File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
"expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/gitlab2.west-coast.wales/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/gitlab2.west-coast.wales.conf is broken. Skipping.


No renewals were attempted.

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/gitlab2.west-coast.wales.conf (parsefail)


0 renew failure(s), 1 parse failure(s)

My web server is (include version):
nginx

The operating system my web server runs on is (include version):
Ubuntu 18.04.4 LTS

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 0.31.0

Question is: what happened to the symbolic link?

I have no idea, also the /etc/letsencrypt/live folder only holds a README file!

Also there have been no errors over the last 2 years with auto renewing every 2 months

That's very weird and warrants further inspection of why that directory is suddenly empty (except for the README).

Is the /archive/ directory still filled with the usual stuff?

No, that is empty as well!

Well, that's weird. My advice:

  • find out why those directories are suddenly empty, but /renewal/ isn't;
  • Retreive the contents of the empty directories from a recent backup.

Is there any option to re-install? We only backup user data not system files.

You can run certbot again as if it were a brand new certificate. That's the quickest option.

Thanks, I'll look that up and see how to do it.

If you don't remember all of the used configuration options, there are hints in the renewal configuration file. Such as the entry installer = apache would mean the apache installer plugin was used.

Ok, looks like mine is Nginx

All sorted now, the person who set this up has left the company and I hadn't realised certificate handling was inside gitlab itself! Updated gitlab to the latest version and it renewed the certificate itself. Thanks for your help Osiris, much appreciated.