Renewal error for my site


#1

I made a certificate at the end of november, set up my nginx conf and all was good. I created it using this command:

letsencrypt certonly --webroot -w /var/www/danbryg -d danbryg.dk -d www.danbryg.dk

Now I try to renew it but gets an error:

letsencrypt renew

Gives me:

Processing /etc/letsencrypt/renewal/danbryg.dk.conf
2017-02-27 19:33:19,708:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/danbryg.dk.conf produced an unexpected error: [Errno 2] No such file or directory: ‘/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/a407bb0337b6f4248177b21b2dc7ba87/private_key.json’. Skipping.

The directory is there but the private_key.json is missing.

How do I fix this?


#2

First, that’s very odd. Are the other files present (meta.json and regr.json)? Not that it matters, you really need private_key.json for your account to work.

I’m not sure what certbots inner workings are if you try to get a new certificate without using the renew command (i.e., just run the first command you posted again, perhaps to be sure with the --expand switch. Although you’re actually not expanding, this should prevent certbot from making a second directory for the same domain name.)
Perhaps it will generate a new account for you, perhaps it will give the same error as when renewing, I don’t know. We’ll find out when you try :wink:

Edit: My simple test seems to indicate certbot will generate a new account when issuing a new certificate. It’s just the renewal that won’t work, because the renewal configuration specifically points to the broken account. But I’m assuming the renewal configuration will be updated with the new account when you got your new certificate.


#3

Thanks for your reply :slight_smile:

Yes, the meta and regr files are there. Tried to get a new cert and it worked but no new private_key. Then I tried with the expand command and accepted to replace the new cert. That also succeeded but still no new private file for the a4 directory:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/danbryg.dk/fullchain.pem. Your cert will
    expire on 2017-05-28. To obtain a new version of the certificate in
    the future, simply run Let’s Encrypt again.
  • If you like Let’s Encrypt, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

You have new mail in /var/mail/root
root@h2 ~ #
root@h2 ~ # find /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/a407bb0337b6f4248177b21b2dc7ba87
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/a407bb0337b6f4248177b21b2dc7ba87/regr.json
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/a407bb0337b6f4248177b21b2dc7ba87/meta.json
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/f6a07992ea9cd5ca50d1f913d9e001ae
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/f6a07992ea9cd5ca50d1f913d9e001ae/private_key.json
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/f6a07992ea9cd5ca50d1f913d9e001ae/regr.json
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/f6a07992ea9cd5ca50d1f913d9e001ae/meta.json

Perhaps it is because there are another directory with a private file?

So… any idea on how to fix a broken account?


#4

Great!

Correct. It’s impossible to get that back. That’s why it’s called the private key: because it’s private, you’re the only one to have a copy. Unless you chose to, no-one has a copy, not even Let’s Encrypt.

Figure out where your private_key.json went. Files don’t go missing all of a sudden. Perhaps you nade a backup, like certbot should have adviced you? Without the original private_key.json, you can’t restore an account.


#5

That was it! Found it in a 2 month old backup. I guess I messed up a couple of months ago and created a new account so I now have two :-/

Thanks a lot for your help Osiris


#6

As long as you are staying below the rate limits, you might opt for issuing the cert again, but now with your old account and (backup and) delete the new one. That said, you can also opt for resetting the renewal configuration to the old account and just wait until the cert gets renewed again, this time with your old account. After which you can delete the new account.


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.