Renewal failure after server migration


#1

My domain is: homunity.com

I ran this command: sudo certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/preprodv2.homunity.com.conf


Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 64, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 439, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 498, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /opt/psa/var/modules/letsencrypt/etc/live/preprodv2.homunity.com/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/preprodv2.homunity.com.conf is broken. Skipping.


Processing /etc/letsencrypt/renewal/homunity.com.conf


Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 64, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 439, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 498, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /opt/psa/var/modules/letsencrypt/etc/live/homunity.com/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/homunity.com.conf is broken. Skipping.


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

No renewals were attempted.

Additionally, the following renewal configuration files were invalid:
/etc/letsencrypt/renewal/preprodv2.homunity.com.conf (parsefail)
/etc/letsencrypt/renewal/homunity.com.conf (parsefail)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


0 renew failure(s), 2 parse failure(s)

My web server is (include version): ubuntu 18.04

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Hi,

About one month ago I did a server migration for this website, copying the cert files over from the old to the new server. Now I just tried a dry run before setting the crontab, but the renewal fails. Can you help me out to get the renewal working again?

Thank you very much


#2

I tried dealing with the error message expected /opt/psa/var/modules/letsencrypt/etc/live/preprodv2.homunity.com/cert.pem to be a symlink by creating symlinks to the correct directories, but this did not work out. I don't understand what is going wrong. I did this on a test vhost, preprodv2. Here is the error message after that:

sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/preprodv2.homunity.com.conf


Attempting to renew cert (preprodv2.homunity.com) from /etc/letsencrypt/renewal/preprodv2.homunity.com.conf produced an unexpected error: '<' not supported between instances of 'NoneType' and 'NoneType'. Skipping.


Processing /etc/letsencrypt/renewal/homunity.com.conf


Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 64, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 439, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 498, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /opt/psa/var/modules/letsencrypt/etc/live/homunity.com/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/homunity.com.conf is broken. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/opt/psa/var/modules/letsencrypt/etc/live/preprodv2.homunity.com/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/opt/psa/var/modules/letsencrypt/etc/live/preprodv2.homunity.com/fullchain.pem (failure)

Additionally, the following renewal configuration files were invalid:
/etc/letsencrypt/renewal/homunity.com.conf (parsefail)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 1 parse failure(s)

Any help is much appreciated!


#3

certbot expects the files in the /live/${certname}/ directory to be symbolic links to their most recent counterparts in the /archive/${certname} directory.

If you run tree /etc/letsencrypt, it should look like this:

/etc/letsencrypt
├── accounts
│   └── acme-v02.api.letsencrypt.org
│       └── directory
│           └── ${account_ID}
│               ├── meta.json
│               ├── private_key.json
│               └── regr.json
├── archive
│   └── preprodv2.homunity.com
│       ├── cert1.pem
│       ├── cert2.pem
│       ├── cert3.pem
│       ├── chain1.pem
│       ├── chain2.pem
│       ├── chain3.pem
│       ├── fullchain1.pem
│       ├── fullchain2.pem
│       ├── fullchain3.pem
│       ├── privkey1.pem
│       ├── privkey2.pem
│       └── privkey3.pem
├── cli.ini
├── csr
│   ├── 0000_csr-certbot.pem
│   ├── 0001_csr-certbot.pem
│   └── XXXX_csr-certbot.pem
├── keys
│   ├── 0000_key-certbot.pem
│   ├── 0001_key-certbot.pem
│   └── XXXX_key-certbot.pem
├── live
│   └── preprodv2.homunity.com
│       ├── cert.pem -> ../../archive/preprodv2.homunity.com/cert3.pem
│       ├── chain.pem -> ../../archive/preprodv2.homunity.com/chain3.pem
│       ├── fullchain.pem -> ../../archive/preprodv2.homunity.com/fullchain3.pem
│       └── privkey.pem -> ../../archive/preprodv2.homunity.com/privkey3.pem
├── options-ssl-apache.conf
└── renewal
    └── preprodv2.homunity.com.conf

I see you’re using two separate directories in your log:

  • /opt/psa/var/modules/letsencrypt/etc/
  • /etc/letsencrypt/

Is this deliberate? Are the configuration files in /etc/letsencrypt/renewal/ linking to the files in /opt/psa/var/modules/letsencrypt/etc/live/?


#4

Thanks for your answer.

For the history: I migrated the website to a new server about a month ago. But the previous server was managed by Plesk. It seems that Plesk has its own way to manage vhost files, so the migration was a bit hard.

So having two folders is not deliberate; I just found out where the /etc/letsencrypt folder was on the Plesk server and copied it over via ssh.

I am checking what you told me.
The tree gives me this:

.
├── accounts
│   └── acme-v01.api.letsencrypt.org
│       └── directory
│           └── 5a62f7c3674458...
│               ├── meta.json
│               ├── private_key.json
│               └── regr.json
├── archive
│   ├── homunity.com
...
│   │   ├── cert16.pem
│   │   ├── cert1.pem
│   │   ├── cert9.pem
...
│   │   ├── chain16.pem
│   │   ├── chain1.pem
│   │   ├── chain9.pem
│   │   ├── fullchain16.pem
...
│   │   ├── fullchain9.pem
│   │   ├── privkey15.pem
│   │   ├── privkey16.pem
│   │   ├── privkey1.pem
...
│   │   └── privkey9.pem
│   ├── _plesk_domain
│   └── preprodv2.homunity.com
│       ├── cert10.pem
│       ├── cert1.pem
│       ├── cert2.pem
│       ├── cert3.pem
│       ├── cert4.pem
│       ├── cert5.pem
│       ├── cert6.pem
│       ├── cert7.pem
│       ├── cert8.pem
│       ├── cert9.pem
│       ├── chain10.pem
│       ├── chain1.pem
│       ├── chain2.pem
│       ├── chain3.pem
│       ├── chain4.pem
│       ├── chain5.pem
│       ├── chain6.pem
│       ├── chain7.pem
│       ├── chain8.pem
│       ├── chain9.pem
│       ├── fullchain10.pem
│       ├── fullchain1.pem
│       ├── fullchain2.pem
│       ├── fullchain3.pem
│       ├── fullchain4.pem
│       ├── fullchain5.pem
│       ├── fullchain6.pem
│       ├── fullchain7.pem
│       ├── fullchain8.pem
│       ├── fullchain9.pem
│       ├── privkey10.pem
│       ├── privkey1.pem
│       ├── privkey2.pem
│       ├── privkey3.pem
│       ├── privkey4.pem
│       ├── privkey5.pem
│       ├── privkey6.pem
│       ├── privkey7.pem
│       ├── privkey8.pem
│       └── privkey9.pem
├── cli.ini
├── csr
│   ├── 0000_csr-certbot.pem
│   ├── 0001_csr-certbot.pem
...
│   ├── 0008_csr-certbot.pem
│   └── 0009_csr-certbot.pem
├── keys
│   ├── 0000_key-certbot.pem
│   ├── 0001_key-certbot.pem
...
│   ├── 0008_key-certbot.pem
│   └── 0009_key-certbot.pem
├── live
│   ├── homunity.com
│   │   ├── cert.pem
│   │   ├── chain.pem
│   │   ├── fullchain.pem
│   │   ├── privkey.pem
│   │   └── README
│   ├── _plesk_domain
│   └── preprodv2.homunity.com
│       ├── cert.pem
│       ├── chain.pem
│       ├── fullchain.pem
│       ├── privkey.pem
│       └── README
├── renewal
│   ├── homunity.com.conf
│   └── preprodv2.homunity.com.conf
└── renewal-hooks
    ├── deploy
    ├── post
    └── pre

So, basically, these files in /etc/letsencrypt/live/ are not symbolic links as you said they should be… The current certificate is pointing to these files directly:

ls -l /etc/letsencrypt/live/
total 12
drwxr-xr-x 2 root root 4096 Oct 27 17:48 homunity.com
drwx------ 2 root root 4096 Nov  7 17:48 _plesk_domain
drwxr-xr-x 2 root root 4096 Oct 19 15:48 preprodv2.homunity.com
cat /etc/letsencrypt/renewal/preprodv2.homunity.com.conf 
# renew_before_expiry = 30 days
version = 0.8.1
cert = /opt/psa/var/modules/letsencrypt/etc/live/preprodv2.homunity.com/cert.pem
privkey = /opt/psa/var/modules/letsencrypt/etc/live/preprodv2.homunity.com/privkey.pem
chain = /opt/psa/var/modules/letsencrypt/etc/live/preprodv2.homunity.com/chain.pem
fullchain = /opt/psa/var/modules/letsencrypt/etc/live/preprodv2.homunity.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 5a62f7c367445812587159946f2ad551
work_dir = /opt/psa/var/modules/letsencrypt/lib
authenticator = letsencrypt-plesk:plesk
logs_dir = /opt/psa/var/modules/letsencrypt/logs
installer = letsencrypt-plesk:plesk
config_dir = /opt/psa/var/modules/letsencrypt/etc

This is the config file for renewal, and it seems that it points to /opt/psa/var/modules/letsencrypt/, which did not even exist. So yesterday, what I did was create symbolic links from the /etc/letsencrypt/live/preprodv2.homunity.com/*.pem files to /opt/psa/var/modules/letsencrypt/etc/live/preprodv2.homunity.com/, which it was complaining about.

Thanks for your help!


#5

I tried to recreate the symbolic links as you said they should be:

cert.pem -> ../../archive/preprodv2.homunity.com/cert10.pem

The certificate for preprodv2 seems to continue working, so this is good news! I tried renewing the certificate again, but get some more errors.

Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The requested letsencrypt-plesk:plesk plugin does not appear to be installed
Attempting to renew cert (preprodv2.homunity.com) from /etc/letsencrypt/renewal/preprodv2.homunity.com.conf produced an unexpected error: The requested letsencrypt-plesk:plesk plugin does not appear to be installed. Skipping.

So this is the config file I updated accordingly:

# renew_before_expiry = 30 days
version = 0.8.1
cert = /etc/letsencrypt/live/preprodv2.homunity.com/cert.pem
privkey = /etc/letsencrypt/live/preprodv2.homunity.com/privkey.pem
chain = /etc/letsencrypt/live/preprodv2.homunity.com/chain.pem
fullchain = /etc/letsencrypt/live/preprodv2.homunity.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 5a62f7c367445812587159946f2ad551
work_dir = /opt/psa/var/modules/letsencrypt/lib
authenticator = letsencrypt-plesk:plesk
logs_dir = /var/letsencrypt/logs
installer = letsencrypt-plesk:plesk
config_dir = /etc/letsencrypt/

What should authenticator = letsencrypt-plesk:plesk be? I found webroot and standalone and I don't know what to set. @Osiris, I tried nginx and it seems to work for the preprod vhost but fails later for the untouched domain. The dry run shows:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/preprodv2.homunity.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for preprodv2.homunity.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/preprodv2.homunity.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/homunity.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Do you confirm that what I did seems to be OK? Thank you!
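Posts #3 and #5 between them describe the two things certbot checks before it will renew: the live/ entries must be symlinks into archive/, and the renewal conf must name live files under the current config_dir and plugins that are actually installed. The script below is an added example written for this thread; it is not certbot's own code and nothing in it comes from the poster's server. It mirrors the symlink rule from the traceback and adds the conf checks, then runs itself over a constructed throwaway directory in which good.example is laid out correctly and broken.example is what copying a Plesk-managed tree over ssh leaves behind (plain files, a /opt/psa path in the conf, and letsencrypt-plesk:plesk plugins). The domain names, the dummy PEM contents and the assumed set of installed plugins are all constructed.

```python
"""Audit a certbot config directory: live symlinks, renewal conf paths, plugins.
Added example, not certbot's code; everything under build_demo() is constructed."""
import configparser
import os
import re
import tempfile
from pathlib import Path

LIVE_FILES = ("cert", "privkey", "chain", "fullchain")
ARCHIVE_RE = re.compile(r"^(cert|privkey|chain|fullchain)(\d+)\.pem$")
# Assumed plugins present on a plain certbot install; adjust to the real host.
DEFAULT_PLUGINS = frozenset({"nginx", "apache", "webroot", "standalone"})


def parse_renewal_conf(path):
    """Renewal files start with bare key = value lines before [renewalparams];
    configparser needs a section header, so a synthetic one is prepended."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[certbot]\n" + Path(path).read_text())
    params = dict(cp["renewalparams"]) if cp.has_section("renewalparams") else {}
    return {"files": dict(cp["certbot"]), "params": params}


def check_live_dir(config_dir, certname):
    """Same rule as certbot's _check_symlinks: each live/<name>/<kind>.pem must be
    a symlink to a numbered file of the same kind inside archive/<name>/."""
    problems = []
    live = Path(config_dir) / "live" / certname
    archive = (Path(config_dir) / "archive" / certname).resolve()
    for kind in LIVE_FILES:
        link = live / f"{kind}.pem"
        if not link.is_symlink():
            problems.append(f"expected {link} to be a symlink")
            continue
        # Targets are normally relative (../../archive/...), so resolve from the link's dir.
        target = (link.parent / os.readlink(link)).resolve()
        match = ARCHIVE_RE.match(target.name)
        if target.parent != archive or not match or match.group(1) != kind:
            problems.append(f"{link} -> {target} is not a {kind}N.pem in {archive}")
        elif not target.exists():
            problems.append(f"{link} -> {target} is a dangling symlink")
    return problems


def check_renewal_conf(config_dir, conf_path, installed_plugins):
    """The conf must point at live files under this config_dir (not a path
    inherited from the old server) and name plugins that are installed."""
    problems = []
    conf = parse_renewal_conf(conf_path)
    certname = Path(conf_path).name[: -len(".conf")]
    expected_live = Path(config_dir) / "live" / certname
    for kind in LIVE_FILES:
        declared = conf["files"].get(kind)
        if declared is None:
            problems.append(f"{kind} missing from {conf_path}")
        elif Path(declared).parent != expected_live:
            problems.append(f"{kind} points at {declared}, not under {expected_live}")
    for role in ("authenticator", "installer"):
        plugin = conf["params"].get(role)
        if plugin and plugin not in installed_plugins:
            problems.append(f"{role} {plugin} is not installed")
    return problems


def audit(config_dir, installed_plugins=DEFAULT_PLUGINS):
    """Run both checks for every renewal conf; returns {certname: [problems]}."""
    report = {}
    for conf in sorted((Path(config_dir) / "renewal").glob("*.conf")):
        certname = conf.name[: -len(".conf")]
        report[certname] = (check_live_dir(config_dir, certname)
                            + check_renewal_conf(config_dir, conf, installed_plugins))
    return report


def _write_conf(root, name, cfg_dir, authenticator, installer):
    live = Path(cfg_dir) / "live" / name
    lines = ["# renew_before_expiry = 30 days", "version = 0.8.1"]
    lines += [f"{kind} = {live / (kind + '.pem')}" for kind in LIVE_FILES]
    lines += ["", "# Options used in the renewal process", "[renewalparams]",
              f"authenticator = {authenticator}", f"installer = {installer}",
              f"config_dir = {cfg_dir}"]
    (root / "renewal" / f"{name}.conf").write_text("\n".join(lines) + "\n")


def build_demo():
    """Constructed fixture: good.example is laid out as certbot expects;
    broken.example is a plain copy plus a conf still pointing at the Plesk tree."""
    root = Path(tempfile.mkdtemp())
    (root / "renewal").mkdir()
    for name in ("good.example", "broken.example"):
        (root / "archive" / name).mkdir(parents=True)
        (root / "live" / name).mkdir(parents=True)
        for kind in LIVE_FILES:
            (root / "archive" / name / f"{kind}1.pem").write_text("dummy PEM\n")
    for kind in LIVE_FILES:
        os.symlink(f"../../archive/good.example/{kind}1.pem",
                   root / "live" / "good.example" / f"{kind}.pem")
        (root / "live" / "broken.example" / f"{kind}.pem").write_text("plain copy\n")
    _write_conf(root, "good.example", root, "nginx", "nginx")
    _write_conf(root, "broken.example", "/opt/psa/var/modules/letsencrypt/etc",
                "letsencrypt-plesk:plesk", "letsencrypt-plesk:plesk")
    return root


if __name__ == "__main__":
    for name, problems in audit(build_demo()).items():
        print(name, "OK" if not problems else f"{len(problems)} problem(s)")
        for p in problems:
            print("  -", p)
```

To run it against a real host, call audit("/etc/letsencrypt") instead of build_demo() and pass the plugins that certbot plugins lists on that machine; an empty list for a cert name means certbot's storage checks and the conf agree, which is the state posts #10 and #11 describe for preprodv2.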


#6

Hi @Choppy

Is there a Plesk? If yes, you shouldn't use certbot directly. Let Plesk do the job.

If you migrate, then it may be much easier to start over.

Install a new certbot and create a new certificate via command line.


#7

Hi @JuergenAuer,

No, there is no Plesk. I migrated last month from Plesk and copied the files to the new server. Certbot is installed and the certificate is running. But sudo certbot renew --dry-run fails.

Can I just create a new certificate and overwrite the old one? Will it not cause a conflict?

Thanks for your answer


#8

Copying files to a new environment without Plesk can't work. Plesk has its own way of managing Let's Encrypt certificates. So your renew configuration is wrong and can't work.

So your conf files expect Plesk stuff - but there is no Plesk stuff. Create completely new certificates (use the certonly option), so your old config isn't used anymore.

It’s impossible to say “that will work”. Test it, then you will see it. Before, create a backup.


#9

Well, we talked about that last time: https://community.letsencrypt.org/t/migration-from-plesk-server-to-new-one/78698

I managed to set the symlinks for preprodv2.homunity.com as I said and tried sudo certbot renew --dry-run, and for preprodv2.homunity.com I had no errors. The output is found above.


#10

@JuergenAuer It seems that the certificate has correctly been renewed for the preprod. Is there any way to confirm that? See the symbolic links (and datetime):

Dec 27 15:41 cert.pem -> /etc/letsencrypt/archive/preprodv2.homunity.com/cert11.pem
Dec 27 15:41 chain.pem -> /etc/letsencrypt/archive/preprodv2.homunity.com/chain11.pem
Dec 27 15:41 fullchain.pem -> /etc/letsencrypt/archive/preprodv2.homunity.com/fullchain11.pem
Dec 27 15:41 privkey.pem -> /etc/letsencrypt/archive/preprodv2.homunity.com/privkey11.pem


#11

That seems to be working fine, looking at the output.

You seem to have issued a cert for the domain successfully; the pre-SCT certificate is already logged: https://crt.sh/?id=1061151221 The "real" certificate should follow shortly in the CT log, but the one on your server is already the correct version.


#12

Thanks a lot @Osiris!
I managed to update the prod server too today and everything seems to be running as normal!