Seamless cert renewal procedure

My domain is:

I ran this command: sudo ./certbot-auto renew --debug

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Amazon Linux

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi–am running a production webserver with certbot-auto installed, getting ready to renew this week. The website was migrated to this server a few months ago, and the current cert was brought over in the migration intact (didn’t run certbot, in other words, just moved the files).

Am wondering if I can just run “sudo certbot-auto renew --debug” and expect it to work right. Can I do a dry run first and check?

Well, in this case, do you happen to copy .conf files under certbot??

(Since if not, it will not renew correctly)

(You probably would need to run the program in issuance mode and get a new cert)

Thank you

Yes! :smile:

What happens if you run "sudo certbot-auto renew --dry-run" or "sudo ./certbot-auto renew --dry-run"?

I tried the dry run renew tonight, please tell me what my server is trying to say here. It can’t find a module somewhere? How do I fix this?

[ec2-user@ip-172-31-10-63 ~]$ ./certbot-auto renew –dry-run
Requesting to rerun ./certbot-auto with root privileges...
Upgrading certbot-auto 0.22.0 to 0.23.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Traceback (most recent call last):
  File "/opt/", line 7, in <module>
from certbot.main import main
  File "/opt/                                                              .py", line 10, in <module>
import josepy as jose
  File "/opt/                                                    ", line 41, in <module>
from josepy.interfaces import JSONDeSerializable
  File "/opt/                                                    ", line 8, in <module>
from josepy import errors, util
  File "/opt/                                                              py", line 4, in <module>
import OpenSSL
  File "/opt/                                                    ", line 8, in <module>
from OpenSSL import rand, crypto, SSL
  File "/opt/                                                              .py", line 12, in <module>
from OpenSSL._util import (
  File "/opt/                                                    ", line 6, in <module>
from cryptography.hazmat.bindings.openssl.binding import Binding
ImportError: No module named cryptography.hazmat.bindings.openssl.binding

There are some binaries in /opt/ that probably don’t like being moved to a different server. You can safely rm -rf /opt/ and then rerun certbot-auto and it will recreate this directory for you.

Ah, thanks for the explanation.

I’ll give that a try today and report back. So after nuking the directory should I run the same exact command I did above?

sudo ./certbot-auto renew --dry-run

Yes, running any certbot command will regenerate that directory.

Well, the outcome wasn’t what I expected. First I ran:
sudo rm -rf /opt/
Then I ran:
sudo ./certbot-auto renew --dry-run
and the server said this:

            FATAL: Amazon Linux support is very experimental at present...
            if you would like to work on improving it, please ensure you have backups
            and then run this script again with the --debug flag!
            Alternatively, you can install OS dependencies yourself and run this script
            again with --no-bootstrap.

What do you suggest? This is a production server so I don’t want to cause any issues. The certificate expires on Saturday, I was hoping to renew it tonight but am unsure of the best way to proceed.

Well, I tried just reissuing the cert by running certbot and it failed. Here’s what I got in response:
[ec2-user@ip-172-31-10-63 ~]$ sudo ./certbot-auto --debug
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification...
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
  File "/opt/", line 11, in <module>
  File "/opt/", line 1266, in main
    return config.func(config, plugins)
  File "/opt/", line 1031, in run
    certname, lineage)
  File "/opt/", line 118, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/", line 374, in obtain_and_enroll_certificate
  File "/opt/", line 1014, in new_lineage
    "archive directory exists for " + lineagename)
CertStorageError: archive directory exists for
Please see the logfiles in /var/log/letsencrypt for more details.

What should I do to fix this?

Did you first remove all of the old /etc/letsencrypt, or only portions of it?

Or, when the

were only portions of /etc/letsencrypt copied, or were they copied in a way that doesn't preserve symbolic links?

Thanks for your suggestions. I finally solved this by removing the entire /etc/letsencrypt directory and then running certbot-auto. It took two tries, but the second time was the charm and I have a new 90-day cert. This time it might actually renew correctly, too! Is it as simple as setting up your server to automatically run certbot-auto renew on a regular basis?

Yes, we recommend running it twice per day. It only attempts to renew certificates when they're less than 30 days from expiry.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.