I was facing the same error as described in this post:
Whilst the error was similar, the root cause and solution are not. Since that thread is closed, I want to share an alternative possible root cause for this error, and what solved it for me. Just to avoid others having the same pain.
I’m running a Debian VM using VMware on Windows 10. I have linked up two domains to that Debian host. I successfully made my way through the certbot auto process and was happy to see both domains served up securely.
I was so delighted to have achieved this, that I decided to make a full backup of my VM to save this wonderful state of configuration. For this I needed to power off the machine. So I did, copied the VM files to a backup drive and then powered on the VM again.
To my surprise, Apache didn’t start. Whereas the post above mentions that for that person Apache did start, yet with errors, mine did not start and got a fatal error instead. The same error: certificate file is missing or empty.
I tried the solution in the post to set higher permissions on the archive dir, as well as the live dir, all to no avail. I tried to inspect the contents of the pem files, but strangely even a cat command told me these files do not exist, even from root privileges.
After doing a ls -lisa on the dir, I noticed the big mistake. These files are not files, they are links. And they were linking to files that do not exist. For example, cert.pem would link to archive/mydomain.com/cert2.pem.
Note the “2” in there! The actual file simply was cert.pem, so after editing the link for all the pem files, it worked again.
It is very well possible that at one point in time, I caused multiple cert files for the same domain. Maybe for the domain and the www subdomain? Maybe because my first attempt failed due to a port issue? I’m not sure what is the reason, but likely it was me.
What does bother me is that a perfectly running setup just breaks from a simple restart. It seems I’m not the only one:
What process can possibly alter a working setup upon a restart? Is it the auto renewal? Something Debian specific?
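Added example, not part of the original post: a POSIX shell check for the condition described above, where the .pem entries under the live dir are symlinks whose targets do not exist. The default path /etc/letsencrypt/live, the function name check_live_links and the example.test tree are assumptions; the demo tree is constructed.

```shell
#!/bin/sh
# Report symlinks under a certbot-style "live" directory whose targets are missing.
# Prints one line per dangling link, with same-name files that do exist beside the target.
# Returns 1 if any dangling link was found, 0 otherwise.
check_live_links() {
    live_dir=${1:-/etc/letsencrypt/live}   # assumed default location
    broken=0
    for link in "$live_dir"/*/*.pem; do
        # Skip an unexpanded glob and anything that is not a symlink.
        [ -L "$link" ] || continue
        # -e follows the link, so it is false when the target is missing.
        [ -e "$link" ] && continue
        broken=1
        target=$(readlink "$link")
        # Relative targets are resolved against the directory holding the link.
        case $target in
            /*) tdir=$(dirname "$target") ;;
            *)  tdir=$(dirname "$link")/$(dirname "$target") ;;
        esac
        # Look for files such as cert.pem or cert1.pem when the link wants cert2.pem.
        base=$(basename "$link" .pem)
        candidates=$(ls "$tdir" 2>/dev/null | grep "^${base}[0-9]*\.pem$" | paste -sd ' ' -)
        printf '%s -> %s (missing); same-name files present: %s\n' "$link" "$target" "${candidates:-none}"
    done
    return $broken
}

# Constructed demo tree reproducing the layout from the post (example.test is a placeholder).
demo=$(mktemp -d)
mkdir -p "$demo/archive/example.test" "$demo/live/example.test"
: > "$demo/archive/example.test/cert.pem"
ln -s ../../archive/example.test/cert2.pem "$demo/live/example.test/cert.pem"
check_live_links "$demo/live" || echo "dangling links found"
rm -rf "$demo"
```

Running it before and after a reboot or a renewal run shows whether the links changed between the two points in time.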