SSL Certificate files deleted. cannot create new: cert.pem does not exist or is empty


#1

My web server is (include version): Ubuntu 14

I can login to a root shell on my machine Yes

I accidentally deleted the folder with the cert files.

In the file webmail.domain-ssl.conf I have pointers to the pem files:
SSLCertificateFile /etc/letsencrypt/live/webmail.domain/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/webmail.domain/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/webmail.domain/chain.pem

When I run the command:
./letsencrypt-auto --apache -d mail.domain.dk
or ./letsencrypt-auto --apache certonly -d mail.domain.dk

I get the error:
AH00526: Syntax error on line 140 of /etc/apache2/sites-enabled/webmail.domain-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/webmail.domain/cert.pem' does not exist or is empty

I know it does not exist because I deleted it. I thought the above command would create new pem files in that dir.

How do I create new pem files???

Thanks
/Rasmus


#2

Hi @Trumf,

Your command is correct and it should be able to recreate new certificate files. However, the error is from Apache. Your Apache configuration is no longer valid because it refers to the deleted files. Here, Certbot needs to use Apache in order to obtain the new certificate, but it can’t because Apache can’t even start up due to this error.

If you haven’t modified the webmail.domain-ssl.conf file, the easiest way to fix this is to delete that file so that Apache (temporarily) no longer expects the certificate files to exist.

You should also be sure that the files in /etc/letsencrypt/archive, /etc/letsencrypt/live, and /etc/letsencrypt/renewal that correspond to the files you deleted are all removed. Otherwise, Certbot may be confused because the references in /etc/letsencrypt will be inconsistent.


#3

Hi @schoen

Thanks for answering so fast :slight_smile:

I deleted the .conf file and the files in /etc/letsencrypt/archive, /etc/letsencrypt/live, and /etc/letsencrypt/renewal.

Apache is running again. Great.

When I run the command:
./letsencrypt-auto --apache -d mail.domain.dk

It asks for which .conf file to use.
We were unable to find a vhost with a ServerName or Address of mail.domain.dk.
Which virtual host would you like to choose?

If I recreate the .conf file from before and run the command again, the first error comes back.


#4

OK, it did create the pem files even though it couldn't find the .conf/vhost.
Then I copied over the .conf and ran it again and everything seems OK.

But no mails are coming in, and if I run a test I get an error that SSL fails:
https://www.checktls.com/TestReceiver

seconds    test stage and result
[000.086]        Connected to server
[000.210]  <--   220 ESMTP Postfix
[000.211]        We are allowed to connect
[000.211]  -->   EHLO www6.CheckTLS.com
                 250-PIPELINING
                 250-SIZE 20971520
                 250-ETRN
                 250-STARTTLS
                 250-ENHANCEDSTATUSCODES
                 250-8BITMIME
                 250 DSN
[000.299]        We can use this server
[000.299]        TLS is an option on this server
[000.299]  -->   STARTTLS
[000.385]  <--   454 4.7.0 TLS not available due to local problem
[000.386]        STARTTLS command rejected
[000.386]  -->   MAIL FROM:<test@checktls.com>
[000.495]  <--   250 2.1.0 Ok
[000.496]        Sender is OK
[000.496]  -->   QUIT
[000.606]  <--   221 2.0.0 Bye


#5

Certbot expects your Apache to already have a virtual host listening to unencrypted HTTP on port 80 with the domains in question. It’s complaining that it couldn’t find one.


#6

In that case, there should be a log entry in your mail server’s logs describing what the local problem was.


#7

Hi Schoen

I did look at the log, but not closely enough.
I have two domains, one with a hyphen and one without. One is a ServerAlias.
In the log:
warning: TLS library problem: error:02001002:system library:fopen:No such file or directory:bss_file.c:169:fopen('/etc/letsencrypt/live/webmail.d-omain/chain.pem','r'):

and in my .conf I have:
SSLCertificateChainFile /etc/letsencrypt/live/webmail.domain/chain.pem

I realize this is not a letsencrypt problem. It is a configuration mismatch.
Somehow I have "told" the server that it should look for the pem file at /etc/letsencrypt/live/webmail.d-omain/chain.pem (with a hyphen) and it is actually located at /etc/letsencrypt/live/webmail.domain/chain.pem.

So how do I tell the server to look at the other path for the pem file?
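Both failures in this thread (Apache refusing to start in #1, Postfix answering 454 in #7) come down to a config that names a certificate file which is not on disk. The script below is an added example, not code from the thread or from Certbot: it pulls every certificate path out of an Apache vhost file or a Postfix main.cf and reports the ones that are missing or empty. The Apache directives and the Postfix parameters smtpd_tls_cert_file, smtpd_tls_key_file and smtpd_tls_CAfile are real; the sample vhost, the main.cf (the thread never shows the poster's own) and the placeholder PEM contents are constructed, and paths are assumed to contain no whitespace.

```shell
# Added example: find certificate references in Apache/Postfix config that
# point at missing or empty files, the condition behind AH00526 and
# "454 4.7.0 TLS not available due to local problem". Sample files below
# are constructed; they are not the poster's real configuration.
# check_cert_paths CONFIG: prints "OK path"/"MISSING path" per reference and
# returns 0 only if every referenced file exists and is non-empty.
check_cert_paths() {
    cfg=$1
    status=0
    for path in $(awk '
        $1 ~ /^SSLCertificate(File|KeyFile|ChainFile)$/ { print $2 }
        /^[ \t]*smtpd_tls_(cert_file|key_file|CAfile)[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print $1
        }' "$cfg"); do
        if [ -s "$path" ]; then
            echo "OK      $path"
        else
            echo "MISSING $path"
            status=1
        fi
    done
    return $status
}
# setup_demo: constructed scenario from the thread in a temp dir (printed on
# stdout): a correct vhost file, and a main.cf whose CAfile path carries the
# stray hyphen (webmail.d-omain) seen in the Postfix log.
setup_demo() {
    root=$(mktemp -d)
    live="$root/etc/letsencrypt/live/webmail.domain"
    mkdir -p "$live"
    for f in cert.pem privkey.pem chain.pem; do
        echo "constructed placeholder, not a real PEM" > "$live/$f"
    done
    cat > "$root/webmail.domain-ssl.conf" <<EOF
<VirtualHost *:443>
    SSLCertificateFile $live/cert.pem
    SSLCertificateKeyFile $live/privkey.pem
    SSLCertificateChainFile $live/chain.pem
</VirtualHost>
EOF
    cat > "$root/main.cf" <<EOF
smtpd_tls_cert_file = $live/cert.pem
smtpd_tls_key_file = $live/privkey.pem
smtpd_tls_CAfile = $root/etc/letsencrypt/live/webmail.d-omain/chain.pem
EOF
    echo "$root"
}
demo=$(setup_demo)
check_cert_paths "$demo/webmail.domain-ssl.conf"             # all OK
check_cert_paths "$demo/main.cf" || echo "fix main.cf first"  # one MISSING
rm -rf "$demo"
```

Run it against the real files (e.g. /etc/apache2/sites-enabled/*.conf and /etc/postfix/main.cf) before restarting either daemon; a MISSING line is the path to correct or the certificate to reissue.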


#8

If they’re in the same virtual host with a ServerAlias, you need to issue one single certificate covering both names (with two -d options for Certbot, for example). Apache doesn’t have a way to have multiple certificates for an individual virtual host.

Alternatively, you can split the virtual host into two separate virtual hosts (possibly with the same configuration except for the domain name itself), and then each one can refer to a different certificate on disk.


#9

Thanks schoen, you have been a great help.
Last issue solved by changing Postfix main.cf.

Great forum

Good day