Symlink seem to be pointing to wrong location

Hi All

I have a newish Ubuntu Server which has Lets encrypt installed for for Nginx. The cert has failed it's 1st renewal and whilst checking the files in the live folder I found the privkey.pem highlighted in red as it sees the file as missing

919080 lrwxrwxrwx 1 root root 43 Dec 28 09:05 cert.pem -> ../../archive/
919082 lrwxrwxrwx 1 root root 44 Dec 28 09:05 chain.pem -> ../../archive/
919083 lrwxrwxrwx 1 root root 48 Dec 28 09:05 fullchain.pem -> ../../archive/
919100 lrwxrwxrwx 1 root root 45 Dec 28 09:05 privkey.pem -> ../../archive/

I believe this is my issue and that the link should be pointing to the number 1 as the rest of the file ../../archive/

I am no good with symlinks so how would I get this to point to it's correct location


1 Like

Ok so worked out the symlink

ln -s ../../archive/ privkey.pem

Renewed ok but and ls -li of the directory shows it pointing to the wrong file again

privkey.pem -> ../../archive/

Anywhere I can correct this with our manual doing the gym,ink every 2 months or so?


1 Like

That's a new one. My first guess is it is related to permissions since it only affects the privkey and not the cert files

Are you running as root or using sudo certbot ?


Running as root as the server is not accessible to the net until we open the firewall so happy to run all as root.

What does this look like

ls -l /etc/letsencrypt/archive/

Thanks, here we go

-rw-r--r-- 1 root root 1858 Oct 19 09:31 cert1.pem
-rw-r--r-- 1 root root 1854 Dec 28 10:11 cert2.pem
-rw-r--r-- 1 root root 3750 Oct 19 09:31 chain1.pem
-rw-r--r-- 1 root root 3750 Dec 28 10:11 chain2.pem
-rw-r--r-- 1 root root 5608 Oct 19 09:31 fullchain1.pem
-rw-r--r-- 1 root root 5604 Dec 28 10:11 fullchain2.pem
-rw------- 1 root root 1704 Oct 19 09:31 privkey1.pem
-rw------- 1 root root 1704 Dec 28 10:11 privkey2.pem

1 Like

Certbot would not make incorrect symbolic links on its own. Perhaps you have a --deploy-hook or --post-hook set with a script messing things up? This could be in the renewal configuration file in /etc/letsencrypt/renewal/ or in the cli.ini configuration file, if present (usually /etc/letsencrypt/cli.ini).

Another thing that's weird is that your cert1.pem is from October, but the symlinks pointing to that file has a date mentioning Dec 28 at 09:05. So something is making those symbolic links, but it was not when the first certificate was issued. So probably not Certbot, but something else entirely.


The October dates where the day the server was built and the certificate created.

This is the command I use to renew the cert this morning and noticed the issue

certbot renew --post-hook 'ln -sf /etc/letsencrypt/live/'

I guess I could have been given duff info for my renewal as this is running on a crm in nginx

That post hook doesn't look complete, but such a command would probably be the reason for this issue. Why is it there anyway? What is it suppose to do?


Not sure about the hook an inherited this project. I will need to do some digging.

It's just install for nginx so can't be anything to complex to achieve I would have though

That --post-hook seems incomplete AND totally unnecessary.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.