On CentOS 8.1 I've installed certbot using the method explained at https://www.tecmint.com/secure-nginx-with-lets-encrypt-on-centos-8/ so I'm not sure if that's the right way to install it. Anyway, I've installed some certificates, but when I try to gather info about them I get:
So, what does this error mean? And also… in many of the threads I see people referring to certbot, but here certbot is not available and I'm using certbot-auto instead… Could you please clarify?
The file /etc/letsencrypt/live/bpl.expert/cert.pem, generated by certbot itself, should be a symbolic link to the most recent certificate file in /etc/letsencrypt/archive/bpl.expert/. It seems that this is not the case, most probably due to manual tampering (certbot itself would never put anything other than a symbolic link in the /live/ directory).
certbot-auto is a wrapper script for the certbot ACME client for Linux distributions without a certbot package in their distribution's package list. It also has the added feature of upgrading certbot to the most recent version available, whereas distribution packages are often rather old and not updated that often.
Oh, ok, thanks for the explanation... I wonder at which point the manual tampering happened... I use WinSCP to sync files to local... maybe at a certain point that was the guilty one? In any case, how could I fix it in order to get the relevant certbot-auto certificates info?
Or, said otherwise, how should I proceed in my current state? Isn't there any way to "reset to default" and start from scratch?
But if your certbot-auto is working perfectly, I wouldn’t recommend changing. Could break more than it would fix.
Well, until now it was working ok... I've only run it once and certainly made the necessary changes to the nginx files to add SSL support, but now that I want to add more domains, or even get information out of it, things seem to be getting messier...
You could try running certbot-auto update_symlinks
Ok, thanks, I'll do
I've been reading that official guide and I definitely would like to follow those steps so I'll be in an "official state"... so support will be easier. But as you said, maybe it'll break things... how would you uninstall the current one and upgrade to the official one without breaking anything?
OK, looks like something managed to put the actual files in /live/ instead of the symbolic links. You can fix that by replacing the actual files in /live/ with symbolic links to the files in /archive/:
cd /etc/letsencrypt/live/bpl.expert/
for name in cert chain fullchain privkey; do ln -sf ../../archive/bpl.expert/${name}1.pem ${name}.pem; done
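As an added example (not code from the thread or from certbot), here is the same repair written as a small audit-and-relink script: it reports which of the four live/ entries are not symlinks (or point nowhere), and then recreates them exactly as certbot does, as relative links into archive/<domain>/. Unlike the one-liner above it picks the highest-numbered archive file rather than assuming 1, so it also fits a domain that has already been renewed. The letsencrypt root directory is a parameter (an assumption for testability; on a real host it is /etc/letsencrypt).

```shell
#!/bin/sh
# Added example (not from the thread): audit ROOT/live/<domain>/ and, if needed,
# relink its four files to the highest-numbered files in ROOT/archive/<domain>/.
# Assumption: the standard certbot layout, ROOT/live/<domain> and ROOT/archive/<domain>.

# latest_archive_num ARCHIVE_DIR: highest N among cert<N>.pem (empty if none)
latest_archive_num() {
    ls "$1"/cert*.pem 2>/dev/null \
        | sed 's#.*/cert\([0-9]*\)\.pem$#\1#' \
        | sort -n | tail -n 1
}

# check_live ROOT DOMAIN: one line per problem file ("<file> not-a-symlink" or
# "<file> dangling"); prints nothing when all four entries are healthy symlinks
check_live() {
    live="$1/live/$2"
    for name in cert chain fullchain privkey; do
        f="$live/$name.pem"
        if [ ! -L "$f" ]; then
            printf '%s not-a-symlink\n' "$name.pem"
        elif [ ! -e "$f" ]; then
            printf '%s dangling\n' "$name.pem"
        fi
    done
}

# relink_live ROOT DOMAIN: replace the four live entries with relative symlinks
# (../../archive/<domain>/<name><N>.pem), the form certbot itself creates
relink_live() {
    n=$(latest_archive_num "$1/archive/$2")
    if [ -z "$n" ]; then
        echo "no cert<N>.pem files in $1/archive/$2" >&2
        return 1
    fi
    for name in cert chain fullchain privkey; do
        ln -sfn "../../archive/$2/${name}${n}.pem" "$1/live/$2/$name.pem"
    done
}

# Usage on a real host (as root): sh fix-live-links.sh /etc/letsencrypt bpl.expert
if [ "$#" -eq 2 ]; then
    if [ -n "$(check_live "$1" "$2")" ]; then
        check_live "$1" "$2"
        relink_live "$1" "$2" && echo "relinked $2 to archive version $(latest_archive_num "$1/archive/$2")"
    else
        echo "$2: live/ entries are already symlinks"
    fi
fi
```

Run check_live alone first if you only want a report; relink_live overwrites the live/ entries, so the regular files that were sitting there are gone afterwards (their contents are still in archive/).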
Now certbot-auto certificates works wonderfully and it's showing me the info for all the domains I installed certificates for a few days ago. Anyway, before proceeding any further, do you think it'd be possible to uninstall the current certbot-auto I installed the unofficial way from https://www.tecmint.com/secure-nginx-with-lets-encrypt-on-centos-8/ and install it from the official packages as recommended a few threads ago (at that time I wasn't even aware such packages were available for CentOS) without breaking anything?
But if that's just not possible, what'd be the next steps for me to add the new set of domain names?
Both packages (certbot-auto and certbot from the official distribution package) should use the same files in /etc/letsencrypt/. I don't have experience with certbot-auto, so I can't say how you'd uninstall that completely. Just removing /usr/local/bin/certbot-auto isn't enough, as the wrapper script installs certbot somewhere. Could be /opt/eff but I'm not sure.
Ok, no worries… I'm quite familiar with Python so it won't be very difficult to understand what the certbot-auto script does… although bash scripting isn't my forte, hehe. In any case, I'll try to fully understand how certbot-auto works first so I won't mess up when trying to uninstall it… In any case, I hope the official package will work ok with all the files generated by certbot-auto… it should, right?
Btw, I've noticed that the last time I ran certbot-auto certificates it auto-upgraded automatically, i.e.:
I mean, probably this certbot-auto is more than good enough… but I still feel more comfortable installing from packages… so my provisioning scripts are more "robust" when adding/deploying to new servers.
The EPEL repo for EL-8 has version 1.4.0 of certbot. So if you do switch to the EPEL version of certbot instead of certbot-auto, you could get a warning message saying the certificate renewal file was generated with a newer version of certbot. I believe however this only matters if you'd update a certificate or would get a new certificate with this new version 1.5.0. Also, I'm not expecting any breaking changes in the renewal configuration files between 1.4.0 and 1.5.0, so the warning can be ignored.
Oh, ok, that's really relevant info, definitely… btw, from what I've been able to decipher by reading certbot-auto: when you run it, it tries to auto-upgrade automatically (unless specified otherwise) and a Python virtualenv will be created at /opt/eff.org by default. That virtualenv will contain all the certbot Python scripts as well as their Python dependencies. Now I'm just trying to confirm whether other data files have been installed. You see? This is also why installing from packages is really handy… uninstalling and querying package files would be trivial that way… totally my bad… I screwed up here by trusting random unofficial tutorials from the internet.
Ok, in any case, if I wanted to invalidate all the existing certificates before uninstalling certbot-auto and installing from packages so I wouldn't get any warning (even if that doesn't matter)… would there be any easy way to do it?
Because it contains contents generated by the certbot python program, not the certbot-auto wrapper script.
Nothing strange there. However, it would be the certbot Python script installed by the certbot-auto wrapper script, not the same certbot Python script installed by your CentOS package manager. Having both installed could and/or would lead to strange behaviour.
To remove certbot-auto, just delete it and the files it places under /opt/eff.org, along with any cronjob or systemd timer you may have created.
Summing up, it seems that removing certbot-auto as well as the virtualenv and then installing the CentOS package should be good enough, right? In any case, I'll be trying it first on the staging box to be 100% sure I won't screw up the production server.