Unable to renew certs as nginx config test fails due to missing file


#1

My domain is: barbour.io

I ran this command: certbot renew

It produced this output:

[karl@barbour-io ~]$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/hynes.barbour.io.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] BIO_new_file("/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] BIO_new_file("/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(\'/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt\',\'r\') error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n',)
Attempting to renew cert (hynes.barbour.io) from /etc/letsencrypt/renewal/hynes.barbour.io.conf produced an unexpected error: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] BIO_new_file("/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(\'/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt\',\'r\') error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n',). Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/ip.barbour.io.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] BIO_new_file("/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] BIO_new_file("/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(\'/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt\',\'r\') error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n',)
Attempting to renew cert (ip.barbour.io) from /etc/letsencrypt/renewal/ip.barbour.io.conf produced an unexpected error: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] BIO_new_file("/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(\'/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt\',\'r\') error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n',). Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/ts.barbour.io.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] BIO_new_file("/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] BIO_new_file("/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(\'/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt\',\'r\') error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n',)
Attempting to renew cert (ts.barbour.io) from /etc/letsencrypt/renewal/ts.barbour.io.conf produced an unexpected error: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] BIO_new_file("/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(\'/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt\',\'r\') error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n',). Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/barbour.io.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] BIO_new_file("/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] BIO_new_file("/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(\'/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt\',\'r\') error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n',)
Attempting to renew cert (barbour.io) from /etc/letsencrypt/renewal/barbour.io.conf produced an unexpected error: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] BIO_new_file("/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(\'/var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt\',\'r\') error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/hynes.barbour.io/fullchain.pem (failure)
  /etc/letsencrypt/live/ip.barbour.io/fullchain.pem (failure)
  /etc/letsencrypt/live/ts.barbour.io/fullchain.pem (failure)
  /etc/letsencrypt/live/barbour.io/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/hynes.barbour.io/fullchain.pem (failure)
  /etc/letsencrypt/live/ip.barbour.io/fullchain.pem (failure)
  /etc/letsencrypt/live/ts.barbour.io/fullchain.pem (failure)
  /etc/letsencrypt/live/barbour.io/fullchain.pem (failure)
-------------------------------------------------------------------------------
4 renew failure(s), 0 parse failure(s)

My web server is (include version): nginx version: nginx/1.12.1 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 17.10

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no

As you can see from the output, I am missing a file in /var/lib/letsencrypt/cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt

This is, in fact, true:

[root@barbour-io letsencrypt]# ls /var/lib/letsencrypt/*.crt
/var/lib/letsencrypt/G9P1nEdzjCa8pRhQjLy7kXNWYUKb-K-51dk1XmhAEms.crt  /var/lib/letsencrypt/mw2w3-Zq6J4By9a3Y2l31SHi4TK2srrphYfqh2mI74A.crt

How do I resolve the error, please?


#2

Hi,

This means your Nginx is not working…

Can you please try executing this command?
nginx -t

And please go to your vHosts and find the vHost that contains cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt, then remove that line or comment out the vHost…

Thank you


#3

Hi Steven,

Thanks for your reply. nginx -t is, in fact, not working.

Under sites-enabled I tried the following, but I cannot see anything which contains cDnQNtCiVpE8cnsSaHNow9PKxV4l4oUvf-_dt8eZAkk.crt

[root@barbour-io /] cd /etc/nginx/sites-enabled/
[root@barbour-io sites-enabled]# cat * | grep crt
[root@barbour-io sites-enabled]# cat * | grep pem
    ssl_certificate /etc/letsencrypt/live/barbour.io/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/barbour.io/privkey.pem; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/hynes.barbour.io/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/hynes.barbour.io/privkey.pem; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/ip.barbour.io/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ip.barbour.io/privkey.pem; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/ts.barbour.io/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ts.barbour.io/privkey.pem; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

Could you help point me in the right direction of where this string might be?


#4

search through all of /etc/nginx
grep -R 'cDnQNtCiVpE8cnsSaHNow9PKxV4l4oU' /etc/nginx


#5

Hi rg305,

Nothing I can see:

[root@barbour-io nginx]# grep -R 'cDnQNtCiVpE8cnsSaHNow9PKxV4l4oU' /etc/nginx


#6

Try:
nginx -T | grep 'cDnQNtCiVpE8cnsSaHNow9PKxV4l4oU'

Be sure you can account for each of these:
nginx -T | grep -i 'ssl_certificate'


#7

Here’s an interesting one!

I found the string in /etc/letsencrypt/le_tls_sni_01_cert_challenge.conf

If I remove it and make that file:

[root@barbour-io letsencrypt]# cat le_tls_sni_01_cert_challenge.conf
server{listen 443 ssl;server_name f0f716aa7fbd2204c11787988910fcc9.418848dcc79e69eb12226f57a60f8889.acme.invalid;access_log /var/lib/letsencrypt/access.log;error_log /var/lib/letsencrypt/error.log;include /etc/letsencrypt/options-ssl-nginx.conf;location /{root /var/lib/letsencrypt/tls_sni_01_page;}}

then nginx -t works:


[root@barbour-io letsencrypt]# nginx -t
nginx: [warn] conflicting server name "f0f716aa7fbd2204c11787988910fcc9.418848dcc79e69eb12226f57a60f8889.acme.invalid" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "dev.barbour.io" on 0.0.0.0:80, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

However, if I run certbot renew I now get:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/hynes.barbour.io.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for hynes.barbour.io
nginx: [warn] conflicting server name "f0f716aa7fbd2204c11787988910fcc9.418848dcc79e69eb12226f57a60f8889.acme.invalid" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "f0f716aa7fbd2204c11787988910fcc9.418848dcc79e69eb12226f57a60f8889.acme.invalid" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "dev.barbour.io" on 0.0.0.0:80, ignored
nginx: [error] invalid PID number "" in "/run/nginx.pid"
Cleaning up challenges
Unable to recover files from /var/lib/letsencrypt/temp_checkpoint
Incomplete or failed recovery for /var/lib/letsencrypt/temp_checkpoint
Encountered exception during recovery
Unable to revert temporary config
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 124, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 972, in perform
    self.restart()
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 787, in restart
    nginx_restart(self.conf('ctl'), self.nginx_conf)
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 1042, in nginx_restart
    "nginx restart failed:\n%s\n%s" % (out.read(), err.read()))
certbot.errors.MisconfigurationError: nginx restart failed:
b''
b''

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/reverter.py", line 292, in _recover_checkpoint
    os.path.basename(path) + "_" + str(idx)), path)
  File "/usr/lib/python3.6/shutil.py", line 257, in copy2
    copyfile(src, dst, follow_symlinks=follow_symlinks)
  File "/usr/lib/python3.6/shutil.py", line 120, in copyfile
    with open(src, 'rb') as fsrc:
FileNotFoundError: [Errno 2] No such file or directory: '/var/lib/letsencrypt/temp_checkpoint/_8'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/reverter.py", line 82, in revert_temporary_config
    self._recover_checkpoint(self.config.temp_checkpoint_dir)
  File "/usr/lib/python3/dist-packages/certbot/reverter.py", line 297, in _recover_checkpoint
    "Unable to recover files from %s" % cp_dir)
certbot.errors.ReverterError: Unable to recover files from /var/lib/letsencrypt/temp_checkpoint

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/plugins/common.py", line 170, in revert_temporary_config
    self.reverter.revert_temporary_config()
  File "/usr/lib/python3/dist-packages/certbot/reverter.py", line 87, in revert_temporary_config
    raise errors.ReverterError("Unable to revert temporary config")
certbot.errors.ReverterError: Unable to revert temporary config

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/error_handler.py", line 100, in _call_registered
    self.funcs[-1]()
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 303, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 990, in cleanup
    self.revert_challenge_config()
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 921, in revert_challenge_config
    self.revert_temporary_config()
  File "/usr/lib/python3/dist-packages/certbot/plugins/common.py", line 172, in revert_temporary_config
    raise errors.PluginError(str(err))
certbot.errors.PluginError: Unable to revert temporary config
Attempting to renew cert (hynes.barbour.io) from /etc/letsencrypt/renewal/hynes.barbour.io.conf produced an unexpected error: nginx restart failed:
b''
b''. Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/ip.barbour.io.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Unable to recover files from /var/lib/letsencrypt/temp_checkpoint
Incomplete or failed recovery for /var/lib/letsencrypt/temp_checkpoint
Attempting to renew cert (ip.barbour.io) from /etc/letsencrypt/renewal/ip.barbour.io.conf produced an unexpected error: Unable to revert temporary config. Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/ts.barbour.io.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Unable to recover files from /var/lib/letsencrypt/temp_checkpoint
Incomplete or failed recovery for /var/lib/letsencrypt/temp_checkpoint
Attempting to renew cert (ts.barbour.io) from /etc/letsencrypt/renewal/ts.barbour.io.conf produced an unexpected error: Unable to revert temporary config. Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/barbour.io.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Unable to recover files from /var/lib/letsencrypt/temp_checkpoint
Incomplete or failed recovery for /var/lib/letsencrypt/temp_checkpoint
Attempting to renew cert (barbour.io) from /etc/letsencrypt/renewal/barbour.io.conf produced an unexpected error: Unable to revert temporary config. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/hynes.barbour.io/fullchain.pem (failure)
  /etc/letsencrypt/live/ip.barbour.io/fullchain.pem (failure)
  /etc/letsencrypt/live/ts.barbour.io/fullchain.pem (failure)
  /etc/letsencrypt/live/barbour.io/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/hynes.barbour.io/fullchain.pem (failure)
  /etc/letsencrypt/live/ip.barbour.io/fullchain.pem (failure)
  /etc/letsencrypt/live/ts.barbour.io/fullchain.pem (failure)
  /etc/letsencrypt/live/barbour.io/fullchain.pem (failure)
-------------------------------------------------------------------------------
4 renew failure(s), 0 parse failure(s)

#8

That should be a temporary add-in used by --nginx
Something broke during the process…
Check your disk space: df -h

service nginx restart

Be sure you can account for each of these:
nginx -T | grep -i 'ssl_certificate'

Show:
/etc/letsencrypt/renewal/<cert.name>.conf

And these have to be found and corrected:


#9

Hi all,

I managed to get this working.

I found two major issues:

Duplicate vhost entry

I somehow had a file named ? in /etc/nginx/sites-available which was a duplicate of another vhost - unsure how this has happened, but removing it removed the warnings mentioned earlier

Invalid nginx.conf line

It seems a renewal had failed and left an entry on line 12 of my nginx.conf:

include /etc/letsencrypt/le_tls_sni_01_cert_challenge.conf;

I removed this line and now have a working renewal.

Thanks @rg305 for pointing me in the right directions.
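
The searches in this thread came up empty because the missing certificate was referenced from a file outside /etc/nginx, pulled in by an `include` in nginx.conf, and `nginx -T` only dumps a configuration that passes the test. The script below is an added example, not part of any post above: it follows `include` directives by reading the files directly and reports every certificate or key path that does not exist, along with the file and line that reference it. The function names, `example.test` and the `CONSTRUCTED.*` file names are assumptions made for the demo tree.

```shell
#!/bin/sh
# Added example, not from the thread: follow nginx "include" chains by reading
# the files and flag ssl_certificate paths that do not exist. Unlike `nginx -T`,
# it still works when the config test aborts on the error being hunted.
TAB=$(printf '\t')

# Emit "line<TAB>directive<TAB>argument". Statements are split on ';', '{', '}'
# because the challenge file is a single line. Quoted arguments are not handled.
nginx_statements() {
    awk '{
        sub(/#.*/, "")
        n = split($0, stmt, /[;{}]/)
        for (i = 1; i <= n; i++) {
            split(stmt[i], w, /[ \t]+/)
            k = (w[1] == "") ? 2 : 1     # indentation leaves an empty first field
            if (w[k] ~ /^(include|ssl_certificate|ssl_certificate_key)$/ && w[k + 1] != "")
                printf "%d\t%s\t%s\n", NR, w[k], w[k + 1]
        }
    }' "$1"
}

# nginx_trace FILE PREFIX: PREFIX is the main config's directory, which nginx
# uses to resolve relative paths. Paths containing spaces are not handled.
nginx_trace() {
    nginx_statements "$1" | while IFS=$TAB read -r line dir arg; do
        case $arg in /*) path=$arg ;; *) path=$2/$arg ;; esac
        if [ "$dir" = include ]; then
            for f in $path; do           # unquoted on purpose: expands wildcards
                if [ -f "$f" ]; then
                    echo "$1:$line: include $f"
                    nginx_trace "$f" "$2"
                else
                    case $path in
                        *[*?[]*) ;;      # unmatched wildcard is not an error
                        *) echo "MISSING $f (include at $1:$line)" ;;
                    esac
                fi
            done
        elif [ ! -f "$path" ]; then
            echo "MISSING $path ($dir at $1:$line)"
        fi
    done
}

# Constructed tree mirroring the thread: a stale include in nginx.conf pulls in
# a challenge file whose certificate and key no longer exist.
build_demo() {
    mkdir -p "$1/nginx/sites-enabled" "$1/letsencrypt/live/example.test"
    : > "$1/letsencrypt/live/example.test/fullchain.pem"
    printf 'events {}\nhttp {\n    include %s;\n    include sites-enabled/*;\n}\n' \
        "$1/letsencrypt/le_tls_sni_01_cert_challenge.conf" > "$1/nginx/nginx.conf"
    printf 'server { listen 443 ssl;\n    ssl_certificate %s; # managed by Certbot\n}\n' \
        "$1/letsencrypt/live/example.test/fullchain.pem" > "$1/nginx/sites-enabled/default"
    printf 'server{listen 443 ssl;ssl_certificate %s;ssl_certificate_key %s;}\n' \
        "$1/work/CONSTRUCTED.crt" "$1/work/CONSTRUCTED.pem" \
        > "$1/letsencrypt/le_tls_sni_01_cert_challenge.conf"
}

if [ $# -gt 0 ]; then
    nginx_trace "$1" "$(dirname "$1")"
else
    demo=$(mktemp -d) && build_demo "$demo"
    nginx_trace "$demo/nginx/nginx.conf" "$demo/nginx"
    rm -rf "$demo"
fi
```

Run with a path, for example `sh trace.sh /etc/nginx/nginx.conf` (the script name is arbitrary), it prints each include hop, so a `MISSING` line can be traced back to the line in nginx.conf that pulled the file in.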

