PermissionError: [Errno 1] Operation not permitted: '/etc/letsencrypt/archive/app.domain.co/cert32.pem' -> '/etc/letsencrypt/live/app.domain.co/previous_cert.pem'
That seems like an odd command to be trying. It is best if you do not modify the /etc/letsencrypt folders with manual commands. Certbot expects those to look a certain way and you can disrupt its proper operation.
That said, the error seems clear. Does the user account you issue that command from have the proper permission to read that cert and write into the ../live folder?
I'd still recommend re-thinking what you are doing to avoid problems with Certbot.
@MikeMcQ It looks like it's a Python error, possibly from Certbot trying to make or update a symlink.
@Maharshi-Trivedi Please provide WAY more information than just copy/pasting JUST the error message and a thread title. It's not like we have crystal balls to see what's going on in your setup. Thus:
When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
That's a good guess. Although, the specific fake names make it look like something they were doing manually.
That is, in ../live/ they showed the name as previous_cert.pem
Looked to me like they were trying to make a copy of something they found in archive for some other purpose.
But, agree, way more info would be helpful so we did not have to guess so much.
My domain is: Developer
I ran this command: Sudo certbot --nginx -d app.domain.co -v
It produced this output:
navya@prod-user-web01:/etc/letsencrypt$ sudo certbot --nginx -d app.domain.co -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
An RSA certificate named app.domain.co already exists. Do you want to
update its key type to ECDSA?
(U)pdate key type/(K)eep existing key type: K
Found a new certificate /archive/ that was not linked to in /live/; fixing...
An unexpected error occurred:
PermissionError: [Errno 1] Operation not permitted: '/etc/letsencrypt/archive/app.blockhealth.co/cert32.pem' -> '/etc/letsencrypt/live/app.blockhealth.co/previous_cert.pem'
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version): nginx (1.14.0)
The operating system my web server runs on is (include version): 18.04
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): GCP VM
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.11.0
That's not good.
Did someone manually mess up the files in /etc/letsencrypt/live/ and /archive/ by any chance?
Please show the outputs of:
certbot certificates
ls -lt /etc/letsencrypt/archive/app.blockhealth.co/*
ls -lt /etc/letsencrypt/live/app.blockhealth.co/*
Thanks, guys! We got it working by changing the permission for the folder, but we did not change anything manually.
You should NOT have to do anything to anything within the /etc/letsencrypt/ folders.
As noticed by Mike before, the file previous_cert.pem is not generated by Certbot. So how did it get there?
Also the message "Found a new certificate /archive/ that was not linked to in /live/; fixing" suggests there is MORE than just a permission problem here.
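The layout questions raised in the posts above can be checked without changing anything under /etc/letsencrypt. The following is an added example, not part of the original thread and not Certbot's own code: a read-only audit of one lineage that reports links in live/ that are not symlinks into archive/, entries other than the four .pem links and README, and an archive that is ahead of live/. The function names, the lineage name app.example.test and the constructed sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile

KINDS = ("cert", "privkey", "chain", "fullchain")  # items Certbot links in live/<name>/

def audit_lineage(config_dir, name):
    """Read-only check of one lineage; returns a list of findings (empty = normal)."""
    live = os.path.join(config_dir, "live", name)
    archive = os.path.realpath(os.path.join(config_dir, "archive", name))
    if not (os.path.isdir(live) and os.path.isdir(archive)):
        return ["live/ or archive/ directory for this lineage is missing"]
    findings, versions = [], {}
    for kind in KINDS:
        link = os.path.join(live, kind + ".pem")
        if not os.path.islink(link):
            findings.append(f"{kind}.pem: not a symlink")
            continue
        target = os.path.realpath(link)
        m = re.fullmatch(rf"{kind}(\d+)\.pem", os.path.basename(target))
        if os.path.dirname(target) != archive or not m:
            findings.append(f"{kind}.pem: unexpected target {os.readlink(link)}")
        elif not os.path.exists(target):
            findings.append(f"{kind}.pem: dangling link to {os.readlink(link)}")
        else:
            versions[kind] = int(m.group(1))
    if len(set(versions.values())) > 1:
        findings.append(f"links disagree on version: {versions}")
    for entry in sorted(set(os.listdir(live)) - {k + ".pem" for k in KINDS} - {"README"}):
        findings.append(f"unexpected entry in live/: {entry}")
    nums = [int(m.group(1)) for f in os.listdir(archive)
            if (m := re.fullmatch(r"cert(\d+)\.pem", f))]
    if nums and "cert" in versions and versions["cert"] != max(nums):
        findings.append(f"archive has cert{max(nums)}.pem, live/cert.pem uses cert{versions['cert']}.pem")
    return findings

def build_sample(root, name="app.example.test", linked=31, newest=32, stray=True):
    """Constructed layout resembling the thread: archive is one version ahead of live/."""
    arch, live = (os.path.join(root, d, name) for d in ("archive", "live"))
    os.makedirs(arch)
    os.makedirs(live)
    for kind in KINDS:
        for n in range(linked, newest + 1):
            open(os.path.join(arch, f"{kind}{n}.pem"), "w").close()
        os.symlink(f"../../archive/{name}/{kind}{linked}.pem", os.path.join(live, f"{kind}.pem"))
    if stray:  # constructed extra link, named as in the error message
        os.symlink(f"../../archive/{name}/cert{linked}.pem", os.path.join(live, "previous_cert.pem"))
    return root

if __name__ == "__main__":
    for finding in audit_lineage(build_sample(tempfile.mkdtemp()), "app.example.test"):
        print(finding)
```

On a real host the call would be audit_lineage("/etc/letsencrypt", "<certificate name>"), run with enough privilege to read live/ and archive/.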
We have changed the permission to default again after fixing our issue, but we still need to figure out a way to renew the certificate automatically.
certbot generally sets up automatic renewals via cron or systemd timers.
Let's try to get you back on track...
Hi @rg305,
So here's what happened today. Our original setup uses cert-manager and a controller from Kubernetes to generate the certificate. However, due to the downtime at Let's Encrypt on Sept 27, our renewal process got stuck. The ClusterIssuer is unable to generate the certificate anymore, and now we have actually tried resolving the issue by manually installing Certbot and generating the certificate, and it was during this process that the above issue began. I guess your point about the file not being created by Certbot makes sense, since it was a different application that was originally responsible for doing this.