Why is cert.pem not being auto generated?


To setup Let’s Encrypt I’m following a guide on DigitalOcean called, “How To Secure Apache with Let’s Encrypt on Ubuntu 18.04”.

My domain is: theinitiate.agency

Here is the corresponding output when running this command:

$ sudo certbot --apache -d theinitiate.agency -d www.theinitiate.agency
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apache2ctl configtest.
Action ‘configtest’ failed.
The Apache error log may have more information.
AH00526: Syntax error on line 49 of /etc/apache2/sites-enabled/theinitiate.agency-le-ssl.conf:
SSLCertificateFile: file ‘/etc/letsencrypt/live/theinitiate.agency/cert.pem’ does not exist or is empty
The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError(“Error while running apache2ctl configtest.\nAction ‘configtest’ failed.\nThe Apache error log may have more information.\n\nAH00526: Syntax error on line 49 of /etc/apache2/sites-enabled/theinitiate.agency-le-ssl.conf:\nSSLCertificateFile: file ‘/etc/letsencrypt/live/theinitiate.agency/cert.pem’ does not exist or is empty\n”,)

Here are the relevant contents of my /var/log/letsencrypt/letsencrypt.log :

2018-05-25 14:10:04,517:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f79625066d8>
Prep: Error while running apache2ctl configtest.
Action ‘configtest’ failed.
The Apache error log may have more information.

AH00526: Syntax error on line 49 of /etc/apache2/sites-enabled/theinitiate.agency-le-ssl.conf:
SSLCertificateFile: file ‘/etc/letsencrypt/live/theinitiate.agency/cert.pem’ does not exist or is empty

2018-05-25 14:10:04,521:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None

The contents of the /etc/letsencrypt/live/ includes my other two domains. The contents of this directory are automatically generated. Not sure why theinitiate.agency isn’t there:

#ls /etc/letsencrypt/live/
angeles4four.info summitministry.coffee

Inside that directory should be theinitiate.agency too, right? Why is it not auto generating?

I tried Googling sslcertificatefile does not exist or is empty and certbot apache configuration cert.pem. I sifted through the top search results there and can’t find the answer I am looking for.

I feel like the answer I’ll receive on this board will be trivial. I probably need to enter an obvious command which I am overlooking in the guide I shared above. But I have checked everything to the best of my ability and here I am gnashing at the teeth trying to get this right. Any help? I’m sorry for asking such a novice question.

I made sure to have invoked $ sudo a2ensite theinitiate.agency.conf and $ sudo a2ensite theinitiate.agency-le-ssl.conf .

My web server is (include version):
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2018-04-25T11:38:24

Thanks for your attention.

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

edit: Add thanks


You need to pass the apache configtest.
It is failing because line 49 of /etc/apache2/sites-enabled/theinitiate.agency-le-ssl.conf
is using a file that does not exist (as shown by your ls command of that directory).
You could:

  • delete the file entirely
  • modify the cert lines to use default values:
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
  • modify the file to use any other working cert.

Once you pass the configtest it should continue and make all the necessary changes.


This looks like you ran successfully before but then deleted the associated certificates in /etc/letsencrypt. Is that possible?


@schoen: theinitiate.agency, along with my other vhosts were running fine on my previous (now defunct) Ubuntu 14.04 droplet. These past 4 weeks I’ve been in the process of migrating over to 18.04. I do not recall deleting theinitiate entry inside /etc/letsencrypt/live/ on my new Droplet. This is very strange.

@rg305: I’m not sure I understand your 3 options. Here are my thoughts:

  • If I delete theinitiate.agency-le-ssl.conf and its sym link, my website won’t be accessible at all. Are you then suggesting I try recreating the -le-ssl.conf file from scratch? How might my new -le-ssl.conf be different from this old one?

  • Perhaps I could refer to the snakeoil keys. I wasn’t familiar with snakeoil option so I Googled it. Among the top results was an AskUbuntu post from a few years back titled, What is the purpose of the ssl-cert-snakeoil.key. One SO member explains:

    While it does securely encrypt traffic, it is insecure and thus named ‘snakeoil’ because it’s lack of root authority signature means it is vulnerable to the most simple man-in-the-middle attacks.
    Having encountered that piece of advice, perhaps pointing to to snakeoil.pem would not be a good idea.
  • Are you suggesting that inside theinitiate.agency-le-ssl.conf I just point to one of the other active certs, like angeles4four.info for example?

Thanks again for your attention.

edit: thanks


You do get the basic gist of the 3 options.

Yes, certbot will recreate it for you.

It wouldn’t really; but in that recreation process the matching cert will also be created. And hopefully clear up the problem.

As for the snakeoil option, that is just to get it to “work” enough so that you can get a new cert (which should replace the snakeoil cert)


@rg305: I got it working. Thank you for the advice. The solution was really straight forward. Like you said, I deleted my old theinitiate.agency-le-ssl.conf in both my sites-available and the symlink inside sites-enabled. I ran the cert-bot command and let’s encrypt automatically generated a new -le-ssl.conf. My site is accessible now. Thanks again, my friend.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.