Certificate is expired but not renewed

I am not sure because it didn’t happen to me, but it looks to me like there is a bad config file (see above in the thread) and letsencrypt reacts by starting over in a new folder ending in 001

Why the bad config? I can’t guess without somebody sharing it

What config are we talking about? The one in the renewal folder?
Let me know what you need to see to figure this out and I am happy to post it here.

@marcelicious see above

thanks!

The config for the original site seems to be empty. Here’s the output of the 0001 config file:

root@nextcloudpi:/etc/letsencrypt/renewal# ll
total 4.0K
-rw-r--r-- 1 root root 635 Mar 26 18:10 mycoolsite.org-0001.conf
-rw-r--r-- 1 root root   0 Mar 26 18:10 mycoolsite.org.conf
root@nextcloudpi:/etc/letsencrypt/renewal# cat mycoolsite.org-0001.conf 
# renew_before_expiry = 30 days
version = 0.30.2
archive_dir = /etc/letsencrypt/archive/mycoolsite.org-0001
cert = /etc/letsencrypt/live/mycoolsite.org-0001/cert.pem
privkey = /etc/letsencrypt/live/mycoolsite.org-0001/privkey.pem
chain = /etc/letsencrypt/live/mycoolsite.org-0001/chain.pem
fullchain = /etc/letsencrypt/live/mycoolsite.org-0001/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = 9pSOMEHASH8y
webroot_path = /var/www/nextcloud,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
mycoolsite.org = /var/www/nextcloud
root@nextcloudpi:/etc/letsencrypt/renewal#

Is the problem that the config for the original site is empty?
Would it help if I copy the lines from the 0001 site config over (minus the -0001)?

Let me know if you need anything else.

I have checked the *.conf files
The file /etc/letsencrypt/renewal/WEB_ADDRESS.conf is completely empty

The file /etc/letsencrypt/renewal/WEB_ADDRESS-0001.conf contains

# renew_before_expiry = 30 days
version = 0.30.2
archive_dir = /etc/letsencrypt/archive/WEB_ADDRESS-0001
cert = /etc/letsencrypt/live/WEB_ADDRESS-0001/cert.pem
privkey = /etc/letsencrypt/live/WEB_ADDRESS-0001/privkey.pem
chain = /etc/letsencrypt/live/WEB_ADDRESS-0001/chain.pem
fullchain = /etc/letsencrypt/live/WEB_ADDRESS-0001/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = somethingSomethingSomething
webroot_path = /var/www/nextcloud,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
WEB_ADDRESS = /var/www/nextcloud

This likely fixes the issue: NCP: problem obtaining letsencrypt certificate

Basically a reinstall. It won’t fix the root cause whatever that may be or have been.
Not a real solution, but may get you going for another while.

Thank you @RdedR

  1. Approach:

Unfortunately I could not delete /etc/letsencrypt/* (as suggested in the answer) because there is also the certbot-auto program and no certbot is otherwise installed.

  2. Approach:
    I tried then to remove the certificates by removing the contents of letsencrypt/live and letsencrypt/renewal and renamed the letsencrypt/archive folder. Then I used ncp-config to get new certificates, which seemed to work. There were new certificates installed in the letsencrypt/live and letsencrypt/renewal folders, but again two certificates: one named WEB_ADDRESS and one named WEB_ADDRESS-0001.
    Also, I encountered various other problems after that, like the HTTPD service being down and my ports 80 and 443 being reported closed (even though they are open).

Needless to say, I reversed all the actions and I’m back at the original problem from my first post.

ok, so the issue is that there is an empty cfg file.

Does anybody have an idea of what could have caused this? Maybe there’s a clue in /var/log/letsencrypt

Everybody here has something in common that happened to them that caused this, can anybody think of a reason or a clue?

Hello!

Nothing really new in the /var/log/letsencrypt/letsencrypt.log file.

It simply says that the /etc/letsencrypt/renewal/nc.net.conf is broken and:

CertStorageError: renewal config file {} is missing a required file reference

Complete log content:

2019-03-27 21:14:27,044:DEBUG:certbot.main:certbot version: 0.32.0
2019-03-27 21:14:27,048:DEBUG:certbot.main:Arguments: ['-n', '--no-self-upgrade', '--webroot', '-w', '/var/www/nextcloud', '--hsts', '--agree-tos', '-m', 'me@mine.org', '-d', 'nc.ddns.net']
2019-03-27 21:14:27,048:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-03-27 21:14:27,153:DEBUG:certbot.log:Root logging level set at 20
2019-03-27 21:14:27,157:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-03-27 21:14:27,160:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2019-03-27 21:14:27,189:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x75c6eb10>
Prep: True
2019-03-27 21:14:27,193:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x75c6eb10> and installer None
2019-03-27 21:14:27,193:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2019-03-27 21:14:27,216:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v0$
2019-03-27 21:14:27,221:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2019-03-27 21:14:27,230:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2019-03-27 21:14:27,659:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2019-03-27 21:14:27,662:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 27 Mar 2019 20:14:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 27 Mar 2019 20:14:27 GMT
Connection: keep-alive

{
  "WK0mIkDPqcw": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2019-03-27 21:14:27,677:DEBUG:certbot.cert_manager:Renewal conf file /etc/letsencrypt/renewal/nc.net.conf is broken. Skipping.
2019-03-27 21:14:27,684:DEBUG:certbot.cert_manager:Traceback was:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/cert_manager.py", line 383, in _search_lineages
    candidate_lineage = storage.RenewableCert(renewal_file, cli_config)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/storage.py", line 444, in __init__
    "file reference".format(self.configfile))
CertStorageError: renewal config file {} is missing a required file reference

2019-03-27 21:14:27,711:INFO:certbot.renewal:Cert not yet due for renewal
2019-03-27 21:14:27,712:INFO:certbot.main:Keeping the existing certificate

Yours
SMichel
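A read-only check for the condition found in this thread, added here as an example (not code from the thread or from certbot): it flags renewal configs that are empty or lack a file reference, and numbered lineages that shadow a base name. The function names are hypothetical, and treating cert, privkey, chain and fullchain as the required references is an assumption based on the working -0001 file posted above.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the "required file references" are the four paths present in
# the working -0001 file posted above.
REQUIRED = ("cert", "privkey", "chain", "fullchain")
NUMBERED = re.compile(r"^(.+)-\d{4}$")  # e.g. mycoolsite.org-0001

def top_level_keys(text):
    """Collect keys that appear before the first [section] header."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            break
        if line and not line.startswith("#") and "=" in line:
            keys.add(line.split("=", 1)[0].strip())
    return keys

def audit_renewal_dir(renewal_dir):
    """Return {lineage name: [findings]}; an empty list means no finding."""
    confs = sorted(Path(renewal_dir).glob("*.conf"))
    names = {p.stem for p in confs}
    report = {}
    for conf in confs:
        findings = []
        text = conf.read_text()
        if not text.strip():
            findings.append("empty file")
        else:
            missing = [k for k in REQUIRED if k not in top_level_keys(text)]
            if missing:
                findings.append("missing " + ", ".join(missing))
        m = NUMBERED.match(conf.stem)
        if m and m.group(1) in names:
            findings.append("numbered duplicate of " + m.group(1))
        report[conf.stem] = findings
    return report

def demo():
    """Constructed sample mirroring the directory listing in the thread."""
    live = "/etc/letsencrypt/live/mycoolsite.org-0001/"
    good = "".join(f"{k} = {live}{k}.pem\n" for k in REQUIRED)
    with tempfile.TemporaryDirectory() as d:
        Path(d, "mycoolsite.org.conf").write_text("")
        Path(d, "mycoolsite.org-0001.conf").write_text(
            good + "[renewalparams]\nauthenticator = webroot\n")
        return audit_renewal_dir(d)
```

On a real system, `audit_renewal_dir("/etc/letsencrypt/renewal")` reports the same findings without modifying anything.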

Some months ago I installed a new NCP instance on a new SD card and then used the ncp restore function. I do not remember if I had to get a new certificate.

Does anyone else here have that history and got that problem afterwards?

Yes, interesting. I’d previously had issues with my NCP on an actual pi before restoring it at least twice successfully (once to new non-pi hardware).

We have no clue of what happened. Maybe a Letsencrypt bug, maybe something else.

To fix it, it’s probably fine to remove all certs, then run LE again so the normal one (not 001) is used.

Might have to revert temporarily to the snakeoil certs during the process

But ideally we would find out what happened.

You mean removing both files?
/etc/letsencrypt/renewal/WEB_ADDRESS.conf and
/etc/letsencrypt/renewal/WEB_ADDRESS-0001.conf

Or only delete their content?

Yours
SMichel

Where can I find the certs to remove them?

Yours
SMichel

On mine I located symlinks to cert and key in

/etc/letsencrypt/live/sub.domain.tld/

The actual certs and keys location is:

/etc/letsencrypt/archive/sub.domain.tld/

So I should delete the content of these two folders or only the certl.pem? What about the /my.ddns.net-0001 folders which I’ve found in the live and in the archive folders?

Yours
SMichel

I wouldn’t delete anything, just move/rename the directories.
I don’t really know if there are other folders/files that need to be moved/renamed.
It seems there are also files in:

/etc/letsencrypt/renewal/sub.domain.tld

I’ve renamed the folders and then let letsencrypt run with the following output:


Yours
SMichel

Ok, I don’t know what I did wrong last time but things seem to work for me again.
What i did:

  1. update ncp to v1.10.9 - not sure if this update is related to our problem

  2. cd /etc/letsencrypt/

  3. mv archive archive_old
    mv renewal renewal_old
    mv live live_old

  4. then use ncp-config to get new certificates.


I did the same with the following success:


And the web panel (:4443) isn’t accessible any more.

Yours
SMichel