JUST HORRIBLE TIME - continues???

I was getting odd SMTP errors this morning and discovered that my ssl cert attached to postfix was length 0!
in /etc/postfix:
lrwxrwxrwx 1 root root 54 Jun 23 2019 smtpd.cert -> /etc/letsencrypt/live/ns9.cdbsystems.com/fullchain.pem
-rw-r--r-- 1 root root 2163 May 13 2018 smtpd.cert-180519192132.bak
lrwxrwxrwx 1 root root 52 Jun 23 2019 smtpd.key -> /etc/letsencrypt/live/ns9.cdbsystems.com/privkey.pem
in /etc/letsencrypt/live/ns9.cdbsystems.com:
lrwxrwxrwx 1 root root 43 Sep 1 14:35 cert.pem -> ../../archive/ns9.cdbsystems.com/cert15.pem
lrwxrwxrwx 1 root root 44 Sep 1 14:35 chain.pem -> ../../archive/ns9.cdbsystems.com/chain15.pem
lrwxrwxrwx 1 root root 48 Sep 1 14:35 fullchain.pem -> ../../archive/ns9.cdbsystems.com/fullchain15.pem
lrwxrwxrwx 1 root root 46 Sep 1 14:35 privkey.pem -> ../../archive/ns9.cdbsystems.com/privkey15.pem

and the privkey and fullchain files were ZERO length. (they are not above because they are now the same as the xxxx14.pem keys)
I manually copied *14.pem to *15.pem. so put cert14.pem on cert15.pem, privekey14.pem on privkey15.pem etc.
now TLS sessions were validated, but cert was expired (according to test site I had run check).
I thought to myself 'lets be clever' and ran
/opt/certbot/certbot-auto (no parameters).
I told it c to cancel out rather than give any numbers for domains, but thought it would update the ns9 key since it should appear old???.
was there some parameter I should have passed??? or was this a really stupid thing to do?
(probably the latter with my luck these days).
then I went to ispconfig3 and unchecked the SSL/Letsencrypt boxes for ns9.cdbystems.com (vhost). waited for red circle to go away.
then checked them again thinking it would recreate the certs for ns9.
but it has not... so I still get TLS sessions that are encrypted, but with an expired key. and I'm still using the old pems that I copied from sept 1.
how do I recreate JUST the ns9.cdbsystems.com key if the above does not work???
thanks.

and would running certbot-auto have any other bad effect that I have to panic over?

thanks again!
cdb.

 

Certbot-auto is NOT the way to go, it is just to install/update certbot manually.
You have to use "certbot renew" if system-certbot is installed or "/opt/eff.org/venv/bin/certbot renew" if not.

Side note: PLEASE stop using those thread titles. They are disturbing and mis-leading.

 

will do its just my life

 

I ran certbot its in /opt/eff.org/certbot/venv/bin .. but it says...
Processing /etc/letsencrypt/renewal/ns9.cdbsystems.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/crypto_util.py", line 351, in _load_cert_or_req
return load_func(typ, cert_or_req_str)
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/OpenSSL/crypto.py", line 1794, in load_certificate
_raise_current_error()
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
raise exception_type(errors)
Error: [('PEM routines', 'get_name', 'no start line')]
Renewal configuration file /etc/letsencrypt/renewal/ns9.cdbsystems.com.conf (cert: ns9.cdbsystems.com) produced an unexpected error: [('PEM routines', 'get_name', 'no start line')]. Skipping.

ack!!!

 

ok found one of the *15.pem files was zero again. copied all *14.pem files to *15.pem files and reran .certbot renew
and voila! ns9 now has a shiny new cert and problem seems solved!

many thanks. and sorry if my titles were disturbing. I've been VERY DISTURBED <grin>
but you folks have (as always) been super.
cdb.

 

have been checking my ssl cert for ns9.cdbsystems.com (after I restarted httpd - so the online checkers would see the new cert and one of them gives a clean bill of health the other says that my cert is good chain cert is good - but Root 1 is missing! do I care?
it offers to let me download it.
thanks again...