Hey everyone,

Another Let's Encrypt problem I discovered today when the certificate went invalid. This problem apparently occurred already on the 8th of February, but hadn't come to my attention until now. It seems that there is a file error?

"CertStorageError: expected /etc/letsencrypt/live/sub.topdomain.com/cert.pem to be a symlink"

I'm running ISPConfig 3.1.11 and in the config for the subdomain, here called "sub.topdomain.com", both SSL and Let's Encrypt are ticked. What is wrong and what can I do? What other files do you need to see? Hope you can help me! Many thanks in advance!

Oh, and this has happened for all my domains; luckily though, it's only one domain that expired today, the next is in April.

The log from /var/log/letsencrypt/letsencrypt.log:

Code:
2018-02-08 07:50:24,096:DEBUG:certbot.main:certbot version: 0.21.1
2018-02-08 07:50:24,098:DEBUG:certbot.main:Arguments: ['-n', '--post-hook', "echo '1' > /usr/local/ispconfig/server/le.restart"]
2018-02-08 07:50:24,098:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-02-08 07:50:24,121:WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
2018-02-08 07:50:24,121:DEBUG:certbot.cli:Deprecation warning circumstances: /opt/eff.org/certbot/venv/bin/certbot / {'LANG': 'sv_SE.UTF-8', 'SHELL': '/bin/sh', 'SHLVL': '3', 'PWD': '/usr/local/ispconfig/server', 'LOGNAME': 'root', 'HOME': '/root', 'PATH': '/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin', '_': '/opt/eff.org/certbot/venv/bin/certbot'}
2018-02-08 07:50:24,163:DEBUG:certbot.log:Root logging level set at 20
2018-02-08 07:50:24,164:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-02-08 07:50:24,212:WARNING:certbot.renewal:expected /etc/letsencrypt/live/sub.topdomain.com/cert.pem to be a symlink
2018-02-08 07:50:24,212:WARNING:certbot.renewal:Renewal configuration file /etc/letsencrypt/renewal/sub.topdomain.com.conf is broken. Skipping.
2018-02-08 07:50:24,213:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py", line 60, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/storage.py", line 434, in __init__
    self._check_symlinks()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/storage.py", line 493, in _check_symlinks
    "expected {0} to be a symlink".format(link))
CertStorageError: expected /etc/letsencrypt/live/sub.topdomain.com/cert.pem to be a symlink
2018-02-08 07:50:24,245:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/certbot", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1240, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1142, in renew
    renewal.handle_renewal_request(config)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py", line 443, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 0 renew failure(s), 6 parse failure(s)
https://www.howtoforge.com/community/threads/please-read-before-posting.58408/
https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
Debian 8 Jessie, ISPConfig 3.1.11, Apache/2.4.10, PHP5

- Check that you have Let's Encrypt installed.
Obviously, yes.

- When your server is behind a NAT router so that the server itself can not reach the hosted domains, then enable the option "Skip Letsencrypt check" under System > Server config > web.
Sits behind a NAT, "Skip Let's Encrypt check" is ticked.

- Check that all domain names (incl. auto subdomain www etc), subdomains and aliasdomains really point to the right website and are working. Open one after another in your browser and test that.
All the sites work and have been for over a month; no changes done and all the sites work, except one on which the certificate has obviously expired, hence the reason I created this thread.

- If you still use Apache 2.2, then update your ISPConfig to the git-stable branch with the ispconfig_update.sh script to get an updated vhost template. After you did that, use Tools > Resync to apply the new template to all sites, or apply it to a single site by altering a value in the site settings and pressing save, before you try to activate Let's Encrypt again. This is only necessary on Apache 2.2 systems; newer Apache 2.4 or nginx systems are not affected.
Using Apache 2.4.10.

- If you updated to ISPConfig 3.1 and deselected the "reconfigure services" option during the update (which is selected by default), then Let's Encrypt will fail as your server is missing the Let's Encrypt configuration in the ISPConfig Apache configuration files. Redo the update and choose to reconfigure services in that case.
"reconfigure services" was used when updating to ISPConfig 3.1.11.

Downloaded "htf-common-issues.php" and ran it; this is the resulting htf_report.txt file:

Code:
##### SERVER #####
IP-address (as per hostname): ***.***.***.***
IP-address(es) (as per ifconfig): ***.***.***.***
[INFO] ISPConfig is installed.

##### ISPCONFIG #####
ISPConfig version is 3.1.11

##### VERSION CHECK #####
[INFO] php (cli) version is 5.6.33-0+deb8u1
[INFO] php-cgi (used for cgi php in default vhost!) is version 5.6.33-0+deb8u1

##### PORT CHECK #####

##### MAIL SERVER CHECK #####

##### RUNNING SERVER PROCESSES #####
[INFO] I found the following web server(s):
Apache 2 (PID 5491)
[INFO] I found the following mail server(s):
Postfix (PID 14208)
[INFO] I found the following pop3 server(s):
Dovecot (PID 14452)
[INFO] I found the following imap server(s):
Unknown process (init) (PID 1)
[INFO] I found the following ftp server(s):
PureFTP (PID 14600)

##### LISTENING PORTS #####
(only () Local (Address)
[anywhere]:995 (14452/dovecot)
[localhost]:10023 (809/postgrey.pid)
[anywhere]:57287 (510/rpc.statd)
[localhost]:10024 (14444/amavisd-new)
[localhost]:10025 (14208/master)
[localhost]:10026 (14444/amavisd-new)
[anywhere]:3306 (13952/mysqld)
[localhost]:10027 (14208/master)
[anywhere]:587 (14208/master)
[localhost]:11211 (527/memcached)
[anywhere]:110 (14452/dovecot)
[anywhere]:143 (1/init)
[anywhere]:111 (501/rpcbind)
[anywhere]:465 (14208/master)
***.***.***.***:53 (11773/named)
[localhost]:53 (11773/named)
[anywhere]:21 (14600/pure-ftpd)
[anywhere]:22 (26354/sshd)
[localhost]:953 (11773/named)
[anywhere]:25 (14208/master)
[anywhere]:993 (1/init)
*:*:*:*::*:995 (14452/dovecot)
*:*:*:*::*:10023 (809/postgrey.pid)
*:*:*:*::*:10024 (14444/amavisd-new)
*:*:*:*::*:10026 (14444/amavisd-new)
*:*:*:*::*:587 (14208/master)
[localhost]10 (14452/dovecot)
[localhost]43 (1/init)
[localhost]11 (501/rpcbind)
*:*:*:*::*:8080 (5491/apache2)
*:*:*:*::*:80 (5491/apache2)
*:*:*:*::*:8081 (5491/apache2)
*:*:*:*::*:465 (14208/master)
*:*:*:*::*:53 (11773/named)
*:*:*:*::*:21 (14600/pure-ftpd)
*:*:*:*::*:22 (26354/sshd)
*:*:*:*::*:953 (11773/named)
*:*:*:*::*:25 (14208/master)
*:*:*:*::*:443 (5491/apache2)
*:*:*:*::*:35805 (510/rpc.statd)
*:*:*:*::*:993 (1/init)

##### IPTABLES #####
Chain INPUT (policy ACCEPT)
target                      prot opt source         destination
fail2ban-postfix-sasl       tcp  --  [anywhere]/0   [anywhere]/0   multiport dports 25
fail2ban-dovecot-pop3imap   tcp  --  [anywhere]/0   [anywhere]/0   multiport dports 110,995,143,993
fail2ban-pureftpd           tcp  --  [anywhere]/0   [anywhere]/0   multiport dports 21
fail2ban-ssh                tcp  --  [anywhere]/0   [anywhere]/0   multiport dports 22

Chain FORWARD (policy ACCEPT)
target                      prot opt source         destination

Chain OUTPUT (policy ACCEPT)
target                      prot opt source         destination

Chain fail2ban-dovecot-pop3imap (1 references)
target                      prot opt source         destination
RETURN                      all  --  [anywhere]/0   [anywhere]/0

Chain fail2ban-postfix-sasl (1 references)
target                      prot opt source         destination
RETURN                      all  --  [anywhere]/0   [anywhere]/0

Chain fail2ban-pureftpd (1 references)
target                      prot opt source         destination
RETURN                      all  --  [anywhere]/0   [anywhere]/0

Chain fail2ban-ssh (1 references)
target                      prot opt source         destination
RETURN                      all  --  [anywhere]/0   [anywhere]/0

Obviously there is something wrong behind the scenes, perhaps some file that was created wrongly by ISPConfig? As seen on this row from /var/log/letsencrypt/letsencrypt.log, shown in the first post:

Code:
CertStorageError: expected /etc/letsencrypt/live/sub.topdomain.com/cert.pem to be a symlink

There are errors for every domain, but as I said, only one domain has expired so far; the others still work but will face the same problem if this error isn't fixed.
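The error quoted above comes from certbot's storage layer, which requires every file in live/<name>/ to be a symlink into archive/<name>/ and refuses to renew a lineage otherwise. The following read-only check is an added example for this thread, not code from ISPConfig, certbot or the poster. It assumes certbot's standard layout (live/<name>/{cert,chain,fullchain,privkey}.pem pointing at archive/<name>/<kind><N>.pem), builds a constructed sample tree with the hypothetical lineages "good.example" and "bad.example" so it runs offline, and only plans the symlinks a repair would need without writing anything, so an operator can review the plan before touching /etc/letsencrypt.

```python
"""Audit a certbot config directory for the live/ -> archive/ symlink layout.

Added example, not certbot's or ISPConfig's own code.  Assumes certbot's
standard convention: live/<name>/<kind>.pem must be a symlink to
../../archive/<name>/<kind><N>.pem.  Point find_broken_lineages() at
/etc/letsencrypt to inspect a real host; nothing here modifies the tree.
"""
import os
import re
import tempfile

LINK_NAMES = ("cert", "chain", "fullchain", "privkey")


def find_broken_lineages(config_dir):
    """Return {lineage: [problem, ...]} for every live/<lineage> whose
    expected files are missing, regular files, or dangling symlinks."""
    live = os.path.join(config_dir, "live")
    problems = {}
    if not os.path.isdir(live):
        return problems
    for name in sorted(os.listdir(live)):
        lineage_dir = os.path.join(live, name)
        if not os.path.isdir(lineage_dir):
            continue  # certbot keeps a README next to the lineage dirs
        issues = []
        for kind in LINK_NAMES:
            path = os.path.join(lineage_dir, kind + ".pem")
            if not os.path.lexists(path):
                issues.append("%s.pem is missing" % kind)
            elif not os.path.islink(path):
                issues.append("%s.pem is a regular file, not a symlink" % kind)
            elif not os.path.exists(path):
                issues.append("%s.pem is a dangling symlink" % kind)
        if issues:
            problems[name] = issues
    return problems


def plan_repair(config_dir, lineage):
    """Return {link_path: relative_target} pointing live/<lineage>/*.pem at the
    newest certN.pem in archive/<lineage>/.  A plan only: nothing is written."""
    archive = os.path.join(config_dir, "archive", lineage)
    versions = [int(m.group(1)) for m in
                (re.match(r"cert(\d+)\.pem$", f) for f in os.listdir(archive)) if m]
    if not versions:
        raise ValueError("no certN.pem found in %s" % archive)
    newest = max(versions)
    plan = {}
    for kind in LINK_NAMES:
        link = os.path.join(config_dir, "live", lineage, kind + ".pem")
        plan[link] = os.path.join("..", "..", "archive", lineage,
                                  "%s%d.pem" % (kind, newest))
    return plan


def build_sample_tree():
    """Construct a throwaway config dir (constructed data, not a real host):
    'good.example' is laid out correctly with two archived versions;
    'bad.example' has plain copies in live/, the state certbot rejects."""
    root = tempfile.mkdtemp(prefix="le-sample-")
    for lineage, versions in (("good.example", (1, 2)), ("bad.example", (1,))):
        arch = os.path.join(root, "archive", lineage)
        live = os.path.join(root, "live", lineage)
        os.makedirs(arch)
        os.makedirs(live)
        for n in versions:
            for kind in LINK_NAMES:
                with open(os.path.join(arch, "%s%d.pem" % (kind, n)), "w") as fh:
                    fh.write("-----BEGIN CONSTRUCTED PLACEHOLDER-----\n")
        newest = max(versions)
        for kind in LINK_NAMES:
            target = os.path.join("..", "..", "archive", lineage,
                                  "%s%d.pem" % (kind, newest))
            link = os.path.join(live, kind + ".pem")
            if lineage == "good.example":
                os.symlink(target, link)
            else:
                with open(link, "w") as fh:  # a copy instead of a link
                    fh.write("-----BEGIN CONSTRUCTED PLACEHOLDER-----\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for lineage, issues in find_broken_lineages(root).items():
        print(lineage)
        for issue in issues:
            print("  " + issue)
        for link, target in plan_repair(root, lineage).items():
            print("  would link %s -> %s" % (link, target))
```

Run against the sample tree it reports only bad.example, with all four files flagged as regular files, and prints the relative targets a repair would set. The planner picks the highest-numbered certN.pem so that a lineage which has been renewed several times is pointed at its newest material rather than the first issuance.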
Have you tried the trick of:
- unselect Let's Encrypt for that website
- save
- wait two minutes
- select Let's Encrypt back for that website
- save
See logs and check whether it works now.

You got a complaint about an old certbot version. There is a new one available in Jessie Backports: https://packages.debian.org/jessie-backports/certbot
Alright, I updated certbot with Jessie Backports enabled, so that should be OK now at least. I did your trick with unselect, save, wait, select, wait, and nope, it still doesn't work. Let's Encrypt is still checked in ISPConfig for that website, so it didn't just fail out at least. Here is the logfile:

Code:
2018-03-20 15:31:09,898:DEBUG:certbot.main:Root logging level set at 20
2018-03-20 15:31:09,900:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-03-20 15:31:09,901:DEBUG:certbot.main:certbot version: 0.10.2
2018-03-20 15:31:09,901:DEBUG:certbot.main:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v01.api.letsencrypt.org/directory', '--rsa-key-size', '4096', '--email', '[email protected]', '--domains', 'sub.topdomain.com', '--webroot-path', '/usr/local/ispconfig/interface/acme']
2018-03-20 15:31:09,903:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2018-03-20 15:31:09,904:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2018-03-20 15:31:09,912:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7fd197fa2d50>
Prep: True
2018-03-20 15:31:09,914:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7fd197fa2d50> and installer None
2018-03-20 15:31:10,579:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/letsencrypt", line 11, in <module>
    load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 621, in obtain_cert
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 399, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 364, in _determine_account
    acc = display_ops.choose_account(accounts)
  File "/usr/lib/python2.7/dist-packages/certbot/display/ops.py", line 83, in choose_account
    "Please choose an account", labels, force_interactive=True)
  File "/usr/lib/python2.7/dist-packages/certbot/display/util.py", line 480, in menu
    self._interaction_fail(message, cli_flag, "Choices: " + repr(choices))
  File "/usr/lib/python2.7/dist-packages/certbot/display/util.py", line 442, in _interaction_fail
    raise errors.MissingCommandlineFlag(msg)
MissingCommandlineFlag: Missing command line flag or config entry for this setting: Please choose an account
Choices: ['sub.topdomain.com@2018-02-06T10:55:35Z (802d)', 'old_account...@2017-06-12T12:26:31Z (a2f5)']

I have two accounts also, one for the new "server" and one for the old one that just got back when I reinstalled the server. Some weeks ago I accidentally removed files that weren't possible to restore, so I just flushed the server and reinstalled it according to a Perfect Server guide for Debian Jessie. All great, except Let's Encrypt couldn't get the certificates back for some reason. Till said that I should deactivate the Let's Encrypt check, and after that it downloaded the certificates and it worked, until now, when the certificates can't renew.

Anyhow, I didn't think about the account when I reinstalled the server, so apparently the "old_account" got downloaded and I have two separate ones now. Maybe this is why it fails to renew the certificates? Not sure how to remove an account; maybe this could solve the problem?
Did a "certbot renew --dry-run" and got the following log:

Code:
2018-03-20 15:39:32,539:DEBUG:certbot.main:Root logging level set at 20
2018-03-20 15:39:32,541:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-03-20 15:39:32,543:DEBUG:certbot.main:certbot version: 0.10.2
2018-03-20 15:39:32,543:DEBUG:certbot.main:Arguments: ['--dry-run']
2018-03-20 15:39:32,544:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2018-03-20 15:39:32,567:WARNING:certbot.storage:Attempting to parse the version 0.18.1 renewal configuration file found at /etc/letsencrypt/renewal/registrera.topdomain.com-0001.conf with version 0.10.2 of Certbot. This might not work.
2018-03-20 15:39:32,569:WARNING:certbot.renewal:expected /etc/letsencrypt/live/registrera.topdomain.com-0001/cert.pem to be a symlink
2018-03-20 15:39:32,569:WARNING:certbot.renewal:Renewal configuration file /etc/letsencrypt/renewal/registrera.topdomain.com-0001.conf is broken. Skipping.
2018-03-20 15:39:32,586:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 59, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python2.7/dist-packages/certbot/storage.py", line 392, in __init__
    self._check_symlinks()
  File "/usr/lib/python2.7/dist-packages/certbot/storage.py", line 431, in _check_symlinks
    "expected {0} to be a symlink".format(link))
CertStorageError: expected /etc/letsencrypt/live/registrera.topdomain.com-0001/cert.pem to be a symlink
2018-03-20 15:39:32,589:WARNING:certbot.storage:Attempting to parse the version 0.18.1 renewal configuration file found at /etc/letsencrypt/renewal/dev.topdomain.com.conf with version 0.10.2 of Certbot. This might not work.
2018-03-20 15:39:32,591:WARNING:certbot.renewal:expected /etc/letsencrypt/live/dev.topdomain.com/cert.pem to be a symlink
2018-03-20 15:39:32,591:WARNING:certbot.renewal:Renewal configuration file /etc/letsencrypt/renewal/dev.topdomain.com.conf is broken. Skipping.
2018-03-20 15:39:32,591:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 59, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python2.7/dist-packages/certbot/storage.py", line 392, in __init__
    self._check_symlinks()
  File "/usr/lib/python2.7/dist-packages/certbot/storage.py", line 431, in _check_symlinks
    "expected {0} to be a symlink".format(link))
CertStorageError: expected /etc/letsencrypt/live/dev.topdomain.com/cert.pem to be a symlink
2018-03-20 15:39:32,594:WARNING:certbot.storage:Attempting to parse the version 0.15.0 renewal configuration file found at /etc/letsencrypt/renewal/topdomain.com.conf with version 0.10.2 of Certbot. This might not work.
2018-03-20 15:39:32,595:WARNING:certbot.renewal:expected /etc/letsencrypt/live/topdomain.com/cert.pem to be a symlink
2018-03-20 15:39:32,595:WARNING:certbot.renewal:Renewal configuration file /etc/letsencrypt/renewal/topdomain.com.conf is broken. Skipping.
2018-03-20 15:39:32,595:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 59, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python2.7/dist-packages/certbot/storage.py", line 392, in __init__
    self._check_symlinks()
  File "/usr/lib/python2.7/dist-packages/certbot/storage.py", line 431, in _check_symlinks
    "expected {0} to be a symlink".format(link))
CertStorageError: expected /etc/letsencrypt/live/topdomain.com/cert.pem to be a symlink
2018-03-20 15:39:32,598:WARNING:certbot.storage:Attempting to parse the version 0.18.1 renewal configuration file found at /etc/letsencrypt/renewal/connect.topdomain.com.conf with version 0.10.2 of Certbot. This might not work.
2018-03-20 15:39:32,599:WARNING:certbot.renewal:expected /etc/letsencrypt/live/connect.topdomain.com/cert.pem to be a symlink
2018-03-20 15:39:32,599:WARNING:certbot.renewal:Renewal configuration file /etc/letsencrypt/renewal/connect.topdomain.com.conf is broken. Skipping.
2018-03-20 15:39:32,599:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 59, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python2.7/dist-packages/certbot/storage.py", line 392, in __init__
    self._check_symlinks()
  File "/usr/lib/python2.7/dist-packages/certbot/storage.py", line 431, in _check_symlinks
    "expected {0} to be a symlink".format(link))
CertStorageError: expected /etc/letsencrypt/live/connect.topdomain.com/cert.pem to be a symlink
2018-03-20 15:39:32,602:WARNING:certbot.storage:Attempting to parse the version 0.18.1 renewal configuration file found at /etc/letsencrypt/renewal/connect.topdomain.com-0001.conf with version 0.10.2 of Certbot. This might not work.
2018-03-20 15:39:32,603:WARNING:certbot.renewal:expected /etc/letsencrypt/live/connect.topdomain.com-0001/cert.pem to be a symlink
2018-03-20 15:39:32,603:WARNING:certbot.renewal:Renewal configuration file /etc/letsencrypt/renewal/connect.topdomain.com-0001.conf is broken. Skipping.
2018-03-20 15:39:32,603:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 59, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python2.7/dist-packages/certbot/storage.py", line 392, in __init__
    self._check_symlinks()
  File "/usr/lib/python2.7/dist-packages/certbot/storage.py", line 431, in _check_symlinks
    "expected {0} to be a symlink".format(link))
CertStorageError: expected /etc/letsencrypt/live/connect.topdomain.com-0001/cert.pem to be a symlink
2018-03-20 15:39:32,606:WARNING:certbot.storage:Attempting to parse the version 0.18.1 renewal configuration file found at /etc/letsencrypt/renewal/registrera.topdomain.com.conf with version 0.10.2 of Certbot. This might not work.
2018-03-20 15:39:32,607:WARNING:certbot.renewal:expected /etc/letsencrypt/live/registrera.topdomain.com/cert.pem to be a symlink
2018-03-20 15:39:32,607:WARNING:certbot.renewal:Renewal configuration file /etc/letsencrypt/renewal/registrera.topdomain.com.conf is broken. Skipping.
2018-03-20 15:39:32,607:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 59, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python2.7/dist-packages/certbot/storage.py", line 392, in __init__
    self._check_symlinks()
  File "/usr/lib/python2.7/dist-packages/certbot/storage.py", line 431, in _check_symlinks
    "expected {0} to be a symlink".format(link))
CertStorageError: expected /etc/letsencrypt/live/registrera.topdomain.com/cert.pem to be a symlink
2018-03-20 15:39:32,617:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 655, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 430, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 0 renew failure(s), 6 parse failure(s)
Slept on the issue, continued searching this morning, even before work starts! Wooh! Anyhow, found this thread:
https://community.letsencrypt.org/t...example-com-cert-pem-to-be-a-symlink/46622/14

The solution, for now at least:

After that I did a raw "certbot renew" and it worked. I got a new certificate for the domain I needed and it also updated two of the others that needed an update. I guess that ISPConfig or Certbot, as installed by the Howtoforge Perfect Server guide, will continue to update the certificates now as it has in the past? I guess the symlink problems were just a temporary hiccup. If not, it's a rather simple fix yourself until someone figures out which program is causing the problems.

Thanks Taleman for nudging me in the right direction to find the problem!