Let’s Encrypt Free TLS/SSL Certificate Renewal Errors

When I launched this Web site in 2015, I was using a very cheap VPS which costs $10 per year. I obtained a free TLS/SSL certificate from Let’s Encrypt and configured Nginx to serve HTTPS traffic.

In March 2016, I migrated my Web site to a DigitalOcean SSD cloud server which costs $5 per month. To continue serving HTTPS traffic, I also needed to transfer my TLS/SSL certificate to the new server.

Nginx requires two files to serve HTTPS traffic: a full chain certificate and your private key. In the case of Let’s Encrypt, these two files are located at:

/etc/letsencrypt/live/your-site.com/fullchain.pem

/etc/letsencrypt/live/your-site.com/privkey.pem

Strictly speaking, these two files are symbolic links that point to the following two files respectively.

/etc/letsencrypt/archive/your-site.com/fullchain1.pem

/etc/letsencrypt/archive/your-site.com/privkey1.pem

So I thought I simply needed to copy the above two files to my DigitalOcean SSD server, and I did so.

The Problem of Certificate Renewal

As you probably know, Let’s Encrypt certificates last 90 days. You have to renew your certificates every 3 months.

I had difficulty renewing my certificate because I only had fullchain1.pem and privkey1.pem on my server. All other files related to Let’s Encrypt were gone. These two files enable Nginx to serve HTTPS traffic, but they are not sufficient when you renew your certificates.

The command that I use to renew certificate is

sudo letsencrypt renew

But the Let’s Encrypt client did not try to renew my certificate. This is because the client relies on a renewal configuration file to know how to renew your certificates, i.e., which plugin and which options to use.

So I found a sample renewal configuration file and created one with the command below.

sudo nano /etc/letsencrypt/renewal/linuxbabe.com.conf

And put the following lines in the file.

cert = /etc/letsencrypt/live/linuxbabe.com/cert.pem
privkey = /etc/letsencrypt/live/linuxbabe.com/privkey.pem
chain = /etc/letsencrypt/live/linuxbabe.com/chain.pem
fullchain = /etc/letsencrypt/live/linuxbabe.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 7b3fa88c32887c234036234f6cc6358ab
webroot_path = /usr/share/nginx/linuxbabe.com,
[[webroot_map]]
linuxbabe.com = /usr/share/nginx/linuxbabe.com

The above configuration tells the Let’s Encrypt client to use the Webroot plugin to renew the certificate. Then run the renew command again. The first error I encountered was:

renewal configuration file is broken

There were two reasons:

  1. I didn’t have the cert.pem and chain.pem files on my server.
  2. I used the real files instead of symbolic links.

cert.pem is your certificate issued by Let’s Encrypt, and chain.pem is the intermediate certificate of Let’s Encrypt which is issued by a root certificate authority. These two files are used to create the fullchain.pem file. You can find that cert.pem is above chain.pem in the fullchain.pem file.

So to get cert.pem and chain.pem, simply copy the upper half of fullchain.pem (the first block, from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----) and save it to a file named cert.pem. Then copy the lower half of fullchain.pem and save it to a file named chain.pem.

Now I have cert.pem, chain.pem, fullchain.pem and privkey.pem under the /etc/letsencrypt/archive/linuxbabe.com directory.

Then create symbolic links.

sudo ln -sf /etc/letsencrypt/archive/linuxbabe.com/cert.pem /etc/letsencrypt/live/linuxbabe.com/cert.pem

sudo ln -sf /etc/letsencrypt/archive/linuxbabe.com/chain.pem /etc/letsencrypt/live/linuxbabe.com/chain.pem

sudo ln -sf /etc/letsencrypt/archive/linuxbabe.com/fullchain.pem /etc/letsencrypt/live/linuxbabe.com/fullchain.pem

sudo ln -sf /etc/letsencrypt/archive/linuxbabe.com/privkey.pem /etc/letsencrypt/live/linuxbabe.com/privkey.pem

Run the certificate renew command again.

sudo letsencrypt renew

This time, I got this error:

max() arg is an empty sequence

This is a common Python error message, but it doesn’t tell you what really happened. The client looks for numbered files such as cert1.pem in the archive directory and found none. To solve this error, I simply needed to rename the four pem files under /etc/letsencrypt/archive/linuxbabe.com/.

cd /etc/letsencrypt/archive/linuxbabe.com

mv cert.pem cert1.pem

mv chain.pem chain1.pem

mv fullchain.pem fullchain1.pem

mv privkey.pem privkey1.pem

Then create the symbolic links again, this time pointing at the renamed files. Now I can renew my certificate without problems.
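The split, numbered-name and symlink steps above can be scripted. The following is an added example, not code from the original article or from the Let’s Encrypt client; the function names and the example.com domain are hypothetical, and it assumes fullchain1.pem holds your certificate followed by the intermediate.

```shell
#!/bin/sh
# Added example, not certbot's own code. Function names are hypothetical.

# split_fullchain FULLCHAIN ARCHIVE_DIR
# First PEM block -> cert1.pem (your certificate); the rest -> chain1.pem.
split_fullchain() {
    awk -v leaf="$2/cert1.pem" -v rest="$2/chain1.pem" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > leaf }
        n >= 2 { print > rest }
        END { if (n < 2) exit 1 }  # need certificate plus intermediate
    ' "$1"
}

# link_lineage ARCHIVE_DIR LIVE_DIR
# Point live/<name>.pem at the numbered archive/<name>1.pem files.
link_lineage() {
    mkdir -p "$2"
    for name in cert chain fullchain privkey; do
        if [ ! -f "$1/${name}1.pem" ]; then
            echo "missing $1/${name}1.pem" >&2
            return 1
        fi
        ln -sf "$1/${name}1.pem" "$2/$name.pem"
    done
    chmod 600 "$1/privkey1.pem"  # keep the copied private key owner-only
}

# Constructed demo: placeholder PEM blocks (not real certificates) in a
# temporary directory; example.com is a placeholder domain.
demo() {
    d=$(mktemp -d)
    a="$d/archive/example.com"
    mkdir -p "$a"
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'TEVBRg==' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'SU5URVJNRURJQVRF' '-----END CERTIFICATE-----' \
        > "$a/fullchain1.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'S0VZ' \
        '-----END PRIVATE KEY-----' > "$a/privkey1.pem"
    split_fullchain "$a/fullchain1.pem" "$a" || return 1
    link_lineage "$a" "$d/live/example.com" || return 1
    echo "$d"  # print the temp dir so the result can be inspected
}
```

Calling demo prints the temporary directory it populated; on a real server, pass the archive and live directories for your own domain to the two functions instead.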
