What to do if parsing of renewal config file fails? #2550

Open
lu-x opened this Issue Feb 25, 2016 · 23 comments

lu-x commented Feb 25, 2016

Seems like one of my config files is broken somehow.
I get this when trying to renew my cert:
WARNING:letsencrypt.cli:Renewal configuration file /etc/letsencrypt/renewal/*.conf is broken. Skipping. and
Additionally, the following renewal configuration files were invalid: /path/to/conf (parsefail)

pde commented Feb 25, 2016

That's odd. Is there anything in /etc/letsencrypt/renewal/?

pde commented Feb 25, 2016

Also, what version of the client are you running?

pde commented Feb 25, 2016

Or is it possible that you actually edited the output to make it say *.conf? Because I can't see how the 0.4.0 client could have produced that message...

pde commented Feb 25, 2016

In general, you either want to fix the renewal conf file, or delete it and optionally the associated certs in /etc/letsencrypt/live and /etc/letsencrypt/archive, then re-obtain the cert; when you do that, you'll get a new and correct renewal conf file...

But my questions about the mysterious *.conf in your error message still stand.

lu-x commented Feb 26, 2016

Yep, sorry. * is a placeholder for my domain. OK, thanks, I'll try.

lu-x commented Feb 26, 2016

Don't know exactly what is broken. I obtained a new certificate for the same domain. Now the folder is named domain-0001 in /etc/letsencrypt/live/.
Also, I'm not able to revoke the old cert (I get: letsencrypt: error: argument --cert-path: No such file or directory).

bmw commented Feb 26, 2016

Don't know exactly what is broken. I obtained a new certificate for the same domain. Now the folder is named domain-0001 in /etc/letsencrypt/live/.

If you want the folder to use the same name, you should delete (or move) the files/directories /etc/letsencrypt/renewal/domain.conf, /etc/letsencrypt/live/domain, and /etc/letsencrypt/archive/domain. If the certificates you're having problems with are the only ones you care about on this system, it may be easier to just delete (or move) the entire /etc/letsencrypt directory.

Also, i'm not able to revoke the old cert (i get: letsencrypt: error: argument --cert-path: No such file or directory).

I have to ask, does the path you provided to --cert-path exist?

lu-x commented Feb 28, 2016

Renaming the files/directories didn't work. I got the parser error again. However, after changing it back, everything seems to work fine.
A little off-topic: is it safe to delete revoked certificate folders?

pcav commented Mar 3, 2016

I have the same error, and the file is empty. Any suggestion on how to properly fix this would be welcome.

bmw commented Mar 7, 2016

@kas70, yes, it should be safe to delete revoked certificate folders. To do this properly, you should delete /etc/letsencrypt/archive/<domain>, /etc/letsencrypt/live/<domain>, and /etc/letsencrypt/renewal/<domain>.conf (assuming default paths).

@pcav, your file in /etc/letsencrypt/renewal/domain.conf is empty? Can you describe what you've done with letsencrypt so far?

pcav commented Mar 8, 2016

Thanks. Yes, the file is empty. Sorry I did too many attempts, and I cannot replicate the steps.
I'm waiting to be allowed to issue new certificates, I'll redo all more cleanly and I'll report back.

gonchs commented Mar 16, 2016

In case it may help someone, the parsefail issue could also occur because the cert files in /etc/letsencrypt/live/yoursite.com are NOT symlinked from /etc/letsencrypt/archive/yoursite.com. This fixed it for me:

sudo mv /etc/letsencrypt/live/yoursite.com/fullchain.pem /etc/letsencrypt/live/yoursite.com/fullchain.pem.old
sudo ln -s /etc/letsencrypt/archive/yoursite.com/fullchain1.pem /etc/letsencrypt/live/yoursite.com/fullchain.pem

sudo mv /etc/letsencrypt/live/yoursite.com/cert.pem /etc/letsencrypt/live/yoursite.com/cert.pem.old
sudo ln -s /etc/letsencrypt/archive/yoursite.com/cert1.pem /etc/letsencrypt/live/yoursite.com/cert.pem

sudo mv /etc/letsencrypt/live/yoursite.com/chain.pem /etc/letsencrypt/live/yoursite.com/chain.pem.old
sudo ln -s /etc/letsencrypt/archive/yoursite.com/chain1.pem /etc/letsencrypt/live/yoursite.com/chain.pem

sudo mv /etc/letsencrypt/live/yoursite.com/privkey.pem /etc/letsencrypt/live/yoursite.com/privkey.pem.old
sudo ln -s /etc/letsencrypt/archive/yoursite.com/privkey1.pem /etc/letsencrypt/live/yoursite.com/privkey.pem

lukyer commented Mar 20, 2016

@gonchs thanks, it helped me with this issue!

AykutCevik commented May 6, 2016

@gonchs Thanks!

meansl63 commented May 18, 2016

gonchs - this was the exact fix I needed for my renew process to work after being broken. Thanks a lot.

keith24 commented Jun 4, 2016

@kas70 Taking a wild guess here... You don't have wildcards in your letsencrypt.cli, do you? They aren't supported.

alexweissman commented Aug 17, 2016

I'm having this problem with nginx on Ubuntu:

WARNING:letsencrypt.cli:Renewal configuration file /etc/letsencrypt/renewal/<site>.conf is broken. Skipping.
** DRY RUN: simulating 'letsencrypt renew' close to cert expiry
**          (The test certificates below have not been saved.)

No renewals were attempted.

Additionally, the following renewal configuration files were invalid: 
  /etc/letsencrypt/renewal/<site>.conf (parsefail)
** DRY RUN: simulating 'letsencrypt renew' close to cert expiry
**          (The test certificates above have not been saved.)
0 renew failure(s), 1 parse failure(s)

My symlinks are correct.

egeu5 commented Aug 18, 2016

I had the same issue - all the symlinks were correct. I tried different solutions but none worked for me. In the end it was fixed by:

  1. mv /etc/letsencrypt/renewal/YOURDOMAIN.conf /etc/letsencrypt/renewal/YOURDOMAIN.conf.old
  2. mv /etc/letsencrypt/archive/ /etc/letsencrypt/archive.old
  3. Run certbot certonly --webroot -w /var/www/html/SOMEDIRECTORY/ -d SOMEDOMAIN.bla (In my opinion you should always try it with --dry-run first)
  4. Furthermore, the certificates were saved under a new location (instead of /etc/letsencrypt/live/mydomein.bla/ they were now in /etc/letsencrypt/live/SOMEDOMAIN.bla-0001/), so I had to edit the config files of the domains (e.g. nano /etc/httpd/sites-enabled/YOURDOMAIN.bla-le-ssl.conf and change the path lines of the cert, privkey and chain).
    It's not a real solution but it worked for me.
    I'm using CentOS 7 - some files are saved under a different location if you use another distro (e.g. /etc/apache instead of /etc/httpd).

alexweissman commented Aug 18, 2016

For me, it ended up being a combination of issues:

  • Updating from letsencrypt to the new certbot client.
  • Permissions. I have root login disabled on my VPS. When I ran certbot-auto renew it still failed with a "parse error", but then when I ran sudo certbot-auto renew, it succeeded!

I didn't want to have to run as root so I gave my user account ownership and permissions of my config file, as well as my certs and the log file, but certbot-auto renew still failed with a "parse error". So, it looks like it has to be run with root permissions. Fortunately, adding it to sudo crontab -e seems to let it run as root automatically now.

I think some checking of required permissions, and more verbosity than just "parse error", would be extremely helpful here.
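The failure modes collected in this thread (pcav's empty renewal conf, gonchs's live/ files that are plain copies instead of symlinks into archive/, and the permission problem described just above) can all be checked before running a renewal. The following POSIX shell diagnostic is an added example, not certbot's own code; it assumes certbot's default renewal/, live/ and archive/ layout under the base directory you pass it, and the hypothetical function name check_lineage.

```shell
#!/bin/sh
# Added diagnostic, not part of certbot: checks the on-disk conditions that the
# comments above tie to a "parsefail" for one certificate lineage: a missing,
# unreadable (not root) or empty renewal conf, and live/<domain>/ entries that
# are plain files or broken links instead of symlinks into archive/<domain>/.
# Assumes certbot's default layout under BASE (normally /etc/letsencrypt).
#
# Usage: check_lineage BASE DOMAIN     e.g. check_lineage /etc/letsencrypt example.com
# Prints one line per finding; returns the number of findings (0 means clean).

check_lineage() {
    base=$1
    domain=$2
    problems=0
    conf="$base/renewal/$domain.conf"
    live="$base/live/$domain"
    archive="$base/archive/$domain"

    if [ ! -e "$conf" ]; then
        echo "MISSING   $conf"; problems=$((problems + 1))
    elif [ ! -r "$conf" ]; then
        echo "UNREADABLE $conf (run as root, or fix ownership)"; problems=$((problems + 1))
    elif [ ! -s "$conf" ]; then
        echo "EMPTY     $conf (zero bytes; certbot reports this as parsefail)"; problems=$((problems + 1))
    fi

    # Canonical archive path, so relative link targets (../../archive/...) compare equal.
    archive_real=$(cd "$archive" 2>/dev/null && pwd -P) || archive_real=""

    for name in cert chain fullchain privkey; do
        f="$live/$name.pem"
        if [ ! -e "$f" ] && [ ! -L "$f" ]; then
            echo "MISSING   $f"; problems=$((problems + 1))
        elif [ ! -L "$f" ]; then
            echo "NOTLINK   $f is a regular file; expected a symlink into $archive"; problems=$((problems + 1))
        else
            target=$(readlink "$f")
            # Resolve the link target relative to the live/ directory it sits in.
            absdir=$(cd "$live" 2>/dev/null && cd "$(dirname "$target")" 2>/dev/null && pwd -P) || absdir=""
            abs="$absdir/$(basename "$target")"
            case "$abs" in
                "$archive_real"/"$name"[0-9]*.pem) ;;
                *) echo "BADLINK   $f -> $target (expected $archive/${name}N.pem)"; problems=$((problems + 1)) ;;
            esac
            [ -e "$abs" ] || { echo "DANGLING  $f -> $target"; problems=$((problems + 1)); }
        fi
    done
    return $problems
}
```

Run it as the same user that runs certbot renew (or the cron job), since the UNREADABLE check only tells you something about that user's permissions.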

helgatheviking commented Sep 7, 2016

Updating from letsencrypt to the new certbot client.

This helped me too. The install from the ubuntu repo is apparently still letsencrypt. I had to install from a git clone. Though renewal still won't run successfully while apache is running, but I presume that's a different issue.

vstokarev commented Mar 16, 2017

I had the same issue and resolved it by just copying conf file from another domain and replacing domain name in its name and its content. Can be helpful if you have several domains and one of them doesn't want to renew, but another one works fine.

counterpoint commented Aug 5, 2017

I'm having this problem with certbot version 0.10.2 in Debian Stretch. A number of domains were set up, so far as I know in exactly the same way. When attempting "certbot renew" 13 domains appear correct - currently they are listed and skipped as renewal is not yet needed. But the other 7 are listed under "Additionally, the following renewal configuration files were invalid:". Each one is listed as "/etc/letsencrypt/renewal/example.com.conf (parsefail)". I cannot see any difference between the files that are described as "parsefail" and the corresponding files that do not fail (apart from the different domain names). All the files mentioned in the .conf file exist, are owned by root and have reasonable permissions. Is there any robust solution for this?

counterpoint commented Aug 5, 2017

Probably my fault, although I don't know how. Deleting and recreating the problem domains fixed it.
