
What to do if parsing of renewal config file fails? #2550

Closed
lu-x opened this issue Feb 25, 2016 · 28 comments

Comments

@lu-x lu-x commented Feb 25, 2016

Seems like one of my config-files is broken somehow.
I get this when trying to renew my cert:
WARNING:letsencrypt.cli:Renewal configuration file /etc/letsencrypt/renewal/*.conf is broken. Skipping. and
Additionally, the following renewal configuration files were invalid: /path/to/conf (parsefail)

@pde pde (Member) commented Feb 25, 2016

That's odd. Is there anything in /etc/letsencrypt/renewal/?

@pde pde (Member) commented Feb 25, 2016

Also, what version of the client are you running?

@pde pde (Member) commented Feb 25, 2016

Or is it possible that you actually edited the output to make it say *.conf? Because I can't see how the 0.4.0 client could have produced that message...

@pde pde (Member) commented Feb 25, 2016

In general, you either want to fix the renewal conf file, or delete it and optionally the associated certs in /etc/letsencrypt/live and /etc/letsencrypt/archive, then re-obtain the cert; when you do that, you'll get a new and correct renewal conf file...

But my questions about the mysterious *.conf in your error message still stand.

@lu-x lu-x (Author) commented Feb 26, 2016

Yep, sorry. * is a placeholder for my domain. OK, thanks, I'll try.

@lu-x lu-x (Author) commented Feb 26, 2016

Don't know exactly what is broken. I obtained a new certificate for the same domain. Now the folder is named domain-0001 in /etc/letsencrypt/live/.
Also, I'm not able to revoke the old cert (I get: letsencrypt: error: argument --cert-path: No such file or directory).

@bmw bmw (Member) commented Feb 26, 2016

Don't know exactly what is broken. I obtained a new certificate for the same domain. Now the folder is named domain-0001 in /etc/letsencrypt/live/.

If you want the folder to use the same name, you should delete (or move) the files/directories /etc/letsencrypt/renewal/domain.conf, /etc/letsencrypt/live/domain, and /etc/letsencrypt/archive/domain. If the certificates you're having problems with are the only ones you care about on this system, it may be easier to just delete (or move) the entire /etc/letsencrypt directory.

Also, i'm not able to revoke the old cert (i get: letsencrypt: error: argument --cert-path: No such file or directory).

I have to ask, does the path you provided to --cert-path exist?

@lu-x lu-x (Author) commented Feb 28, 2016

Renaming the files/directories didn't work. I got the parser error again. However, after changing it back, everything seems to work fine.
A little off-topic: Is it safe to delete revoked certificate folders?

@pcav pcav commented Mar 3, 2016

I have the same error, and the file is empty. Any suggestion on how to properly fix this would be welcome.

@bmw bmw (Member) commented Mar 7, 2016

@kas70, yes, it should be safe to delete revoked certificate folders. To do this properly, you should delete /etc/letsencrypt/archive/<domain>, /etc/letsencrypt/live/<domain>, and /etc/letsencrypt/renewal/<domain>.conf (assuming default paths).

@pcav, your file in /etc/letsencrypt/renewal/domain.conf is empty? Can you describe what you've done with letsencrypt so far?

@pcav pcav commented Mar 8, 2016

Thanks. Yes, the file is empty. Sorry, I made too many attempts, and I cannot replicate the steps.
I'm waiting to be allowed to issue new certificates; I'll redo it all more cleanly and report back.

@ghost ghost commented Mar 16, 2016

In case it may help someone, the parsefail issue can also occur because the cert files in /etc/letsencrypt/live/yoursite.com are NOT symlinked from /etc/letsencrypt/archive/yoursite.com. This fixed it for me:

sudo mv /etc/letsencrypt/live/yoursite.com/fullchain.pem /etc/letsencrypt/live/yoursite.com/fullchain.pem.old
sudo ln -s /etc/letsencrypt/archive/yoursite.com/fullchain1.pem /etc/letsencrypt/live/yoursite.com/fullchain.pem

sudo mv /etc/letsencrypt/live/yoursite.com/cert.pem /etc/letsencrypt/live/yoursite.com/cert.pem.old
sudo ln -s /etc/letsencrypt/archive/yoursite.com/cert1.pem /etc/letsencrypt/live/yoursite.com/cert.pem

sudo mv /etc/letsencrypt/live/yoursite.com/chain.pem /etc/letsencrypt/live/yoursite.com/chain.pem.old
sudo ln -s /etc/letsencrypt/archive/yoursite.com/chain1.pem /etc/letsencrypt/live/yoursite.com/chain.pem

sudo mv /etc/letsencrypt/live/yoursite.com/privkey.pem /etc/letsencrypt/live/yoursite.com/privkey.pem.old
sudo ln -s /etc/letsencrypt/archive/yoursite.com/privkey1.pem /etc/letsencrypt/live/yoursite.com/privkey.pem

@lukyer lukyer commented Mar 20, 2016

@gonchs thanks, it helped me with this issue!

@AykutCevik AykutCevik commented May 6, 2016

@gonchs Thanks!

@meansl63 meansl63 commented May 18, 2016

gonchs - this was the exact fix I needed for my renew process to work after being broken. Thanks a lot.

@keith24 keith24 commented Jun 4, 2016

@kas70 Taking a wild guess here... You don't have wildcards in your letsencrypt.cli, do you? They aren't supported.

@alexweissman alexweissman commented Aug 17, 2016

I'm having this problem with nginx on Ubuntu:

WARNING:letsencrypt.cli:Renewal configuration file /etc/letsencrypt/renewal/<site>.conf is broken. Skipping.
** DRY RUN: simulating 'letsencrypt renew' close to cert expiry
**          (The test certificates below have not been saved.)

No renewals were attempted.

Additionally, the following renewal configuration files were invalid: 
  /etc/letsencrypt/renewal/<site>.conf (parsefail)
** DRY RUN: simulating 'letsencrypt renew' close to cert expiry
**          (The test certificates above have not been saved.)
0 renew failure(s), 1 parse failure(s)

My symlinks are correct.

@egeu5 egeu5 commented Aug 18, 2016

I had the same issue - all the symlinks were correct. I tried different solutions but none worked for me. In the end it was fixed by:

  1. mv /etc/letsencrypt/renewal/YOURDOMAIN.conf /etc/letsencrypt/renewal/YOURDOMAIN.conf.old
  2. mv /etc/letsencrypt/archive/ /etc/letsencrypt/archive.old
  3. Run certbot certonly --webroot -w /var/www/html/SOMEDIRECTORY/ -d SOMEDOMAIN.bla (in my opinion you should always try it with --dry-run first)
  4. Furthermore, the certificates were saved under a new location (instead of /etc/letsencrypt/live/mydomain.bla/ they were now in /etc/letsencrypt/live/SOMEDOMAIN.bla-0001/), so I had to edit the config files of the domains (e.g. nano /etc/httpd/sites-enabled/YOURDOMAIN.bla-le-ssl.conf and change the path lines of the cert, privkey and chain).
     It's not a real solution but it worked for me.
     I'm using CentOS 7 - some files are saved under a different location if you use another distro (e.g. /etc/apache instead of /etc/httpd).

@alexweissman alexweissman commented Aug 18, 2016

For me, it ended up being a combination of issues:

  • Updating from letsencrypt to the new certbot client.
  • Permissions. I have root login disabled on my VPS. When I ran certbot-auto renew it still failed with a "parse error", but then when I ran sudo certbot-auto renew, it succeeded!

I didn't want to have to run as root so I gave my user account ownership and permissions of my config file, as well as my certs and the log file, but certbot-auto renew still failed with a "parse error". So, it looks like it has to be run with root permissions. Fortunately, adding it to sudo crontab -e seems to let it run as root automatically now.

I think some checking of required permissions, and more verbosity than just "parse error", would be extremely helpful here.
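As an added example that is not part of this thread or of the certbot project, here is a small POSIX shell checker for the conditions commenters report behind "parsefail": a renewal conf that is missing, unreadable by the current user or empty (pcav's empty file, the root-only behaviour alexweissman hit), and live/ files that are not symlinks resolving into archive/ (the layout gonchs restored by hand). The function names, the placeholder file contents and the single archive_dir line standing in for a real renewal conf are my assumptions, not certbot's.

```shell
#!/bin/sh
# Usage: sh check_lineage.sh example.com [more...]; LE_ROOT overrides /etc/letsencrypt.
# check_lineage ROOT NAME: report why "certbot renew" might mark NAME as parsefail:
# renewal/NAME.conf missing, unreadable or empty, or a live/NAME/*.pem that is not a
# symlink resolving to a file inside archive/NAME. One line per problem; returns 0 if clean.
check_lineage() {
  root=$1; name=$2; problems=0
  conf="$root/renewal/$name.conf"
  if [ ! -f "$conf" ]; then
    echo "$name: $conf is missing"; problems=$((problems + 1))
  elif [ ! -r "$conf" ]; then
    echo "$name: $conf is not readable by $(id -un) (renew usually needs root)"; problems=$((problems + 1))
  elif [ ! -s "$conf" ]; then
    echo "$name: $conf is empty"; problems=$((problems + 1))
  fi
  archive_dir=$(cd "$root/archive/$name" 2>/dev/null && pwd -P)
  [ -n "$archive_dir" ] || { echo "$name: archive/$name is missing"; problems=$((problems + 1)); archive_dir=/nonexistent; }
  for f in cert chain fullchain privkey; do
    link="$root/live/$name/$f.pem"
    [ -L "$link" ] || { echo "$name: live/$name/$f.pem is missing or not a symlink"; problems=$((problems + 1)); continue; }
    target=$(readlink "$link")
    case $target in /*) path=$target ;; *) path="$root/live/$name/$target" ;; esac
    [ -f "$path" ] || { echo "$name: live/$name/$f.pem -> $target is dangling"; problems=$((problems + 1)); continue; }
    real="$(cd "$(dirname "$path")" && pwd -P)/$(basename "$path")"   # normalise ../.. in the link
    case $real in "$archive_dir"/*) ;;
      *) echo "$name: live/$name/$f.pem resolves outside archive/$name ($real)"; problems=$((problems + 1)) ;;
    esac
  done
  return $problems
}

# make_demo_tree: constructed throwaway tree with a healthy lineage "good" and a lineage "broken"
# (empty conf, plain file, dangling link, link outside archive/, privkey missing). Placeholder
# contents only, not real keys or certificates. Prints the tree's path.
make_demo_tree() {
  t=$(mktemp -d); mkdir -p "$t/renewal" "$t/archive/good" "$t/archive/broken" "$t/live/good" "$t/live/broken"
  for f in cert chain fullchain privkey; do
    echo "constructed placeholder" > "$t/archive/good/${f}1.pem"
    ln -s "../../archive/good/${f}1.pem" "$t/live/good/$f.pem"   # relative links, as certbot creates them
  done
  printf 'archive_dir = %s/archive/good\n' "$t" > "$t/renewal/good.conf"   # assumed minimal stand-in for the real conf
  : > "$t/renewal/broken.conf"
  echo "constructed placeholder" > "$t/live/broken/cert.pem"
  ln -s "../../archive/broken/chain1.pem" "$t/live/broken/chain.pem"
  echo "constructed placeholder" > "$t/stray.pem"; ln -s "../../stray.pem" "$t/live/broken/fullchain.pem"
  echo "$t"
}

for name in "$@"; do check_lineage "${LE_ROOT:-/etc/letsencrypt}" "$name"; done
```

Run it as the same user your cron job uses; a conf that is only readable by root shows up as the "not readable" line rather than the bare "parsefail" the client prints.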

@helgatheviking helgatheviking commented Sep 7, 2016

Updating from letsencrypt to the new certbot client.

This helped me too. The install from the Ubuntu repo is apparently still letsencrypt. I had to install from a git clone. Renewal still won't run successfully while Apache is running, though, but I presume that's a different issue.

@vstokarev vstokarev commented Mar 16, 2017

I had the same issue and resolved it by just copying conf file from another domain and replacing domain name in its name and its content. Can be helpful if you have several domains and one of them doesn't want to renew, but another one works fine.

@counterpoint counterpoint commented Aug 5, 2017

I'm having this problem with certbot version 0.10.2 in Debian Stretch. A number of domains were set up, so far as I know in exactly the same way. When attempting "certbot renew" 13 domains appear correct - currently they are listed and skipped as renewal is not yet needed. But the other 7 are listed under "Additionally, the following renewal configuration files were invalid:". Each one is listed as "/etc/letsencrypt/renewal/example.com.conf (parsefail)". I cannot see any difference between the files that are described as "parsefail" and the corresponding files that do not fail (apart from the different domain names). All the files mentioned in the .conf file exist, are owned by root and have reasonable permissions. Is there any robust solution for this?

@counterpoint counterpoint commented Aug 5, 2017

Probably my fault, although I don't know how. Deleting and recreating the problem domains fixed it.

@Bielecki Bielecki commented Dec 14, 2018

@gonchs thank you. I wrote a short script using your fix, so if anyone has more than one domain - you can use it from my repo: Bielecki/certbot-renew_fix

@schoen schoen (Contributor) commented Jan 29, 2019

I think #775 and #6276 are currently better places to track this in our issue tracker (although I agree that this is still a real concern).

@schoen schoen closed this Jan 29, 2019
@l2zeo l2zeo commented Apr 25, 2019

@gonchs thank you. I wrote a short script using your fix, so if anyone has more than one domain - you can use it from my repo: Bielecki/certbot-renew_fix

It was very helpful.
Thank you.

@ermenkov ermenkov commented May 27, 2020

Just back up the goddamn /etc/letsencrypt/renewal/domain.com.conf file and delete it.

That cost an hour of my life that nobody will give me back.

@xibsked xibsked commented Sep 3, 2020

Just back up the goddamn /etc/letsencrypt/renewal/domain.com.conf file and delete it.

That cost an hour of my life that nobody will give me back.

You saved my precious hours! Thanks a ton!
