renewal config file {} is missing a required file reference #5868

Open
artshade opened this issue Apr 13, 2018 · 14 comments
Labels
area: error handling area: renewal priority: unplanned Work that we believe should be done, but does not have a higher priority.

Comments

@artshade

artshade commented Apr 13, 2018

Dear Developers,

Thank you so much for such an app, really.

By the way, there's a strange error when these two commands are executed:

To create cert:

sudo letsencrypt certonly --standalone --agree-tos --email user@example.com -d example.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for example.com
Waiting for verification...
Cleaning up challenges
archive directory exists for example.com

After that, to check the renewal, and also whether it would output "Cert not yet due for renewal", this command was executed:

sudo certbot renew

...
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------
renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/example.com.conf is broken. Skipping.
-------------------------------------------------------------------------------
...
Additionally, the following renewal configuration files were invalid: 
  /etc/letsencrypt/renewal/example.com.conf (parsefail)
-------------------------------------------------------------------------------
0 renew failure(s), 1 parse failure(s)

Also, the file /etc/letsencrypt/renewal/example.com.conf is empty, but exists.

(the real domain was changed to example.com)

Best regards

@joohoi
Member

joohoi commented Apr 13, 2018

Hi, could you please include (or possibly pastebin) the contents of /var/log/letsencrypt/letsencrypt.log and /var/log/letsencrypt/letsencrypt.log.1, or whichever of the log files contains the log for the two runs of Certbot described above? It would help to debug the underlying reason.

I would like to know:

  • If you have previously had a certificate and a renewal configuration for the domain(s) you're trying to create a certificate for now. I ask this because in the output of the initial run, there's a line "archive directory exists for example.com".
  • The filesystem permissions for /etc/letsencrypt/renewal.

Please also confirm that you have disk space available in /etc.

@DrissiReda

I have the same problem, and I already had a configuration for the domain, then I removed the certificates

@Jachimo

Jachimo commented Feb 21, 2019

I am having this same issue. I attempted to change from webroot authentication to the Cloudflare DNS plugin. I moved both the old renewal/domain.conf and the archive directory out of the way, and the initial command works and gets a certificate. But it doesn't write a new .conf file for renewals. It creates an empty file in renewal instead, which obviously causes an error when I go to run certbot renew --dry-run.

As a bonus, I can't even find what should go in the .conf file when using the Cloudflare plugin, because all the tutorials on the web just blindly assume that on first run, the software will correctly create the .conf file for use later.

I can see zero reason why certbot would create an empty file like this. Either it should throw some sort of error if a condition exists that will prevent creating the conf file (in which case, create nothing), or it should write the config values used to get the certificates to the file. Writing a zero-byte file is not a good failure mode.

@joohoi
Member

joohoi commented Feb 22, 2019

Hi @Jachimo, could you please provide the Certbot log file from /var/log/letsencrypt/letsencrypt.log to get a better glimpse of what's going wrong there? The Certbot version and the way you installed the plugins (OS package repo, Docker image, certbot-auto, pip?) would help us to figure things out as well.

@Jachimo

Jachimo commented Feb 23, 2019

I'm using certbot version: 0.28.0, installed via apt from the Debian repos; the machine is running Debian 9.

I believe this is the salient part of the logs:

2019-02-21 14:34:49,982:DEBUG:certbot.storage:Creating directory /etc/letsencrypt/archive.
2019-02-21 14:34:49,983:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1340, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1225, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
    self.config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 1042, in new_lineage
    "live directory exists for " + lineagename)

It seems like, because a live directory already existed for the hostname, certbot aborted before it could write the renewal config file... but it had already created the (empty) file, it seems. This empty file then caused an error when I tested the renewal process with certbot renew --dry-run.

Excerpt of the log file (with identifying details removed) attached.
letsencrypt-excerpt-REDACTED.log

@joohoi
Member

joohoi commented Feb 25, 2019

Oh, I see. The issue here seems to be that moving the archive directory but leaving the live directory left the Certbot configuration in a confused state. This is something that we should address at some point, so I'll label the issue as such.

To "reset" the state, please also move the live directory (it only contains symlinks to currently active key material and certificates for each domain, and as such will be broken anyway if archive is moved) and remove the offending renewal configuration file.

@joohoi joohoi added priority: unplanned Work that we believe should be done, but does not have a higher priority. and removed more-info labels Feb 25, 2019
@thomasrebele

thomasrebele commented Feb 16, 2020

I'm using https://github.com/thefinn93/ansible-letsencrypt and encountered a similar error after changing the order of the domains (putting example.com before www.example.com).

I resolved it Q&D as follows:

server$ mv /etc/letsencrypt /etc/letsencrypt.backup
pc$ # call ansible
pc$ # check certificate in browser, and if everything works:
server$ rm -rf /etc/letsencrypt.backup

@wolframroesler

Same issue here (Ubuntu Server 20.04, certbot 0.40.0). Solved like this:

$ ll /etc/letsencrypt/renewal/my.domain.de.conf
-rw-r--r-- 1 root root 0 Jul  3 18:05 /etc/letsencrypt/renewal/my.domain.de.conf

$ sudo rm /etc/letsencrypt/renewal/my.domain.de.conf

The file name (/etc/letsencrypt/renewal/my.domain.de.conf) is the one reported in the Python error message.

With that, sudo certbot renew --dry-run passed successfully.
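
An added example, not code from Certbot or from anyone in this thread: a read-only audit for the state discussed above. It flags zero-byte renewal files and renewal files whose cert, privkey, chain or fullchain references are missing or point at live/ symlinks that no longer resolve. The `build_sample` helper and the `*.example` names are constructed sample data; the config root passed in is an assumption about where Certbot stores its state.

```python
import os

# File references a renewal config carries before its [renewalparams] section.
REQUIRED = ("cert", "privkey", "chain", "fullchain")

def top_level_keys(path):
    """Return key -> value for the lines before the first [section] header."""
    keys = {}
    with open(path, encoding="utf-8") as fh:
        for line in (raw.strip() for raw in fh):
            if line.startswith("["):
                break
            if line and not line.startswith("#") and "=" in line:
                key, _, value = line.partition("=")
                keys[key.strip()] = value.strip()
    return keys

def audit_renewal_dir(config_root):
    """Read-only check; returns (conf name, problem) tuples in name order."""
    findings = []
    renewal = os.path.join(config_root, "renewal")
    for name in sorted(n for n in os.listdir(renewal) if n.endswith(".conf")):
        path = os.path.join(renewal, name)
        if os.path.getsize(path) == 0:
            findings.append((name, "empty file"))  # the zero-byte case from this thread
            continue
        keys = top_level_keys(path)
        for ref in REQUIRED:
            if ref not in keys:
                findings.append((name, "missing " + ref))
            elif not os.path.exists(keys[ref]):  # follows the live/ symlink
                findings.append((name, "dangling " + ref))
    return findings

def build_sample(root):
    """Constructed tree: healthy lineage, zero-byte conf, lineage with archive files gone."""
    os.makedirs(os.path.join(root, "renewal"))
    for name, keep_archive in (("ok.example", True), ("moved.example", False)):
        live, arch = (os.path.join(root, d, name) for d in ("live", "archive"))
        os.makedirs(live)
        os.makedirs(arch)
        for ref in REQUIRED:
            target = os.path.join(arch, ref + "1.pem")
            if keep_archive:
                open(target, "w").close()
            os.symlink(target, os.path.join(live, ref + ".pem"))
        body = "".join("%s = %s\n" % (r, os.path.join(live, r + ".pem")) for r in REQUIRED)
        with open(os.path.join(root, "renewal", name + ".conf"), "w") as fh:
            fh.write(body + "[renewalparams]\n")
    open(os.path.join(root, "renewal", "empty.example.conf"), "w").close()
```

On a real host, calling `audit_renewal_dir("/etc/letsencrypt")` as root before moving or deleting anything lists which renewal files would be skipped and why; the function only reads.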

@stale

stale bot commented Jul 8, 2021

We've made a lot of changes to Certbot since this issue was opened. If you still have this issue with an up-to-date version of Certbot, can you please add a comment letting us know? This helps us to better see what issues are still affecting our users. If there is no activity in the next 30 days, this issue will be automatically closed.

@stale stale bot added the needs-update label Jul 8, 2021
@tutnes

tutnes commented Nov 25, 2021

I am still running into this using the certbot docker image

@stale stale bot removed the needs-update label Nov 25, 2021
@Hellohi3654

I am also running into this issue

@andrewhenke

andrewhenke commented Apr 14, 2023

Still encountering this issue as well with Ubuntu 22.04 LTS via APT installation

@molt2020

Firstly, thanks to the team for maintaining this fantastic service!

Still the same issues in 2024 on Ubuntu installed via apt. Worked perfectly until yesterday when it decided to stop. I tried removing the renewal folder as per some posts on the internet but it won't work.

What worked - a bit random:

  1. I run certbot -d www.example.com
  2. I have 2 certbot accounts, I selected the account I don't use normally, this produced error around "archive for domain already exists" (I have previously been receiving "live directory exists for ..." error)
  3. Then I run the command again, this time I selected the correct certbot account
  4. voila, it worked!
  5. I repeated the same for another domain. The 'secret' appears to be to switch the certbot account (ie the account letsencrypt.org). I guess this cleans some cache files/folders. Very random but it seems to work. A proper fix would be great.

@molt2020

molt2020 commented Feb 24, 2024

I was too quick to declare victory. The syslog still shows that certbot throws

The error was: renewal config file {} is missing a required file reference Skipping.

If I run certbot run I can successfully replace all certificates. The .conf files in /etc/letsencrypt/renew are empty aside from the last iteration (version) of the file, so in my case example.com.conf and example.com.conf-0001 are empty but the -0002 has some configuration in it. I assume this is as it should be but it could be why the certbot is complaining with "renewal config file {} is missing" (??)

certbot 1.21.0
