Let’s Encrypt Free TLS/SSL Certificate Renewal Errors
When I launched this Web site in 2015, I was using a very cheap VPS which costs $10 per year. I obtained a free TLS/SSL certificate from Let’s Encrypt and configured Nginx to serve HTTPS traffic.
In March 2016, I migrated my Web site to a digital Ocean (without affiliate link) SSD cloud server which costs $5 per month (Get $10 free credit from my affiliate link). To continue to serve HTTPS traffic, I also need to transfer my TLS/SSL certificate to the new server.
Nginx requires two files to serve HTTPS traffic: a full chain certificate and your private key. In the case of Let’s Encrypt, These two files are located at
Correctly speaking, these two files are symbolic links that point to the following two files respectively.
So I thought I simply need to copy the above two files to my Digital Ocean SSD server and I did so.
The Problem of Certificate Renewal
As you may probably know, Let’s Encrypt certificates last 90 days. You have to renew your certificates every 3 months.
I had difficulties in renewing my certificates due to the fact that I only have
privkey1.pem on my server. All other files related to my Let’s encrypt files are gone. These two files enables Nginx to serve HTTPS traffic but they are not sufficient when you renew your certificates.
The command that I use to renew certificate is
sudo letsencrypt renew
But Let’s Encrypt client did not try to renew my certificate. This is because the client relies on a renewal configuration file in order to know how to renew your certificates, i.e, use what plugin and what options.
So I found a sample renewal configuration file and created one with the below command .
sudo nano /etc/letsencrypt/renewal/linuxbabe.com.conf
And put the following lines in the file.
cert = /etc/letsencrypt/live/linuxbabe.com/cert.pem privkey = /etc/letsencrypt/live/linuxbabe.com/privkey.pem chain = /etc/letsencrypt/live/linuxbabe.com/chain.pem fullchain = /etc/letsencrypt/live/linuxbabe.com/fullchain.pem # Options used in the renewal process [renewalparams] authenticator = webroot installer = None account = 7b3fa88c32887c234036234f6cc6358ab webroot_path = /usr/share/nginx/linuxbabe.com, [[webroot_map]] linuxbabe.com = /usr/share/nginx/linuxbabe.com
The above configuration tells Let’s Encrypt client to use Webroot plugin to renew certificate. Then run the renew command again. The first error I encountered was:
renewal configuration file is broken
This is because of two reasons:
- I don’t have cert.pem and chain.pem file on my server.
- I use the real files instead of symbolic link.
cert.pem is your certificate issued by Let’s Encrypt, and chain.pem is the intermediate certificate of Let’s Encrypt which is issued by a root certificate authority. These two files are used to create the fullchain.pem file. You can find that cert.pem is above chain.pem in the fullchain.pem file.
So to get cert.pem and chain.pem, simply copy the upper half of fullchain.pem and save it to a file named cert.pem. Then copy the lower half of fullchain.pem and save it to a file named chain.pem.
Now I have cert.pem, chain.pem fullchain.pem and privkey.pem under /etc/letsencrypt/archive/linuxbabe.com directory.
Then create symbolic links.
sudo ln -sf /etc/letsencrypt/archive/linuxbabe.com/cert.pem /etc/letsencrypt/live/linuxbabe.com/cert.pem sudo ln -sf /etc/letsencrypt/archive/linuxbabe.com/chain.pem /etc/letsencrypt/live/linuxbabe.com/chain.pem sudo ln -sf /etc/letsencrypt/archive/linuxbabe.com/fullchain.pem /etc/letsencrypt/live/linuxbabe.com/fullchain.pem sudo ln -sf /etc/letsencrypt/archive/linuxbabe.com/privkey.pem /etc/letsencrypt/live/linuxbabe.com/privkey.pem
Run the certificate renew command again.
sudo letsencrypt renew
This time, I got this error:
max() arg is an empty sequence
This above message is a common error message in python. But it didn’t tell you what really happened. To solve this error, I simply need to rename the four pem files under /etc/letsencrypt/archive/linuxbabe.com/.
cd /etc/letsencrypt/archive/linuxbabe.com mv cert.pem cert1.pem mv chain.pem chain1.pem mv fullchain.pem fullchain1.pem mv privkey.pem privekey1.pem
Then create symbolic links again. Now I can renew my certificate without problems.