Skip to main content

Let’s Encrypt Free TLS/SSL Certificate Renewal Errors

Let's Encrypt renew certificate

When I launched this Web site in 2015, I was using a very cheap VPS which costs $10 per year. I obtained a free TLS/SSL certificate from Let’s Encrypt and configured Nginx to serve HTTPS traffic.

In March 2016, I migrated my Web site to a digital Ocean (without affiliate link) SSD cloud server which costs $5 per month (Get $10 free credit from my affiliate link). To continue to serve HTTPS traffic, I also need to transfer my TLS/SSL certificate to the new server.

Nginx requires two files to serve HTTPS traffic: a full chain certificate and your private key. In the case of Let’s Encrypt, These two files are located at



Correctly speaking, these two files are symbolic links that point to the following two files respectively.



So I thought I simply need to copy the above two files to my Digital Ocean SSD server and I did so.

The Problem of Certificate Renewal

As you may probably know, Let’s Encrypt certificates last 90 days. You have to renew your certificates every 3 months.

I had difficulties in renewing my certificates due to the fact that I only have fullchain1.pem and privkey1.pem on my server. All other files related to my Let’s encrypt files are gone. These two files enables Nginx to serve HTTPS traffic but they are not sufficient when you renew your certificates.

The command that I use to renew certificate is

sudo letsencrypt renew

But Let’s Encrypt client did not try to renew my certificate. This is because the client relies on a renewal configuration file in order to know how to renew your certificates, i.e, use what plugin and what options.

So I found a sample renewal configuration file and created one with the below command .

sudo nano /etc/letsencrypt/renewal/

And put the following lines in the file.

cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

# Options used in the renewal process
authenticator = webroot
installer = None
account = 7b3fa88c32887c234036234f6cc6358ab
webroot_path = /usr/share/nginx/,
[[webroot_map]] = /usr/share/nginx/

The above configuration tells Let’s Encrypt client to use Webroot plugin to renew certificate. Then run the renew command again.  The first error I encountered was:

renewal configuration file is broken

This is because of two reasons:

  1. I don’t have cert.pem and chain.pem file on my server.
  2. I use the real files instead of symbolic link.

cert.pem is your certificate issued by Let’s Encrypt, and chain.pem is the intermediate certificate of Let’s Encrypt which is issued by a root certificate authority. These two files are used to create the fullchain.pem file. You can find that cert.pem is above chain.pem in the fullchain.pem file.

So to get cert.pem and chain.pem, simply copy the upper half of fullchain.pem and save it to a file named cert.pem. Then copy the lower half of fullchain.pem and save it to a file named chain.pem.

Now I have cert.pem, chain.pem fullchain.pem and privkey.pem under /etc/letsencrypt/archive/ directory.

Then create symbolic links.

sudo ln -sf /etc/letsencrypt/archive/ /etc/letsencrypt/live/

sudo ln -sf /etc/letsencrypt/archive/ /etc/letsencrypt/live/

sudo ln -sf /etc/letsencrypt/archive/ /etc/letsencrypt/live/

sudo ln -sf /etc/letsencrypt/archive/ /etc/letsencrypt/live/

Run the certificate renew command again.

sudo letsencrypt renew

This time, I got this error:

max() arg is an empty sequence

This above message is a common error message in python. But it didn’t tell you what really happened. To solve this error, I simply need to rename the four pem files under /etc/letsencrypt/archive/

cd /etc/letsencrypt/archive/

mv cert.pem cert1.pem

mv chain.pem chain1.pem

mv fullchain.pem fullchain1.pem

mv privkey.pem privekey1.pem

Then create symbolic links again. Now I can renew my certificate without problems.

Rate this tutorial
[Total: 0 Average: 0]