Certificate Problems after Server died and was rebuilt

I’m running Nethserver 7.9.2009 (final) on an Intel(R) Core™ i7-3630QM CPU @ 2.40GHz x 8

I’ve got Kernel Release 3.10.0-1160.119.1.el7.x86_64 Operating System.

I was thinking of moving to Nethserver 8, but I run 3 different websites off this and I was preparing when my server began to show signs of “illness”. No problem, I’m fully backed up, so I got the system I’m running on now, loaded Nethserver, updated it, and loaded the config that I’d taken off the old system. A little tinkering with the networking and I had a system that looked right, with no files on it. I took my data backup, loaded that and my mail works, and all three of my websites work. Excellent!

However, that's when it went a bit wrong. I did a “certbot renew” and got the following:

[root@bastion renewal]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.blake-online.net.conf


Cannot extract OCSP URI from /etc/letsencrypt/archive/www.blake-online.net/cert29.pem
Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/www.bluestarline.org-0001.conf


Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The requested apache plugin does not appear to be installed
Failed to renew certificate www.bluestarline.org-0001 with error: The requested apache plugin does not appear to be installed


Processing /etc/letsencrypt/renewal/www.netunity.co.uk-0001.conf


Cannot extract OCSP URI from /etc/letsencrypt/archive/www.netunity.co.uk-0001/cert23.pem
Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/www.netunity.co.uk.conf


Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The requested apache plugin does not appear to be installed
Failed to renew certificate www.netunity.co.uk with error: The requested apache plugin does not appear to be installed


The following certificates are not due for renewal yet:
/etc/letsencrypt/live/www.blake-online.net/fullchain.pem expires on 2026-03-08 (skipped)
/etc/letsencrypt/live/www.netunity.co.uk-0001/fullchain.pem expires on 2026-03-08 (skipped)
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/www.bluestarline.org-0001/fullchain.pem (failure)
/etc/letsencrypt/live/www.netunity.co.uk/fullchain.pem (failure)


2 renew failure(s), 0 parse failure(s)

That all looks a bit sick, and my knowledge of certificates is not enough for me to feel confident to “try stuff”. Can anyone shed any light on what is going on and what I need to do?

Thanks

Jim

An additional bit of info, under “certificates” I have

That looks like I should know what to do with it, but I don't.

I think the errors are just about the old certificates; the current default blake-online.net cert seems to be working. You could check the certificate by clicking the “Show” button. It should include all websites under “X509v3 Subject Alternative Name:”.

Do you still get the errors when you remove the old certs that are not in use?

If this error still occurs after removing the old certs, you could try to install the following:

yum install python2-certbot-apache

I deleted the certificates, but then I got this:

[root@bastion ~]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.blake-online.net.conf


Cannot extract OCSP URI from /etc/letsencrypt/archive/www.blake-online.net/cert29.pem
Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/www.bluestarline.org-0001.conf


Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 71, in _reconstitute
renewal_candidate = storage.RenewableCert(full_path, config)
File "/usr/lib/python2.7/site-packages/certbot/_internal/storage.py", line 470, in __init__
self._check_symlinks()
File "/usr/lib/python2.7/site-packages/certbot/_internal/storage.py", line 537, in _check_symlinks
"expected {0} to be a symlink".format(link))
CertStorageError: expected /etc/letsencrypt/live/www.bluestarline.org-0001/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/www.bluestarline.org-0001.conf is broken. Skipping.


Processing /etc/letsencrypt/renewal/www.netunity.co.uk-0001.conf


Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 71, in _reconstitute
renewal_candidate = storage.RenewableCert(full_path, config)
File "/usr/lib/python2.7/site-packages/certbot/_internal/storage.py", line 470, in __init__
self._check_symlinks()
File "/usr/lib/python2.7/site-packages/certbot/_internal/storage.py", line 537, in _check_symlinks
"expected {0} to be a symlink".format(link))
CertStorageError: expected /etc/letsencrypt/live/www.netunity.co.uk-0001/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/www.netunity.co.uk-0001.conf is broken. Skipping.


Processing /etc/letsencrypt/renewal/www.netunity.co.uk.conf


Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 71, in _reconstitute
renewal_candidate = storage.RenewableCert(full_path, config)
File "/usr/lib/python2.7/site-packages/certbot/_internal/storage.py", line 470, in __init__
self._check_symlinks()
File "/usr/lib/python2.7/site-packages/certbot/_internal/storage.py", line 537, in _check_symlinks
"expected {0} to be a symlink".format(link))
CertStorageError: expected /etc/letsencrypt/live/www.netunity.co.uk/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/www.netunity.co.uk.conf is broken. Skipping.


The following certificates are not due for renewal yet:
/etc/letsencrypt/live/www.blake-online.net/fullchain.pem expires on 2026-03-08 (skipped)
No renewals were attempted.

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/www.bluestarline.org-0001.conf (parsefail)
/etc/letsencrypt/renewal/www.netunity.co.uk-0001.conf (parsefail)
/etc/letsencrypt/renewal/www.netunity.co.uk.conf (parsefail)


0 renew failure(s), 3 parse failure(s)
[root@bastion ~]#

This error can be ignored.

If the cert is deleted from the UI, the .conf file is still in /etc/letsencrypt/renewal and therefore the errors are thrown.

Please move away the old certificate conf files from /etc/letsencrypt/renewal/ and retry certbot. The errors shouldn’t occur anymore.
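An added example (not from this thread, and not NethServer's or certbot's own code) that mechanises the two checks discussed in the replies above: listing the DNS names a certificate actually carries in its Subject Alternative Name extension (what the “Show” button displays), and finding the renewal configs under /etc/letsencrypt/renewal that certbot will refuse to parse because the certificate behind them was deleted. It assumes certbot's standard layout (each renewal/<name>.conf has cert =, privkey =, chain = and fullchain = entries that point at symlinks under live/<name>/), takes the letsencrypt root as a parameter so you can try it on a copy first, and moves broken configs aside rather than deleting them. The SAN helper needs openssl and uses -text instead of -ext subjectAltName because the OpenSSL 1.0.2 shipped with EL7 does not have -ext.

```shell
#!/bin/sh
# Added example, not part of the thread or of NethServer/certbot.
# Audits certbot renewal configs for the two failure modes seen in the thread
# and quarantines (moves, does not delete) the broken ones. The letsencrypt
# root is a parameter so the functions can be exercised on a scratch tree.
#
# Assumed layout (certbot's own): each renewal/<name>.conf carries
#   cert = /etc/letsencrypt/live/<name>/cert.pem   (plus privkey, chain, fullchain)
# and each of those paths must be a symlink into archive/<name>/.

# audit_renewal_confs ROOT
#   prints one line per renewal config: "OK <name>" or "BROKEN <name>: <why>"
#   returns 1 if any config is broken, 0 otherwise
audit_renewal_confs() {
  root="$1"
  rc=0
  found=0
  for conf in "$root"/renewal/*.conf; do
    [ -f "$conf" ] || continue
    found=1
    name=$(basename "$conf" .conf)
    problem=""
    for key in cert privkey chain fullchain; do
      # first "<key> = <path>" line of the config, if present
      path=$(sed -n "s/^$key[[:space:]]*=[[:space:]]*//p" "$conf" | head -n 1)
      if [ -z "$path" ]; then
        # certbot reports this as "missing a required file reference"
        problem="no '$key =' entry"
        break
      fi
      if [ ! -L "$path" ]; then
        # certbot reports this as "expected ... to be a symlink"
        problem="$path is missing or not a symlink"
        break
      fi
      if [ ! -e "$path" ]; then
        problem="$path points at an archive file that no longer exists"
        break
      fi
    done
    if [ -n "$problem" ]; then
      printf 'BROKEN %s: %s\n' "$name" "$problem"
      rc=1
    else
      printf 'OK %s\n' "$name"
    fi
  done
  [ "$found" -eq 1 ] || printf 'no renewal configs under %s\n' "$root"
  return "$rc"
}

# quarantine_broken_confs ROOT DEST
#   moves every BROKEN config out of ROOT/renewal into DEST so it can still be
#   inspected later, instead of deleting it outright
quarantine_broken_confs() {
  root="$1"
  dest="$2"
  mkdir -p "$dest"
  audit_renewal_confs "$root" | while read -r status name _rest; do
    if [ "$status" = BROKEN ]; then
      mv "$root/renewal/${name%:}.conf" "$dest/"
    fi
  done
}

# cert_sans CERT.pem
#   lists the DNS names in the certificate's Subject Alternative Name extension
cert_sans() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
  openssl x509 -in "$1" -noout -text \
    | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*DNS://'
}

# Stand-alone use:  sh audit_certbot.sh ROOT [DEST [CERT.pem]]
# e.g. sh audit_certbot.sh /etc/letsencrypt /root/renewal.disabled \
#        /etc/letsencrypt/live/www.blake-online.net/cert.pem
if [ "$#" -ge 1 ]; then
  audit_renewal_confs "$1" || { [ "$#" -ge 2 ] && quarantine_broken_confs "$1" "$2"; }
  [ "$#" -ge 3 ] && cert_sans "$3"
fi
```

Run the audit first with only the root argument and read the BROKEN lines; only then pass a destination directory to move those configs out of the way, and re-run `certbot renew` afterwards. The cert_sans output for the live certificate should list every site the server is expected to serve; a name missing there is a real problem, whereas a parse failure on a config whose certificate was deleted from the UI is only noise.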

Hi Markus, as always, thanks for your help! I did as you suggested and things are looking better, but I'm still not there. I deleted the files you suggested, and now I get the following when I run certbot:

[root@bastion renewal]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.blake-online.net.conf


Cannot extract OCSP URI from /etc/letsencrypt/archive/www.blake-online.net/cert29.pem
Cert not yet due for renewal


The following certificates are not due for renewal yet:
/etc/letsencrypt/live/www.blake-online.net/fullchain.pem expires on 2026-03-08 (skipped)
No renewals were attempted.

The system only seems to know about www.blake-online.net but not www.netunity.co.uk or www.bluestarline.org. How can I tell it to include those?

Thanks

Jim


As it is working I assume that they’re already included.

In NS7 there’s just one certificate including all other sites as SANs.

I just had a look: when I inspect the certificate that is used whenever I go to any of the three sites, I get:

It looks like it's using the same cert for all sites, as you say, and the “not before” date of late yesterday fits in with what I was doing yesterday trying to run certbot renew, so I think I might be OK now. I also hit the “Show” button and got this:

“X509v3 Subject Alternative Name: DNS:www.blake-online.net, DNS:www.bluestarline.org, DNS:www.netunity.co.uk”, so they are all there.

I believe you may have fixed it for me. Time will tell.

Thanks

Jim


It seems that without the www part some of the domains do (not) work and are not listed on the certificate? Maybe (DNS) redirects or no correct FQDN?

Thinking out loud…


I don't think that redirection without www was an issue in this case.

But to solve it, the names without www could just be added to a new certificate request and to the webserver settings and it should work.


You wrote “the names without www could just be added to a new certificate request and to the webserver settings and it should work.” Can you tell me the commands to do that? Sorry for the newbie question.

Also, I issued the command “certbot certificates” and got the following:

[root@bastion ~]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/www.netunity.co.uk-0001.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/www.netunity.co.uk.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.
Cannot extract OCSP URI from /etc/letsencrypt/live/www.blake-online.net/cert.pem
Cannot extract OCSP URI from /etc/letsencrypt/live/www.netunity.co.uk-0002/cert.pem


Found the following certs:
Certificate Name: www.blake-online.net
Serial Number: 6d9a76419a5f34900e13cd7acb01dcc14e6
Key Type: RSA
Domains: www.bluestarline.org www.blake-online.net www.netunity.co.uk
Expiry Date: 2026-03-08 18:38:22+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/www.blake-online.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.blake-online.net/privkey.pem
Certificate Name: www.netunity.co.uk-0002
Serial Number: 5b19035bf83c91e7a2659876f5717b643b8
Key Type: RSA
Domains: www.netunity.co.uk
Expiry Date: 2026-03-09 18:36:54+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.netunity.co.uk-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.netunity.co.uk-0002/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/www.netunity.co.uk-0001.conf
/etc/letsencrypt/renewal/www.netunity.co.uk.conf


I also tried “certbot renew” and got this:

[root@bastion ~]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.blake-online.net.conf


Cannot extract OCSP URI from /etc/letsencrypt/archive/www.blake-online.net/cert29.pem
Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/www.netunity.co.uk-0001.conf


Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 71, in _reconstitute
renewal_candidate = storage.RenewableCert(full_path, config)
File "/usr/lib/python2.7/site-packages/certbot/_internal/storage.py", line 451, in __init__
"file reference".format(self.configfile))
CertStorageError: renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/www.netunity.co.uk-0001.conf is broken. Skipping.


Processing /etc/letsencrypt/renewal/www.netunity.co.uk-0002.conf


Cannot extract OCSP URI from /etc/letsencrypt/archive/www.netunity.co.uk-0002/cert1.pem
Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/www.netunity.co.uk.conf


Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 71, in _reconstitute
renewal_candidate = storage.RenewableCert(full_path, config)
File "/usr/lib/python2.7/site-packages/certbot/_internal/storage.py", line 451, in __init__
"file reference".format(self.configfile))
CertStorageError: renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/www.netunity.co.uk.conf is broken. Skipping.


The following certificates are not due for renewal yet:
/etc/letsencrypt/live/www.blake-online.net/fullchain.pem expires on 2026-03-08 (skipped)
/etc/letsencrypt/live/www.netunity.co.uk-0002/fullchain.pem expires on 2026-03-09 (skipped)
No renewals were attempted.

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/www.netunity.co.uk-0001.conf (parsefail)
/etc/letsencrypt/renewal/www.netunity.co.uk.conf (parsefail)


0 renew failure(s), 2 parse failure(s)

I've still got a problem, though it does not appear to be affecting the operation of the websites. I'm just concerned that when the existing certificates expire, it will break the site.

As ever, thanks for your help and patience!

Jim

It was just an answer to the question of @LayLow.
As the sites are already working, you don't need it.

I think the old certs are still saved somewhere but you can ignore the errors.
You could check if the old certs are in the /etc/letsencrypt/live directory and move them away.

Important is this one (as it contains the domains of your sites) and it should be renewed automatically before it expires:

Just a thought. The problem I have is related only to certificates. I used to run without certificates. Is it possible to simply delete the certificates/certbot system and re-install? That might get it to run clean; everything else runs perfectly.

Thanks

Jim