Fixing certbot’s “parsefail” error during certificate renewal

Charles Stover
2 min read · Dec 26, 2019

Last week, I was unfortunately notified that my domains’ certificates were expiring and needed to be renewed immediately. This was troubling, because my certificates were set to automatically renew through Let’s Encrypt; and this meant that something was wrong. Only a handful of my domains were failing the automatic renewal process, while the others were successful.

I tried to manually renew these domains with certbot renew and met the following error:

Additionally, the following renewal configurations were invalid:
  /etc/letsencrypt/renewal/example.com.conf (parsefail)
Traceback (most recent call last):
  File "/opt/certbot/src/certbot/certbot/_internal/renewal.py", line 64, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/opt/certbot/src/certbot/certbot/_internal/storage.py", line 465, in __init__
    self._check_symlinks()
  File "/opt/certbot/src/certbot/certbot/_internal/storage.py", line 532, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/example.com/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/example.com.conf is broken. Skipping.

This gave me a place to start, but no existing solutions could be found online. I spent a long time chasing the rabbit hole that was, “example.com.conf is broken,” thinking it was misconfigured. It was not. The real error was in “expected /etc/letsencrypt/live/example.com/cert.pem to be a symlink.”

I investigated the live files associated with my problematic domains and found they did not quite match their siblings’ directories. In a normal Let’s Encrypt directory, the files are symbolic links to /etc/letsencrypt/archive/example.com/{file}1.{ext}, where file.ext is each of cert.pem, chain.pem, fullchain.pem, and privkey.pem. In the problematic domains’ directories, these were static files.

I solved this by first verifying that the respective archive directory contained the pem files. Next, I removed the files from live. Finally, I created symbolic links from live to archive. The commands can be found below:

*@*:/etc/letsencrypt/live/example.com# rm cert.pem chain.pem fullchain.pem privkey.pem
*@*:/etc/letsencrypt/live/example.com# ln -s /etc/letsencrypt/archive/example.com/cert1.pem cert.pem
*@*:/etc/letsencrypt/live/example.com# ln -s /etc/letsencrypt/archive/example.com/chain1.pem chain.pem
*@*:/etc/letsencrypt/live/example.com# ln -s /etc/letsencrypt/archive/example.com/fullchain1.pem fullchain.pem
*@*:/etc/letsencrypt/live/example.com# ln -s /etc/letsencrypt/archive/example.com/privkey1.pem privkey.pem
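The same three steps as a script, added here as an example and not taken from the post: it verifies the archive before touching anything, keeps a backup if a live file differs from the archive copy, and links to the highest-numbered archive file because certbot bumps that number on every renewal (cert1.pem, cert2.pem, ...). The certbot root and lineage name are passed as arguments, an assumption that lets it be exercised on a copy of the tree.

```shell
#!/bin/sh
# Added example (not the post's own commands): rebuild a certbot "live"
# directory whose four .pem files are plain copies instead of symlinks into
# "archive", the condition behind the "expected ... to be a symlink" error.
# Assumptions: $1 is the certbot root (normally /etc/letsencrypt), $2 is the
# lineage name, and archive files use certbot's <name><N>.pem numbering
# where the highest N is the current version.

# Print the highest-numbered <name>N.pem in archive directory $1; fail if none.
latest_archive_file() {
    dir=$1; name=$2; best=""; bestn=-1
    for f in "$dir/$name"[0-9]*.pem; do
        [ -e "$f" ] || continue
        n=$(basename "$f" .pem); n=${n#"$name"}
        case $n in *[!0-9]*) continue ;; esac   # skip names like cert1-old.pem
        if [ "$n" -gt "$bestn" ]; then bestn=$n; best=$f; fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# Step 1 verifies the archive; steps 2 and 3 replace static files with links.
repair_live_dir() {
    root=$1; lineage=$2
    live="$root/live/$lineage"; archive="$root/archive/$lineage"
    for name in cert chain fullchain privkey; do
        latest_archive_file "$archive" "$name" >/dev/null || {
            echo "no $name<N>.pem in $archive; leaving $live untouched" >&2
            return 1
        }
    done
    for name in cert chain fullchain privkey; do
        target=$(latest_archive_file "$archive" "$name")
        link="$live/$name.pem"
        [ -L "$link" ] && continue                  # already a symlink
        if [ -f "$link" ] && ! cmp -s "$link" "$target"; then
            mv "$link" "$link.bak"                  # differs: keep a copy
        fi
        rm -f "$link"
        ln -s "$target" "$link"
    done
}

# Usage: sh repair-live.sh /etc/letsencrypt example.com
if [ $# -eq 2 ]; then repair_live_dir "$1" "$2"; fi
```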

Running certbot renew now works again, and my certificates are back to renewing automatically.
