Fixing certbot’s “parsefail” error during certificate renewal

Charles Stover
Dec 26, 2019

Last week, I was unfortunately notified that my domains’ certificates were expiring and needed to be renewed immediately. This was troubling, because my certificates were set to automatically renew through Let’s Encrypt; and this meant that something was wrong. Only a handful of my domains were failing the automatic renewal process, while the others were successful.

I tried to manually renew these domains with certbot renew and met the following error:

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/ (parsefail)
Traceback (most recent call last):
File "/opt/certbot/src/certbot/certbot/_internal/", line 64, in _reconstitute
renewal_candidate = storage.RenewableCert(full_path, config)
File "/opt/certbot/src/certbot/certbot/_internal/", line 465, in __init__
File "/opt/certbot/src/certbot/certbot/_internal/", line 532, in _check_symlinks
"expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/ to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/ is broken. Skipping.

This gave me a place to start, but no existing solutions could be found online. I spent a long time chasing the rabbit hole that was, “ is broken,” thinking it was misconfigured. It was not. The real error was in “expected /etc/letsencrypt/live/ to be a symlink.”

I investigated the live files associated with my problematic domains and found they did not quite match their siblings’ directories. In a normal Let’s Encrypt directory, the files are symbolic links to /etc/letsencrypt/archive/{file}1.{ext}, where file.ext is each of cert.pem, chain.pem, fullchain.pem, and privkey.pem. In the problematic domains’ directories, these were static files.

I solved this by first verifying that the respective archive directory contained the pem files. Next, I removed the files from live. Finally, I created symbolic links from live to archive. The commands can be found below:

*@*:/etc/letsencrypt/live/ rm cert.pem chain.pem fullchain.pem privkey.pem
*@*:/etc/letsencrypt/live/ ln -s /etc/letsencrypt/archive/ cert.pem
*@*:/etc/letsencrypt/live/ ln -s /etc/letsencrypt/archive/ chain.pem
*@*:/etc/letsencrypt/live/ ln -s /etc/letsencrypt/archive/ fullchain.pem
*@*:/etc/letsencrypt/live/ ln -s /etc/letsencrypt/archive/ privkey.pem

Running certbot renew now works again, and my certificates are back to renewing automatically.
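The three steps described above (check the archive, remove the static files, link live to archive) as a shell function. This is an added example, not part of the original post: the function name `le_relink` and its arguments are hypothetical, and it goes beyond the post by picking the highest-numbered archive copy and by refusing to delete a static file whose contents differ from the archive.

```shell
#!/bin/sh
# Added example: repair static files in a certbot "live" directory.
# Usage: le_relink BASE NAME
#   BASE is normally /etc/letsencrypt; NAME is the certificate (domain) directory.
# Prints one status line per file; returns 1 if any file was skipped.
le_relink() {
    base=$1; name=$2; rc=0
    live="$base/live/$name"; arch="$base/archive/$name"
    for f in cert chain fullchain privkey; do
        link="$live/$f.pem"
        if [ -L "$link" ]; then echo "ok       $f.pem"; continue; fi
        # Find the highest-numbered copy in archive (cert1.pem, cert2.pem, ...).
        max=0
        for p in "$arch/$f"[0-9]*.pem; do
            [ -e "$p" ] || continue
            n=${p##*/"$f"}; n=${n%.pem}
            case $n in *[!0-9]*) continue ;; esac
            if [ "$n" -gt "$max" ]; then max=$n; fi
        done
        if [ "$max" -eq 0 ]; then
            echo "skipped  $f.pem (no archive copy)"; rc=1; continue
        fi
        # Never delete a static file that differs from the archive copy:
        # it may be the only copy of the current certificate or private key.
        if [ -e "$link" ] && ! cmp -s "$link" "$arch/$f$max.pem"; then
            echo "skipped  $f.pem (differs from $f$max.pem)"; rc=1; continue
        fi
        rm -f "$link"
        # Relative target, the form certbot itself writes for these links.
        ln -s "../../archive/$name/$f$max.pem" "$link"
        echo "relinked $f.pem -> $f$max.pem"
    done
    return $rc
}
```

A "skipped ... differs" line means the live copy should be inspected and saved by hand before anything is removed.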