TLS Certificate Provisioning Failure

My AWS EC2 Ubuntu 22.04 box is generating the following errors when trying to renew the certificate for the mail hosting domain, office.sucofa.com. All other certificates, e.g. autoconfig.sucofa.com, are renewing without problem. The following message is generated:
Traceback (most recent call last):
  File "/root/mailinabox/management/ssl_certificates.py", line 683, in <module>
    provision_certificates_cmdline()
  File "/root/mailinabox/management/ssl_certificates.py", line 395, in provision_certificates_cmdline
    status = provision_certificates(env, limit_domains=domains)
  File "/root/mailinabox/management/ssl_certificates.py", line 371, in provision_certificates
    ret.extend(post_install_func(env))
  File "/root/mailinabox/management/ssl_certificates.py", line 481, in post_install_func
    if cert and os.readlink(system_ssl_certificate) != cert['certificate']:
OSError: [Errno 22] Invalid argument: '/home/user-data/ssl/ssl_certificate.pem'

Before restoring the server when I moved to v60, I deleted /home/user-data/ssl/.
DNS hosting is with Cloudflare. The website for this domain (sucofa.com and www.sucofa.com) is on another machine.

Any ideas would be appreciated.

Thanks,
Dana

Hi @dfowlkes

Please show the output of sudo ls /home/user-data/

sudo ls -la /home/user-data/
total 60
drwxr-xr-x 10 user-data user-data 4096 Nov 14 19:03 .
drwxr-xr-x 4 root root 4096 Oct 20 10:52 ..
-rw-r--r-- 1 user-data user-data 220 Apr 5 2018 .bash_logout
-rw-r--r-- 1 user-data user-data 3771 Apr 5 2018 .bashrc
-rw-r--r-- 1 user-data user-data 807 Apr 5 2018 .profile
drwxr-xr-x 4 root root 4096 Oct 20 16:04 backup
drwxr-xr-x 3 root root 4096 Dec 26 2020 dns
drwxrwxr-x 8 root www-data 4096 Nov 14 22:35 mail
-rw-r--r-- 1 user-data user-data 3 Dec 10 2021 mailinabox.version
drwxrwx--- 9 www-data www-data 4096 Nov 15 15:37 owncloud
drwxr-xr-x 8 root root 4096 Nov 1 00:06 owncloud-backup
-rw-r--r-- 1 root root 15 Jan 2 2021 settings.yaml
drwx--x--- 3 ubuntu ubuntu 4096 Nov 14 18:14 ssl
drwxr-xr-x 3 root root 4096 Oct 16 03:02 ssl_old
drwxr-xr-x 3 user-data root 4096 Dec 26 2020 www

chown root:root /home/user-data/ssl/
chmod 755 /home/user-data/ssl/

should fix you up. You need to run these as root.
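An added diagnostic, not from this thread or from Mail-in-a-Box itself: it shows when os.readlink() on the certificate path raises the "[Errno 22] Invalid argument" from the traceback above (the path holds a regular file rather than a symlink) and checks the ssl directory against the root:root, 755 ownership suggested here. The demo() function works in a constructed temporary directory, not the real /home/user-data/ssl.

```python
import errno
import os
import stat
import tempfile

# Constructed example, not Mail-in-a-Box code: it reproduces why readlink()
# in the traceback raises EINVAL and checks the ssl dir against root:root/755.

def classify_symlink(path):
    """'missing', 'not-a-symlink' (readlink -> EINVAL, as in the traceback),
    'dangling', or 'ok:<target>' for a symlink whose target exists."""
    if not os.path.lexists(path):
        return "missing"
    try:
        target = os.readlink(path)
    except OSError as exc:
        if exc.errno == errno.EINVAL:  # a regular file or directory, not a link
            return "not-a-symlink"
        raise
    resolved = os.path.join(os.path.dirname(path), target)
    return f"ok:{target}" if os.path.exists(resolved) else "dangling"

def check_ssl_dir(path, uid=0, gid=0, mode=0o755):
    """Return a list of ownership/mode problems (empty list means fine)."""
    st = os.stat(path)
    problems = []
    if (st.st_uid, st.st_gid) != (uid, gid):
        problems.append(f"owner {st.st_uid}:{st.st_gid}, expected {uid}:{gid}")
    if stat.S_IMODE(st.st_mode) != mode:
        problems.append(f"mode {stat.S_IMODE(st.st_mode):o}, expected {mode:o}")
    return problems

def demo():
    """Build a throwaway ssl directory with each failure mode and classify it."""
    with tempfile.TemporaryDirectory() as ssl_dir:
        os.chmod(ssl_dir, 0o755)
        open(os.path.join(ssl_dir, "plain.pem"), "w").close()  # placeholder file
        os.symlink("plain.pem", os.path.join(ssl_dir, "good_link.pem"))
        os.symlink("gone.pem", os.path.join(ssl_dir, "dangling.pem"))
        return {
            "missing": classify_symlink(os.path.join(ssl_dir, "absent.pem")),
            "regular": classify_symlink(os.path.join(ssl_dir, "plain.pem")),
            "link": classify_symlink(os.path.join(ssl_dir, "good_link.pem")),
            "dangling": classify_symlink(os.path.join(ssl_dir, "dangling.pem")),
            "dir_ok": check_ssl_dir(ssl_dir, os.getuid(), os.getgid(), 0o755),
            "dir_bad": check_ssl_dir(ssl_dir, os.getuid(), os.getgid(), 0o700),
        }

if __name__ == "__main__":
    print(demo())
```

On a real box, call classify_symlink("/home/user-data/ssl/ssl_certificate.pem") and check_ssl_dir("/home/user-data/ssl") as root; "not-a-symlink" is the state that produces the traceback's error.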

Thanks again for your help!
I tried these and have the same result. As root user, I even tried chown -R root:root /home/user-data/ssl/ which made all the contents of the directory root:root (some files were ubuntu:ubuntu).
Something seems wrong with Letsencrypt. The directory /etc/letsencrypt/live is empty. Perhaps Letsencrypt is setup differently in MIAB compared to an Apache website? I would normally expect to see the domain and sub-domains that have issued certificates there.
If I run ‘sudo certbot certificates’ the response is “No certificates found”. Strange?

Any other suggestions would be appreciated.

Yes it is set up differently.

Rerun sudo mailinabox which should reinstall LE. But first, delete the contents of the /home/user-data/ssl/ directory … at the point you are at the directory should be empty, so I am not sure what contents you are referring to when you mention that the ownership of the files is root:root.

Hi,
The directory was not empty. I deleted its contents and re-ran ‘sudo mailinabox’.
Now when I try to provision the certificates I get:

office.sucofa.com, mta-sts.office.sucofa.com, autoconfig.sucofa.com, autodiscover.sucofa.com, mta-sts.sucofa.com, mta-sts.mta-sts.sucofa.com

Log:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Is there a convenient way for me to upload the letsencrypt log file for you to see?

I think I have it sorted out now. My instance of Ubuntu had Certbot installed. I have purged that, deleted the ssl directory and re-ran Mail-in-a-Box. The certificates have provisioned correctly now.

Hopefully this is a one-off situation.

Thanks for your help.

It should be. Glad that you have it sorted now.
