[BUG] certbot can not renew certificate #542

Closed
1 task done
Maxim4711 opened this issue Jan 24, 2025 · 2 comments

@Maxim4711

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

My docker-compose.yml:

services:
  swag:
    image: lscr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
      - URL=<mydomain>
      - SUBDOMAINS=wildcard
      - VALIDATION=dns
      - DNSPLUGIN=namecheap
    volumes:
      - /<path_to>/docker/swag/data/nginx/config:/config
    ports:
      - 443:443
      - 80:80
    restart: unless-stopped

Expected Behavior

No response

Steps To Reproduce

If I start from scratch with a new container, the errors are:

swag  | Using Let's Encrypt as the cert provider
swag  | SUBDOMAINS entered, processing
swag  | Wildcard cert for <mydomain> will be requested
swag  | No e-mail address entered or address invalid
swag  | dns validation via namecheap plugin is selected
swag  | Generating new certificate
swag  | Saving debug log to /config/log/letsencrypt/letsencrypt.log
swag  | Account registered.
swag  | Requesting a certificate for <mydomain> and *.<mydomain>
swag  | Unsafe permissions on credentials configuration file: /config/dns-conf/namecheap.ini
swag  | Unable to determine zone identifier for <mydomain> using zone names: ['<mydomain>', '<mysubdomain>']
swag  | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /config/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
swag  | ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/namecheap.ini file.

Environment

- OS:
- How docker service was installed:

CPU architecture

x86-64

Docker creation

docker compose up -d

Container logs

swag  | [migrations] started
swag  | [migrations] 01-nginx-site-confs-default: skipped
swag  | [migrations] 02-swag-old-certbot-paths: executing...
swag  | [migrations] 02-swag-old-certbot-paths: succeeded
swag  | [migrations] done
swag  | ───────────────────────────────────────
swag  |
swag  |       ██╗     ███████╗██╗ ██████╗
swag  |       ██║     ██╔════╝██║██╔═══██╗
swag  |       ██║     ███████╗██║██║   ██║
swag  |       ██║     ╚════██║██║██║   ██║
swag  |       ███████╗███████║██║╚██████╔╝
swag  |       ╚══════╝╚══════╝╚═╝ ╚═════╝
swag  |
swag  |    Brought to you by linuxserver.io
swag  | ───────────────────────────────────────
swag  |
swag  | To support the app dev(s) visit:
swag  | Certbot: https://supporters.eff.org/donate/support-work-on-certbot
swag  |
swag  | To support LSIO projects visit:
swag  | https://www.linuxserver.io/donate/
swag  |
swag  | ───────────────────────────────────────
swag  | GID/UID
swag  | ───────────────────────────────────────
swag  |
swag  | User UID:    1000
swag  | User GID:    1000
swag  | ───────────────────────────────────────
swag  | Linuxserver.io version: 3.1.0-ls359
swag  | Build-date: 2025-01-23T07:47:54+00:00
swag  | ───────────────────────────────────────
swag  |
swag  | using keys found in /config/keys
swag  | **** The following active confs have different version dates than the samples that are shipped. ****
swag  | **** This may be due to user customization or an update to the samples. ****
swag  | **** You should compare the following files to the samples in the same folder and update them. ****
swag  | **** Use the link at the top of the file to view the changelog. ****
swag  | ┌────────────┬────────────┬────────────────────────────────────────────────────────────────────────┐
swag  | │  old date  │  new date  │ path                                                                   │
swag  | ├────────────┼────────────┼────────────────────────────────────────────────────────────────────────┤
swag  | │ 2023-04-13 │ 2024-12-17 │ /config/nginx/nginx.conf                                               │
swag  | │ 2023-04-27 │ 2024-03-16 │ /config/nginx/authelia-server.conf                                     │
swag  | │ 2023-04-27 │ 2024-03-14 │ /config/nginx/authelia-location.conf                                   │
swag  | │ 2023-08-13 │ 2024-12-06 │ /config/nginx/ssl.conf                                                 │
swag  | │ 2023-06-05 │ 2024-12-17 │ /config/nginx/site-confs/default.conf                                  │
swag  | └────────────┴────────────┴────────────────────────────────────────────────────────────────────────┘
swag  | Variables set:
swag  | PUID=1000
swag  | PGID=1000
swag  | TZ=Europe/Berlin
swag  | URL=<mydomain>
swag  | SUBDOMAINS=wildcard
swag  | EXTRA_DOMAINS=
swag  | ONLY_SUBDOMAINS=false
swag  | VALIDATION=dns
swag  | CERTPROVIDER=
swag  | DNSPLUGIN=namecheap
swag  | EMAIL=
swag  | STAGING=
swag  |
swag  | Using Let's Encrypt as the cert provider
swag  | SUBDOMAINS entered, processing
swag  | Wildcard cert for <mydomain> will be requested
swag  | No e-mail address entered or address invalid
swag  | dns validation via namecheap plugin is selected
swag  | Certificate exists; parameters unchanged; starting nginx
swag  | The cert is either expired or it expires within the next day. Attempting to renew. This could take up to 10 minutes.
swag  | <------------------------------------------------->
swag  |
swag  | <------------------------------------------------->
swag  | cronjob running on Fri Jan 24 08:41:47 CET 2025
swag  | Running certbot renew
swag  | Saving debug log to /config/log/letsencrypt/letsencrypt.log
swag  |
swag  | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
swag  | Processing /config/etc/letsencrypt/renewal/<mydomain>.conf
swag  | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
swag  | Renewal configuration file /config/etc/letsencrypt/renewal/<mydomain>.conf is broken.
swag  | The error was: expected /config/etc/letsencrypt/live/<mydomain>/cert.pem to be a symlink
swag  | Skipping.
swag  |
swag  | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
swag  | No renewals were attempted.
swag  |
swag  | Additionally, the following renewal configurations were invalid:
swag  |   /config/etc/letsencrypt/renewal/<mydomain>.conf (parsefail)
swag  | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
swag  | 0 renew failure(s), 1 parse failure(s)
swag  | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /config/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
swag  |     The following nginx confs are using certificates from the obsolete location
swag  |     /etc/letsencrypt and should be updated to point to /config/etc/letsencrypt
swag  |
swag  |     /config/nginx/proxy-confs/outline.subdomain.conf.1
swag  | /config/nginx/proxy-confs/outline.subdomain.conf
swag  | [custom-init] No custom files found, skipping...
swag  | [ls.io-init] done.
swag  | 2025/01/24 08:41:50 [warn] 785#785: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /config/nginx/site-confs/default.conf:15
swag  | 2025/01/24 08:41:50 [warn] 785#785: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /config/nginx/site-confs/default.conf:16
swag  | Server ready
@thespad
Member

thespad commented Jan 24, 2025

swag  | Renewal configuration file /config/etc/letsencrypt/renewal/<mydomain>.conf is broken.
swag  | The error was: expected /config/etc/letsencrypt/live/<mydomain>/cert.pem to be a symlink
swag  | Skipping.

You have likely moved or restored from backup your swag data and the symlinks have broken. The certs in that directory should be symlinks to /config/etc/letsencrypt/archive/<mydomain>/

@Maxim4711
Author

No. It is true that I restored my swag data from backup, but even with a new container from scratch (without any data) certbot fails. The issue was that I failed to provide the DNS plugin credentials, so in any case it was my fault.

Regards

Maxim

@LinuxServer-CI LinuxServer-CI moved this from Issues to Done in Issue & PR Tracker Jan 24, 2025
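
Both failure modes in this thread can be checked before certbot runs: regular files or dangling links under `live/` after a restore, and a DNS credentials file that is missing, empty or readable by other users. The script below is an added example, not code from the SWAG project or from either commenter; `check_certbot_tree` and the `example.test` demo tree are hypothetical, while the `live/`, `archive/` and `dns-conf/namecheap.ini` layout comes from the logs above.

```bash
#!/usr/bin/env bash
# Added example (not SWAG or certbot code). check_certbot_tree is a hypothetical name.
# Usage: check_certbot_tree LETSENCRYPT_DIR DOMAIN CREDENTIALS_FILE
# Prints one finding per line; returns 0 when the tree is clean, 1 otherwise.
check_certbot_tree() {
    local le=$1 domain=$2 cred=$3 findings=0 name link target archive mode
    archive=$(readlink -f "$le/archive/$domain" 2>/dev/null) || archive=""

    for name in cert.pem chain.pem fullchain.pem privkey.pem; do
        link="$le/live/$domain/$name"
        if [ ! -L "$link" ]; then
            # Regular file or missing entry: certbot reports "expected ... to be a symlink".
            echo "NOT_SYMLINK $link"; findings=$((findings + 1)); continue
        fi
        if [ ! -e "$link" ]; then
            # The link survived the restore but its target did not.
            echo "DANGLING $link"; findings=$((findings + 1)); continue
        fi
        target=$(readlink -f "$link")
        case "$target" in
            "${archive:-/nonexistent}"/*) ;;   # resolves inside archive/<domain>/
            *) echo "OUTSIDE_ARCHIVE $link -> $target"; findings=$((findings + 1)) ;;
        esac
    done

    if [ ! -s "$cred" ]; then
        echo "CREDENTIALS_MISSING_OR_EMPTY $cred"; findings=$((findings + 1))
    else
        mode=$(stat -c '%a' "$cred")
        # Deliberately strict: flag any group or other permission bit on the secrets file.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "CREDENTIALS_MODE_$mode $cred"; findings=$((findings + 1))
        fi
    fi
    [ "$findings" -eq 0 ]
}

# Constructed demo tree: a restore that copied cert.pem as a regular file.
demo=$(mktemp -d)
mkdir -p "$demo/le/archive/example.test" "$demo/le/live/example.test" "$demo/dns-conf"
for n in chain fullchain privkey; do
    : > "$demo/le/archive/example.test/${n}1.pem"
    ln -s "../../archive/example.test/${n}1.pem" "$demo/le/live/example.test/$n.pem"
done
: > "$demo/le/live/example.test/cert.pem"            # no longer a symlink
echo "placeholder = constructed" > "$demo/dns-conf/namecheap.ini"
chmod 644 "$demo/dns-conf/namecheap.ini"
check_certbot_tree "$demo/le" example.test "$demo/dns-conf/namecheap.ini" || true
```

Inside the container from this issue the equivalent call would be `check_certbot_tree /config/etc/letsencrypt <mydomain> /config/dns-conf/namecheap.ini`.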