nginx cannot load certificate fullchain.pem – Certbot Fix

The error nginx: [emerg] cannot load certificate path/fullchain.pem appears when we test the NGINX configuration after deleting Let’s Encrypt certificates that were generated with Certbot.

On the server, the error looks like this:

nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/example.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/example.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

Background of the nginx error

In a previous article, I showed how to delete from Certbot the domains that were hosted on the server in the past but are no longer active: Delete old domains Certbot certificates (Let's Encrypt Certificate).

When you delete SSL certificates for active domains that are still hosted on the server, using the command sudo certbot delete, the certificate is deleted automatically, but it remains active in sessions until the nginx service is restarted. When you test the configuration with the nginx -t command, you may be surprised that the test fails with the above error. However, the solution is very simple.


Fix for nginx: [emerg] cannot load certificate fullchain.pem

When you install a Let’s Encrypt SSL certificate with Certbot, a few lines that reference the certificate are added to the nginx configuration file for the domain. When the certificate is deleted, these lines remain in the nginx configuration and must be deleted manually. These are the lines below:

.....    

    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    server_name example.com www.example.com;
    listen 80;
    return 404; # managed by Certbot

After deleting these lines from the nginx configuration file of the domain whose SSL certificate you removed, run the command nginx -t to check that everything is OK.

[root@server]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@server]# 

Now you can safely restart the nginx service.
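To find every nginx directive that still points at a deleted certificate file, before nginx -t reports them one at a time, a check like the following can be run over the configuration directory. This is an added example, not part of the original article; the function name find_dangling_certs is hypothetical, and it assumes absolute paths and configuration file names without colons or spaces.

```shell
#!/bin/sh
# Added example (not from the original article). find_dangling_certs is a
# hypothetical helper name. It lists nginx directives whose certificate, key
# or DH-parameter file no longer exists, e.g. after `certbot delete`.
#
# Assumptions: referenced paths are absolute, config file names contain no
# ':' or spaces, and every file under the directory is scanned, including
# site files that are present but not enabled.
find_dangling_certs() {
    conf_dir=$1
    # Match only active directives; commented-out lines start with '#'.
    { grep -rnHE \
        '^[[:space:]]*(ssl_certificate|ssl_certificate_key|ssl_trusted_certificate|ssl_dhparam)[[:space:]]' \
        "$conf_dir" 2>/dev/null || true; } |
    # Reduce "file:line:  directive /path; # comment" to "file:line /path".
    sed -E 's/^([^:]+:[0-9]+):[[:space:]]*[a-z_]+[[:space:]]+"?([^";[:space:]]+).*$/\1 \2/' |
    while read -r loc path; do
        case $path in
            /*) ;;            # absolute path: check it
            *)  continue ;;   # relative path, variable or unparsed line: skip
        esac
        # Report the config location and the file that is missing.
        [ -e "$path" ] || printf '%s: %s\n' "$loc" "$path"
    done
    return 0
}

# Typical use before testing or restarting nginx:
#   find_dangling_certs /etc/nginx
```

Empty output means every referenced file exists; each reported line gives the configuration file, the line number and the missing path.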

Passionate about technology, I enjoy writing on StealthSettings.com since 2006. I have a rich experience in operating systems: macOS, Windows, and Linux, as well as in programming languages and blogging platforms (WordPress) and for online stores (WooCommerce, Magento, PrestaShop).
