Are you trying to change the key type of the certificate named xxx.xxx.xxx from ECDSA to RSA?

Hello. Today I tried to update the certificate for the Zimbra mail server and received the following error:

ERROR:certbot._internal.log:Are you trying to change the key type of the certificate named mail.xxx.xxx from ECDSA to RSA? Please provide both --cert-name and --key-type on the command line to confirm the change you are trying to make.

How can I fix this?

Thank you

1 Like

Hi @denchik13, and welcome to the LE community forum :)

Please show the full command you ran.

3 Likes

Hi @rg305 The command I'm trying to run is:
/usr/local/sbin/certbot certonly -d mail.xxx.xxx --standalone --preferred-chain "ISRG Root X1" --agree-tos --register-unsafely-without-email

I'm trying to update a certificate using this instruction:
Installing a LetsEncrypt SSL Certificate - Zimbra :: Tech Center

What does this show?

certbot certificates

3 Likes

[root@mail ]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: mail.xxx.xxx
Serial Number: 3c46e92xxxxxxxxxxxxxxxxxxxxx
Key Type: ECDSA
Domains: mail.xxx.xxx
Expiry Date: 2024-04-11 16:51:20+00:00 (VALID: 63 days)
Certificate Path: /etc/letsencrypt/live/mail.xxx.xxx/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.xxx.xxx/privkey.pem


That shows you already have a valid cert for that name.
The command you ran was for when you don't have a cert [first time run].

Unless you are trying to replace the ECDSA type with an RSA type cert.

IIRC, Zimbra doesn't work well with ECDSA certs.

3 Likes

@rg305 Thank you for your answers.
As I understand from your comment, the certificates were updated but were not delivered to Zimbra? Because on the Zimbra web page I still have a non-updated certificate.

I also see the following error in the log file:

:INFO:certbot._internal.storage:Attempting to parse the version 2.8.0 renewal configuration file found at /etc/letsencrypt/renewal/mail.xxx.xxx.conf with version 1.23.0 of Certbot. This might not work.

Could this be somehow related?

1 Like

No.

My best guess is that Zimbra doesn't like the ECDSA cert type.
You need to switch that to RSA type, by adding:
--key-type rsa --rsa-key-size 2048

3 Likes
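An added example, not part of the original thread: a pre-flight check that reads a certbot renewal config, reports the stored key type and the certbot version that wrote it, and prints the command with both `--cert-name` and `--key-type` that the error message asks for. The config content is constructed sample data, `mail.example.com` is a placeholder, and treating a missing `key_type` line as RSA is an assumption.

```bash
#!/usr/bin/env bash
# Added example. The renewal config below is constructed sample data and
# mail.example.com is a placeholder name.
sample_conf() {
cat <<'EOF'
# renew_before_expiry = 30 days
version = 2.8.0
archive_dir = /etc/letsencrypt/archive/mail.example.com
[renewalparams]
authenticator = standalone
key_type = ecdsa
EOF
}

# conf_get FILE KEY: print the value of the first "KEY = value" line.
conf_get() {
  sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_key_type_change FILE WANTED_TYPE RUNNING_CERTBOT_VERSION
check_key_type_change() {
  conf=$1; want=$2; running=$3
  name=$(basename "$conf" .conf)      # certificate name = config file name
  have=$(conf_get "$conf" key_type)
  have=${have:-rsa}                   # assumption: no key_type line means RSA
  written=$(conf_get "$conf" version)
  # The newer of the two versions, using version-aware sort.
  newest=$(printf '%s\n' "$written" "$running" | sort -V | tail -n 1)
  if [ -n "$written" ] && [ "$newest" != "$running" ]; then
    echo "WARN: config written by certbot $written, running certbot is $running"
  fi
  if [ "$have" = "$want" ]; then
    echo "OK: $name already uses $have"
  else
    echo "CHANGE: $name $have -> $want, confirm with both flags:"
    # Assumption: the certificate name is also its only domain, as on the page.
    echo "certbot certonly --standalone --cert-name $name -d $name --key-type $want"
  fi
}

# Demo on the constructed config: ECDSA stored, RSA wanted, old certbot running.
demo_dir=$(mktemp -d)
sample_conf > "$demo_dir/mail.example.com.conf"
check_key_type_change "$demo_dir/mail.example.com.conf" rsa 1.23.0
rm -rf "$demo_dir"
```

The function only prints the command; on a real host the config path would be `/etc/letsencrypt/renewal/<cert-name>.conf` and the running version comes from `certbot --version`.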

@rg305 Unfortunately your advice didn't help... I got the same error.

Please show the complete command you ran.

3 Likes
