Are you trying to change the key type of the certificate named xxx.xxx.xxx from ECDSA to RSA?

Hello. Today I tried to update the certificate for the Zimbra mail server and received the following error:

ERROR:certbot._internal.log:Are you trying to change the key type of the certificate named mail.xxx.xxx from ECDSA to RSA? Please provide both --cert-name and --key-type on the command line to confirm the change you are trying to make.

How can I fix this?

Thank you

1 Like

Hi @denchik13, and welcome to the LE community forum :slight_smile:

Please show the full command you ran.

3 Likes

Hi @rg305 The command I'm trying to run is:
/usr/local/sbin/certbot certonly -d mail.xxx.xxx --standalone --preferred-chain "ISRG Root X1" --agree-tos --register-unsafely-without-email

I'm trying to update a certificate using this instruction:
Installing a LetsEncrypt SSL Certificate - Zimbra :: Tech Center

What shows?:

certbot certificates

3 Likes

[root@mail ]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: mail.xxx.xxx
Serial Number: 3c46e92xxxxxxxxxxxxxxxxxxxxx
Key Type: ECDSA
Domains: mail.xxx.xxx
Expiry Date: 2024-04-11 16:51:20+00:00 (VALID: 63 days)
Certificate Path: /etc/letsencrypt/live/mail.xxx.xxx/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.xxx.xxx/privkey.pem


That shows you already have a valid cert for that name.
The command you ran was for when you don't have a cert [first time run].

Unless, you are trying to replace the ECDSA type with an RSA type cert.

IIRC, Zimbra doesn't work well with ECDSA certs.

3 Likes

@rg305 Thank you for your answers.
As I understand from your comment, the certificates were updated but were not delivered to Zimbra? because on the Zimbra web page I still have a non-updated certificate.

I also see the following error in the log file:

:INFO:certbot._internal.storage:Attempting to parse the version 2.8.0 renewal configuration file found at /etc/letsencrypt/renewal/mail.xxx.xxx.conf with version 1.23.0 of Certbot. This might not work.

could this be somehow related?

1 Like

No.

My best guess is that Zimbra doesn't like the ECDSA cert type.
You need to switch that to RSA type, by adding:
--key-type rsa --rsa-key-size 2048

3 Likes

@rg305 unfortunately your advice didn't help... I got the same error

Please show the complete command you ran.

3 Likes