Are you trying to change the key type of the certificate named xxx.xxx.xxx from ECDSA to RSA?

Hello. Today I tried to update the certificate for the Zimbra mail server and received the following error:

ERROR:certbot._internal.log:Are you trying to change the key type of the certificate named mail.xxx.xxx from ECDSA to RSA? Please provide both --cert-name and --key-type on the command line to confirm the change you are trying to make.

How can I fix this?

Thank you

Hi @denchik13, and welcome to the LE community forum :slight_smile:

Please show the full command you ran.

Hi @rg305 The command I'm trying to run is:
/usr/local/sbin/certbot certonly -d mail.xxx.xxx --standalone --preferred-chain "ISRG Root X1" --agree-tos --register-unsafely-without-email

I'm trying to update a certificate using this instruction:
Installing a LetsEncrypt SSL Certificate - Zimbra :: Tech Center

What shows?:

certbot certificates

[root@mail ]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: mail.xxx.xxx
Serial Number: 3c46e92xxxxxxxxxxxxxxxxxxxxx
Key Type: ECDSA
Domains: mail.xxx.xxx
Expiry Date: 2024-04-11 16:51:20+00:00 (VALID: 63 days)
Certificate Path: /etc/letsencrypt/live/mail.xxx.xxx/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.xxx.xxx/privkey.pem


That shows you already have a valid cert for that name.
The command you ran was for when you don't have a cert [first time run].

Unless, you are trying to replace the ECDSA type with an RSA type cert.

IIRC, Zimbra doesn't work well with ECDSA certs.

@rg305 Thank you for your answers.
As I understand from your comment, the certificates were updated but were not delivered to Zimbra? because on the Zimbra web page I still have a non-updated certificate.

I also see the following error in the log file:

:INFO:certbot._internal.storage:Attempting to parse the version 2.8.0 renewal configuration file found at /etc/letsencrypt/renewal/mail.xxx.xxx.conf with version 1.23.0 of Certbot. This might not work.

could this be somehow related?

No.

My best guess is that Zimbra doesn't like the ECDSA cert type.
You need to switch that to RSA type, by adding:
--key-type rsa --rsa-key-size 2048

@rg305 unfortunately your advice didn't help... I got the same error

Please show the complete command you ran.