Auto renewing via cron job only issuing 2048 key size

When the cron job runs to renew, it renews as 2048 Key size rather than 4096, how can I make sure it renews as only 4096 with HSTS enabled?

@reboot /root/ensureBots.sh "Restarted after server reboot!" > /home/devops/res$
30 2 * * 1 /usr/bin/letsencrypt renew >> /var/log/le-renew.log

You can create or edit /etc/letsencrypt/cli.ini with rsa-key-size = 4096 to force 4096-bit keys for all domains.

Or, if you only want that keylength for certain domains, you can instead add that option to the renewal configuration file for the relevant domain in /etc/letsencrypt/renewal. (Or rerun the command you ran to issue the certificate in the first place with the --rsa-key-size=4096 option added and it should save that option to the renewal configuration file for you.)

1 Like

What if I wanted an RSA key size of… 3456 bits?
(useless fact: 3^3*2^7 = 3456)

No idea what I should add in that file. Just the flags?

@JoyalV just add:

rsa-key-size = 4096

@rg305 I think it has to be a power of 2. :smirk:

1 Like

There may not be an easy/automated way to generate non-standard-size key certs and the required CSR. But it is indeed possible and should be accepted by any CA, given the key size is within the CA-imposed limits: generally 2048-4096.

Here is just such an example:
An LE public cert for an RSA 3456 bit key :smile:
-----BEGIN CERTIFICATE-----
[certificate body not preserved on this page]
-----END CERTIFICATE-----

This is all becoming exceptionally off-topic. The question was how to change this setting, not what values are valid key lengths. I would move this discussion of non-standard key lengths to a new topic if anyone’s interested in further discussion.

Not exactly off topic… But I can see how it could be its own topic of discussion.
The topic is "Auto renewing via cron job only issuing 2048 key size"
There was discussion on the valid key size choices available.
Generally considered to be only 2048 and 4096.
And those two choices may be built-in to certbot (question not yet answered).
I showed how there are more than just the binary exponential choices available to LE.
Now someone can continue the discussion on how to specify the required size via cron.

@JoyalV as @Patches mentioned, simply add the key size to the .conf file for the domain in /etc/letsencrypt/renewal, as in the example below; just add the rsa_key_size parameter.

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
rsa_key_size = 4096
1 Like
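The two answers above (a default in /etc/letsencrypt/cli.ini, or an rsa_key_size line in the [renewalparams] section of each lineage's /etc/letsencrypt/renewal/<name>.conf) both only take effect at the next renewal, and the per-lineage file wins, so a 2048 left in any renewal file keeps coming back as 2048. The script below is an added example, not code from this thread or from certbot: it parses renewal files in certbot's layout (the header keys before the first section are why configparser cannot read them), reports every lineage whose effective size is below 4096 (treating a missing rsa_key_size as certbot's 2048 default), and with --fix rewrites the [renewalparams] section in place. The lineages example.com and example.net and the sample file contents are constructed for the demo.

```python
#!/usr/bin/env python3
"""Audit (and optionally fix) the RSA key size certbot will use at renewal.

Added example for this thread, not code from the original posts or from certbot.
Certbot keeps one renewal file per lineage in /etc/letsencrypt/renewal/<name>.conf;
the size of the key generated at renewal is rsa_key_size in its [renewalparams]
section, and certbot falls back to 2048 when that key is absent.
"""
import re
import sys
import tempfile
from pathlib import Path

RENEWAL_DIR = Path("/etc/letsencrypt/renewal")   # certbot's default location
WANTED_BITS = 4096
CERTBOT_DEFAULT_BITS = 2048                       # used when rsa_key_size is missing

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KV_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_renewal_conf(text):
    """Return {section: {key: value}}; header keys before any [section] land under ""."""
    sections, current = {"": {}}, ""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if m := SECTION_RE.match(line):
            current = m.group(1)
            sections.setdefault(current, {})
        elif m := KV_RE.match(line):
            sections[current][m.group(1)] = m.group(2)
    return sections


def effective_rsa_bits(text):
    """Key size certbot will generate for this lineage on its next renewal."""
    value = parse_renewal_conf(text).get("renewalparams", {}).get("rsa_key_size")
    return int(value) if value is not None else CERTBOT_DEFAULT_BITS


def set_rsa_key_size(text, bits):
    """Rewrite text so [renewalparams] holds exactly one rsa_key_size = bits line."""
    out, in_params, done = [], False, False
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            if in_params and not done:           # leaving [renewalparams] without seeing the key
                out.append(f"rsa_key_size = {bits}")
                done = True
            in_params = m.group(1) == "renewalparams"
            out.append(line)
            continue
        kv = KV_RE.match(line)
        if in_params and kv and kv.group(1) == "rsa_key_size":
            if not done:                         # replace the first occurrence, drop duplicates
                out.append(f"rsa_key_size = {bits}")
                done = True
            continue
        out.append(line)
    if not done:                                 # never seen: append it, creating the section if needed
        if not in_params:
            out.append("[renewalparams]")
        out.append(f"rsa_key_size = {bits}")
    return "\n".join(out) + "\n"


def audit(conf_dir, wanted=WANTED_BITS):
    """List (lineage, effective bits) for every renewal file below the wanted size."""
    return [(p.stem, bits) for p in sorted(Path(conf_dir).glob("*.conf"))
            if (bits := effective_rsa_bits(p.read_text())) < wanted]


def fix(conf_dir, wanted=WANTED_BITS):
    """Rewrite every weak renewal file in place; returns the lineages changed."""
    changed = []
    for name, _ in audit(conf_dir, wanted):
        path = Path(conf_dir) / f"{name}.conf"
        path.write_text(set_rsa_key_size(path.read_text(), wanted))
        changed.append(name)
    return changed


# Constructed sample in certbot's renewal-file layout; "example.com" is hypothetical.
SAMPLE_WEAK = """\
# renew_before_expiry = 30 days
version = 1.0.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
rsa_key_size = 2048
"""


def demo():
    """Run audit -> fix -> audit on a throwaway directory; returns (before, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "example.com.conf").write_text(SAMPLE_WEAK)
        # Second constructed lineage with no rsa_key_size at all, so certbot's default applies.
        (Path(tmp) / "example.net.conf").write_text(
            "version = 1.0.0\n[renewalparams]\nauthenticator = webroot\n")
        before = audit(tmp)
        fix(tmp)
        return before, audit(tmp)


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--fix"]
    target = Path(args[0]) if args else RENEWAL_DIR
    if "--fix" in sys.argv:
        print("rewrote:", fix(target))
    for name, bits in audit(target):
        print(f"{name}: will renew with {bits}-bit RSA (< {WANTED_BITS})")
```

Run it as root against the real directory (`./audit_rsa_size.py` to report, `./audit_rsa_size.py --fix` to rewrite); the larger key only exists after the next renewal, so either wait for the cron job or run `certbot renew --force-renewal` and then confirm with `openssl x509 -in /etc/letsencrypt/live/<lineage>/cert.pem -noout -text | grep -A1 'Public Key Algorithm'`. Two caveats: a cli.ini default does not override a smaller value already stored in a renewal file, which is why the per-lineage audit is the reliable check; and certbot 2.0 and later default to ECDSA keys, so on those versions rsa_key_size only matters when key_type = rsa is also set in [renewalparams] (or --key-type rsa is given on the command line).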

That looks good.
But does anyone know if other sizes (between 2048 and 4096) can also be used?

Thanks. I will add that
