CertBot produces a blank privatekey.pem

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: http://files.sinclairprinting.com

  1. I ran this command: /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)" and

  2. It produced this output: ==> Installation successful!

  3. I ran this command: brew install certbot

  4. It produced this output: ==> Summary
    :beer: /usr/local/Cellar/python/3.7.4_1: 3,958 files, 60.5MB
    ==> Installing certbot
    ==> Downloading https://homebrew.bintray.com/bottles/certbot-0.37.1_2.high_sierr
    ==> Downloading from https://akamai.bintray.com/6f/6f10447ba63bbd5b0d5e28f15975d
    ######################################################################## 100.0%
    ==> Pouring certbot-0.37.1_2.high_sierra.bottle.tar.gz
    :beer: /usr/local/Cellar/certbot/0.37.1_2: 2,563 files, 17.9MB
    ==> Caveats
    ==> readline
    readline is keg-only, which means it was not symlinked into /usr/local,
    because macOS provides the BSD libedit library, which shadows libreadline.
    In order to prevent conflicts when programs look for libreadline we are
    defaulting this GNU Readline installation to keg-only.

For compilers to find readline you may need to set:
export LDFLAGS="-L/usr/local/opt/readline/lib"
export CPPFLAGS="-I/usr/local/opt/readline/include"

==> augeas
Lenses have been installed to:
/usr/local/share/augeas/lenses/dist
==> openssl@1.1
A CA file has been bootstrapped using certificates from the system
keychain. To add additional certificates, place .pem files in
/usr/local/etc/openssl@1.1/certs

and run
/usr/local/opt/openssl@1.1/bin/c_rehash

openssl@1.1 is keg-only, which means it was not symlinked into /usr/local,
because openssl/libressl is provided by macOS so don’t link an incompatible version.

If you need to have openssl@1.1 first in your PATH run:
echo 'export PATH="/usr/local/opt/openssl@1.1/bin:$PATH"' >> ~/.bash_profile

For compilers to find openssl@1.1 you may need to set:
export LDFLAGS="-L/usr/local/opt/openssl@1.1/lib"
export CPPFLAGS="-I/usr/local/opt/openssl@1.1/include"

==> sqlite
sqlite is keg-only, which means it was not symlinked into /usr/local,
because macOS provides an older sqlite3.

If you need to have sqlite first in your PATH run:
echo 'export PATH="/usr/local/opt/sqlite/bin:$PATH"' >> ~/.bash_profile

For compilers to find sqlite you may need to set:
export LDFLAGS="-L/usr/local/opt/sqlite/lib"
export CPPFLAGS="-I/usr/local/opt/sqlite/include"

==> python
Python has been installed as
/usr/local/bin/python3

Unversioned symlinks python, python-config, pip etc. pointing to
python3, python3-config, pip3 etc., respectively, have been installed into
/usr/local/opt/python/libexec/bin

If you need Homebrew’s Python 2.7 run
brew install python@2

You can install Python packages with
pip3 install
They will install into the site-package directory
/usr/local/lib/python3.7/site-packages

See: https://docs.brew.sh/Homebrew-and-Python

  1. I ran this command: certbot certonly

  2. It produced this output: mac-mini:~ spc$ sudo certbot certonly
    Password:
    Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): files.sinclairprinting.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for files.sinclairprinting.com
Input the webroot for files.sinclairprinting.com: (Enter ‘c’ to cancel): /usr/local/Rumpus/
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/files.sinclairprinting.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/files.sinclairprinting.com/privkey.pem
    Your cert will expire on 2020-01-21. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version): Rumpus FTP server (trying to enable HTTPS)

The operating system my web server runs on is (include version): OSX 10.13.6

My hosting provider, if applicable, is: Mac server is on site and locally accessible.

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes? I am using the Rumpus FTP interface.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Certbot .37.1.2

So the issue I am having is that the privatekey.pem comes up blank when I attempt to load it into the private key area of Rumpus. Not sure if I am supposed to load this or keep using the “Generate a Certificate” where I generated a CSR for purchase of a trusted certificate. Thank you for your help.
-joeg

Hi @spclocal

Do it as sudo / root. There is a check of your domain, 90 minutes old - https://check-your-website.server-daten.de/?q=files.sinclairprinting.com#ct-logs

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2019-10-23 | 2020-01-21 | files.sinclairprinting.com - 1 entries | duplicate nr. 5 | next Letsencrypt certificate: 2019-10-30 04:46:02 |
| Let's Encrypt Authority X3 | 2019-10-23 | 2020-01-21 | files.sinclairprinting.com - 1 entries | duplicate nr. 4 | |
| Let's Encrypt Authority X3 | 2019-10-23 | 2020-01-21 | files.sinclairprinting.com - 1 entries | duplicate nr. 3 | |
| Let's Encrypt Authority X3 | 2019-10-23 | 2020-01-21 | files.sinclairprinting.com - 1 entries | duplicate nr. 2 | |
| Let's Encrypt Authority X3 | 2019-10-23 | 2020-01-21 | files.sinclairprinting.com - 1 entries | duplicate nr. 1 | |

You have hit the limit, don't create certificates again. Certificate creation works, it's an installation problem.

This is the second topic about blank key pem file in the past few hours:
See: Certbot generating blank PrivKey.pem

Hello all, I enabled the root user and am using sudo to create the cert in the terminal window but I keep getting a blank privkey.
I tried ftp.sinclairprinting.com instead of files.bangprinting.com because I am out of tries and I get a congratulations but a blank privkey.
I have tried this twice resulting in 2 blank privkeys. The cert, chain, and fullchain.pem appear to work just fine, it's the privkey that states it has 51 bytes of data but is blank. I cannot view the privkey file in a text editor either.
Is this a Mac osx issue?
thank you for your help and suggestions.
-joeg

I read through the other post and I indeed do not have permission to read the privkey file.
I had to go into the archive folder and modify the privkey file there in order to read the contents.
I copied the contents into Rumpus and I no longer get an error.
Thank you very much for your support and helping me understand the issue.
-joeg

Yes, the private key file is created based on the assumption of a multiuser Unix system and so it's only readable to the root user. I don't know how this interacts with the macOS graphical file display (although you would need to do something in order to access the file with administrative permissions); on the command line, you would normally use sudo with every command you enter that needs to read the contents of this file.
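A way to tell a permission problem from a genuinely empty key file on the command line, as an added example that is not part of the thread. The temp-directory layout, the placeholder key text and the function names are constructed for illustration, and the live/ to archive/ symlink arrangement is an assumption.

```shell
# Added example, not from the thread. All paths are constructed; the live/ ->
# archive/ symlink layout is assumed from the archive folder mentioned above.

# Octal mode of the file a path resolves to (GNU stat, then BSD/macOS stat).
file_mode() {
  stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

# A symlink's own size is the length of its target path, not of the key.
link_size() {
  lt=$(readlink "$1") && printf '%s\n' "${#lt}"
}

# Returns 0 = readable PEM key, 1 = present but unreadable for this user,
# 2 = not visible at all, 3 = readable but holds no PEM private key header.
diagnose_key() {
  key=$1
  if [ -L "$key" ]; then
    echo "symlink -> $(readlink "$key") ($(link_size "$key") bytes)"
  fi
  [ -e "$key" ] || { echo "not visible to $(id -un): use sudo"; return 2; }
  echo "mode of real file: $(file_mode "$key")"
  [ -r "$key" ] || { echo "not readable by $(id -un): use sudo"; return 1; }
  if head -n 1 "$key" | grep -q -e '-----BEGIN .*PRIVATE KEY-----'; then
    echo "PEM private key header present"
    return 0
  fi
  echo "readable but no PEM header: file is genuinely empty or damaged"
  return 3
}

# Build a constructed copy of the layout in a temp dir; print the live key path.
make_sample_layout() {
  root=$(mktemp -d)
  name=ftp.sinclairprinting.com
  mkdir -p "$root/archive/$name" "$root/live/$name"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed-placeholder-not-a-key' \
    '-----END PRIVATE KEY-----' > "$root/archive/$name/privkey1.pem"
  chmod 600 "$root/archive/$name/privkey1.pem"
  ln -s "../../archive/$name/privkey1.pem" "$root/live/$name/privkey.pem"
  printf '%s\n' "$root/live/$name/privkey.pem"
}

sample=$(make_sample_layout)
diagnose_key "$sample" || true
```

Run against a real key path, the function needs `sudo` for the same reason the file browser shows nothing: an unprivileged user gets result 1 or 2 rather than 3.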

Ah, thanks for reporting back. :+1:

So it was really a permission problem.

PS: And there is a new check, now the main things are ok. With a new certificate:

CN=ftp.sinclairprinting.com | 24.10.2019 | 22.01.2020 | expires in 90 days | files.sinclairprinting.com, ftp.sinclairprinting.com - 2 entries