CertBot produces a blank privatekey.pem

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: http://files.sinclairprinting.com

  1. I ran this command: /usr/bin/ruby -e “$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)” and

  2. It produced this output: ==> Installation successful!

  3. I ran this command: brew install certbot

  4. It produced this output: ==> Summary
    :beer: /usr/local/Cellar/python/3.7.4_1: 3,958 files, 60.5MB
    ==> Installing certbot
    ==> Downloading https://homebrew.bintray.com/bottles/certbot-0.37.1_2.high_sierr
    ==> Downloading from https://akamai.bintray.com/6f/6f10447ba63bbd5b0d5e28f15975d
    ######################################################################## 100.0%
    ==> Pouring certbot-0.37.1_2.high_sierra.bottle.tar.gz
    :beer: /usr/local/Cellar/certbot/0.37.1_2: 2,563 files, 17.9MB
    ==> Caveats
    ==> readline
    readline is keg-only, which means it was not symlinked into /usr/local,
    because macOS provides the BSD libedit library, which shadows libreadline.
    In order to prevent conflicts when programs look for libreadline we are
    defaulting this GNU Readline installation to keg-only.

For compilers to find readline you may need to set:
export LDFLAGS="-L/usr/local/opt/readline/lib"
export CPPFLAGS="-I/usr/local/opt/readline/include"

==> augeas
Lenses have been installed to:
==> openssl@1.1
A CA file has been bootstrapped using certificates from the system
keychain. To add additional certificates, place .pem files in

and run

openssl@1.1 is keg-only, which means it was not symlinked into /usr/local,
because openssl/libressl is provided by macOS so don’t link an incompatible version.

If you need to have openssl@1.1 first in your PATH run:
echo ‘export PATH="/usr/local/opt/openssl@1.1/bin:$PATH"’ >> ~/.bash_profile

For compilers to find openssl@1.1 you may need to set:
export LDFLAGS="-L/usr/local/opt/openssl@1.1/lib"
export CPPFLAGS="-I/usr/local/opt/openssl@1.1/include"

==> sqlite
sqlite is keg-only, which means it was not symlinked into /usr/local,
because macOS provides an older sqlite3.

If you need to have sqlite first in your PATH run:
echo ‘export PATH="/usr/local/opt/sqlite/bin:$PATH"’ >> ~/.bash_profile

For compilers to find sqlite you may need to set:
export LDFLAGS="-L/usr/local/opt/sqlite/lib"
export CPPFLAGS="-I/usr/local/opt/sqlite/include"

==> python
Python has been installed as

Unversioned symlinks python, python-config, pip etc. pointing to
python3, python3-config, pip3 etc., respectively, have been installed into

If you need Homebrew’s Python 2.7 run
brew install python@2

You can install Python packages with
pip3 install
They will install into the site-package directory

See: https://docs.brew.sh/Homebrew-and-Python

  1. I ran this command: certbot certonly

  2. It produced this output: mac-mini:~ spc$ sudo certbot certonly
    Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): files.sinclairprinting.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for files.sinclairprinting.com
Input the webroot for files.sinclairprinting.com: (Enter ‘c’ to cancel): /usr/local/Rumpus/
Waiting for verification…
Cleaning up challenges


  • Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your cert will expire on 2020-01-21. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version): Rumpus FTP server (trying to enable HTTPS)

The operating system my web server runs on is (include version): OSX 10.13.6

My hosting provider, if applicable, is: Mac server is on site and locally accessible.

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes? i am using the Rumpus FTP interface.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Certbot .37.1.2

So the issue i am having is that the privatekey.pem comes up blank when i attempt to load it into the private key area of Rumpus. Not sure if i am supposed to load this or keep using the “Generate a Certificate” where i generated a CSR for purchase of a trusted certificate. Thank you for your help.

1 Like

Hi @spclocal

do it as sudo / root. There is a check of your domain, 90 minutes old - https://check-your-website.server-daten.de/?q=files.sinclairprinting.com#ct-logs

Issuer not before not after Domain names LE-Duplicate next LE
Let's Encrypt Authority X3 2019-10-23 2020-01-21 files.sinclairprinting.com - 1 entries duplicate nr. 5 next Letsencrypt certificate: 2019-10-30 04:46:02
Let's Encrypt Authority X3 2019-10-23 2020-01-21 files.sinclairprinting.com - 1 entries duplicate nr. 4
Let's Encrypt Authority X3 2019-10-23 2020-01-21 files.sinclairprinting.com - 1 entries duplicate nr. 3
Let's Encrypt Authority X3 2019-10-23 2020-01-21 files.sinclairprinting.com - 1 entries duplicate nr. 2
Let's Encrypt Authority X3 2019-10-23 2020-01-21 files.sinclairprinting.com - 1 entries duplicate nr. 1

You have hitted the limit, don't create certificates again. Certificate creation works, it's an installation problem.

1 Like

This is the second topic about blank key pem file in the past few hours:
See: Certbot generating blank PrivKey.pem


Hello all, i enabled the root user and am using sudo to create the cert in the terminal window but i keep getting a blank privkey.
I tried ftp.sinclairprinting.com instead of files.bangprinting.com because i am out of tries and i get a congratulations but a blank privkey.
i have tried this twice resulting in 2 blank privkeys. The cert, chain, and fullchain.pem appear to work just fine, its the privkey that states it has 51bytes of data but is blank. i cannot view the privkey file in a text editor either.
Is this a Mac osx issue?
thank you for your help and suggestions.

1 Like

I read through the other post and i indeed do not have permission to read the privkey file.
I had to go into the archive folder and modify the privkey file there in order to read the contents.
I copied the contents into rumpus an i no longer get an error.
Thank you very much for your support and helping me understand the issue.


Yes, the private key file is created based on the assumption of a multiuser Unix system and so it's only readable to the root user. I don't know how this interacts with the macOS graphical file display (although you would need to do something in order to access the file with administrative permissions); on the command line, you would normally use sudo with every command you enter that needs to read the contents of this file.

1 Like

Ah, thanks for reporting back. :+1:

So it was really a permission problem.

PS: And there is a new check, now the main things are ok. With a new certificate:

expires in 90 days	
files.sinclairprinting.com, ftp.sinclairprinting.com - 2 entries

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.