Yesterday, after a regular renewal of my subscriber certificates, Apache and Postfix suddenly stopped working. Either service offers both EC and RSA certificates for maximum compatibility with the public Internet and after yesterday's renewal the RSA certificates also became EC certificates such that Apache and Postfix suddenly had two certificates of the same type. As a result, the OpenSSL library was not able to handle incoming TLS requests.
I was able to revert to the previous state, but the question is whether this sudden conversion of RSA certificates to EC certificates was a temporary hiccup or whether it points to a major change in the Letsencrypt client which I am unaware of. The incident happened yesterday around 20:02 CEST and last week I upgraded to Certbot 2.10.0.
Postfix configuration details
For example, my Postfix configuration looks like
smtpd_tls_chain_files =
/etc/letsencrypt/live/server.my-domain.tld:smtps-ec/privkey.pem,
/etc/letsencrypt/live/server.my-domain.tld:smtps-ec/fullchain.pem,
/etc/letsencrypt/live/server.my-domain.tld:smtps-rsa/privkey.pem,
/etc/letsencrypt/live/server.my-domain.tld:smtps-rsa/fullchain.pem
The EC certificate was originally requested with
certbot certonly \
-a webroot -i None \
--cert-name 'server.my-domain.tld:smtps-ec' \
-w /var/www/my-domain.tld/server -d server.my-domain.tld \
--key-type ecdsa --elliptic-curve secp384r1 \
--deploy-hook 'systemctl reload postfix'
and the corresponding configuration file looks like
$ cat server.my-domain.tld\:smtps-ec.conf
[renewalparams]
account = XXXXXX
key_type = ecdsa
elliptic_curve = secp384r1
renew_hook = systemctl reload postfix
authenticator = webroot
webroot_path = /var/www/my-domain.tld/server,
server = https://acme-v02.api.letsencrypt.org/directory
The RSA certificate was originally requested with
certbot certonly \
-a webroot -i None \
--cert-name 'server.my-domain.tld:smtps-rsa' \
-w /var/www/my-domain.tld/server -d server.my-domain.tld \
--key-type rsa --rsa-key-size 2048 \
--deploy-hook 'systemctl reload postfix'
and the corresponding configuration file looks like
$ cat server.my-domain.tld\:smtps-rsa.conf
[renewalparams]
account = XXXXXX
key_type = rsa
rsa_key_size = 2048
renew_hook = systemctl reload postfix
authenticator = webroot
webroot_path = /var/www/my-domain.tld/server,
server = https://acme-v02.api.letsencrypt.org/directory
The Apache configuration is similar, but I believe you get the gist. The problem with "double" EC certificates was that OpenSSL was not able to match the private key and the corresponding certificate based on key type and I got a lot of "TLS error: secret key does not match certificate".
After all RSA certificates had suddenly turned into EC certificates, too, a second, forced renewal also created EC certificates only. The only solution was to revoke all certificates, clean out the Certbot configuration directory and start from scratch. Now, everything is fine again.
But the nagging question remains whether I will run into the same issue again in 90 days.
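A defensive check for the failure mode described in this post, as an added example that is not part of the original post or of Certbot: a small POSIX shell script that, before a deploy hook reloads Postfix or Apache, verifies for each lineage that privkey.pem actually belongs to the leaf certificate in fullchain.pem (the condition behind "secret key does not match certificate"), that the certificate has the key type the lineage is supposed to carry, and that no two lineages would present the same key type (the "double EC" situation). The lineage paths and the `rsa:`/`ec:` prefixes are assumptions for illustration; the script relies only on the standard `openssl x509` and `openssl pkey` subcommands.

```shell
#!/bin/sh
# Added example (not from the post or from Certbot): sanity-check certbot-style
# lineages before reloading a TLS service.  Assumes the usual
# /etc/letsencrypt/live/<cert-name>/{privkey.pem,fullchain.pem} layout.

# cert_key_algo DIR -> prints "rsa", "ec" or "unknown" for the leaf certificate.
# openssl x509 reads only the first PEM block of fullchain.pem, i.e. the leaf.
cert_key_algo() {
    algo=$(openssl x509 -in "$1/fullchain.pem" -noout -text 2>/dev/null \
           | grep 'Public Key Algorithm' | head -n 1)
    case "$algo" in
        *rsaEncryption*)  echo rsa ;;
        *id-ecPublicKey*) echo ec ;;
        *)                echo unknown ;;
    esac
}

# key_matches_cert DIR -> exit 0 when privkey.pem and the leaf certificate carry
# the same SubjectPublicKeyInfo; this is the check OpenSSL itself fails when a
# key of one type is paired with a certificate of another.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$1/fullchain.pem" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# check_lineage EXPECTED_ALGO DIR -> exit 0 when the lineage is usable as intended.
check_lineage() {
    expected=$1; dir=$2
    if ! key_matches_cert "$dir"; then
        echo "FAIL $dir: private key does not match certificate" >&2
        return 1
    fi
    actual=$(cert_key_algo "$dir")
    if [ "$actual" != "$expected" ]; then
        echo "FAIL $dir: expected $expected certificate, got $actual" >&2
        return 1
    fi
    echo "OK   $dir: $actual key and certificate match"
}

# check_lineages TYPE:DIR ... -> exit 1 if any lineage fails its own check or if
# two lineages would present the same key type to one service.  Only the first
# colon separates TYPE from DIR, so cert names containing ':' are fine.
check_lineages() {
    status=0; seen=""
    for spec in "$@"; do
        expected=${spec%%:*}; dir=${spec#*:}
        check_lineage "$expected" "$dir" || status=1
        actual=$(cert_key_algo "$dir")
        case " $seen " in
            *" $actual "*) echo "FAIL $dir: duplicate $actual certificate type" >&2; status=1 ;;
        esac
        seen="$seen $actual"
    done
    return $status
}

# Hypothetical deploy-hook usage (paths are assumptions, not the post's setup):
#   check_lineages \
#     "ec:/etc/letsencrypt/live/server.my-domain.tld:smtps-ec" \
#     "rsa:/etc/letsencrypt/live/server.my-domain.tld:smtps-rsa" \
#   && systemctl reload postfix
```

Run as the body of the `--deploy-hook` instead of a bare `systemctl reload`, so a renewal that produces a mismatched or duplicate key type leaves the previously loaded certificates in service and writes a clear failure line to the hook's log instead of breaking TLS.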