"Error checking key quality" 500 error

crt.sh | neeron.me for what it's worth, but I'm not sure how useful that is since it's not renewing. I can't renew my certificate (Failed to renew certificate neeron.me with error: urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: error checking key quality). Found some information on the urn:ietf:params:acme:error:serverInternal error, but I have no idea what the 'key quality' issue is. (The renewals have been working for months, so I'm not sure if I need to make a new original key?)

My domain is: neeron.me

I ran this command: certbot renew -v / cat /var/log/letsencrypt/letsencrypt.log

It produced this output:

HTTP 500
Server: nginx
Date: Fri, 28 Jul 2023 00:11:29 GMT
Content-Type: application/problem+json
Content-Length: 116
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 88B8dT9PMQfMeutMWN1mws6ThNOVfR7rXmbKmglOPYJ1G6M

  "type": "urn:ietf:params:acme:error:serverInternal",
  "detail": "error checking key quality",
  "status": 500

(server response in log)

The operating system my web server runs on is (include version): Ubuntu 22.04.2 LTS

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

Same here. Tried 2x. Hopefully they get it sorted soon!

Hi @MrRoyce, and welcome to the LE community forum :slight_smile:

It might have something to do with the trouble message that was being displayed earlier:
Always check:
Let's Encrypt Status


Hi @NeuronButter, and welcome to the LE community forum :slight_smile:

These two things don't add up:

  • certbot renew -v
  • https://acme-staging-v02.api.letsencrypt.org/directory

[unless you are only using staging cert(s)]


Staging was briefly unhappy due to a hardware failure (we don’t have a lot of redundancy in staging, as it’s only a test environment).

These errors occurred because it failed to check the database to see if they were known-bad keys.

This should have resolved once we repaired the server.


I assumed they would've been production, and since they've been working for ages, I assumed it was like that from the beginning. The issue only occurred at the original post, but the renewals have worked today. I'm wondering if something in my configuration isn't set correctly to use the production server?

Your output clearly shows staging:

Link: <https://acme-staging-v02.api.…

If you’re using the —dry-run flag for certbot, I think it defaults to using staging for that.


Another possibility ... could you have created a cli.ini file for testing and forgot about it?



Thanks everyone for your replies. I think the confusion came out of the —dry-run flag, the log I grabbed was when I tried that one. It works as expected without the flag. Thanks again!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.