Issues with Certbot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dashboard.master-solutions.com

I ran this command: sudo certbot certonly --webroot -w /usr/lib/ciscobusiness/dashboard/www/letsencrypt/ -d dashboard.master-solutions.com -d pnpserver.master-solutions.com --deploy-hook "cat /etc/letsencrypt/live/dashboard.master-solutions.com/fullchain.pem /etc/ssl/certs/ISRG_Root_X1.pem > /tmp/cbdchain.pem; /usr/bin/cisco-business-dashboard importcert -t pem -kc /etc/letsencrypt/live/dashboard.master-solutions.com/privkey.pem -c /tmp/cbdchain.pem"

It produced this output: The certificate installed, however it resulted in an error 1: "Key is Malformed"

My web server is (include version): not sure

The operating system my web server runs on is (include version): Ubuntu 22

My hosting provider, if applicable, is: cloudflare

I can login to a root shell on my machine (yes or no, or I don't know): not sure

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.11.0

Here is the gist of the issue that I am having:
I set up a Cisco Business Dashboard for our organization for testing. We were able to get the certificate installed and running. However, after a period of testing we decided to go ahead and switch this to our prod environment, but we had to nuke the old dashboard due to an OS update that was not compatible with the dashboard.

We are setting up a new dashboard, and went through the certificate process again, and even though I get a message that the certificate was saved, I also get an error saying that the key is Malformed.

I tried to go back to the old dashboard and nuke the old certificate off of it, uninstalled and re-installed certbot, and a few other methods, and eventually it locked me out for the next 3 days. I don't really have any way of troubleshooting this now because there is a lock on our account until the 31st from making more certs.

Any ideas on what may have gone wrong? I am worried that in 3 days I'll just get locked out again if I don't find a solution. :frowning: I am following the following guide: Using Let’s Encrypt Certificates with Cisco Business Dashboard - Cisco

I'm not familiar with "Cisco Business Dashboard", but that guide you link seems to say at the top that it isn't needed anymore if you're using the latest version of their product.

And anything that needs you to provide both the fullchain and the root together is a little… weird.

But, as a wild guess, most cases of weird messages about invalid keys are due to old systems that don't realize that the world has mostly moved on from RSA and many things expect ECDSA support to work now. So you can try adding --key-type RSA to your certbot command, to use the older RSA key type instead, to see if your system likes that better.

5 Likes

The suggestion from Peter about RSA is a good one. All your certs issued July 19 and earlier were RSA. All after that were ECDSA.

Do you still have the July 19 cert around? You could run those "hook" commands manually against it if you do.

I think Certbot retains the most recent 6 certs in its /etc/letsencrypt/archive/... folder. If so you should have the July 16 cert there if you don't have some other backup of it.

5 Likes
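An added example, not part of the replies above and not Certbot's own tooling: a small script that lists each archived certificate with its issue date and key type, which is the RSA-versus-ECDSA comparison the replies describe. The function names are hypothetical, the OpenSSL command-line tool is assumed to be installed, and when run without an argument it uses constructed self-signed certificates instead of a real archive directory.

```sh
#!/bin/sh
# Added example: show the public-key algorithm of each archived certificate,
# so a switch from RSA to ECDSA between issuances is visible at a glance.

# key_type FILE -> RSA, ECDSA, or "other" (also for unreadable files).
key_type() {
    alg=$(openssl x509 -in "$1" -noout -text 2>/dev/null |
          sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    case "$alg" in
        rsaEncryption)  echo RSA ;;
        id-ecPublicKey) echo ECDSA ;;
        *)              echo other ;;
    esac
}

# list_archive DIR -> one line per certN.pem: file name, notBefore, key type.
list_archive() {
    for cert in "$1"/cert*.pem; do
        [ -e "$cert" ] || continue
        issued=$(openssl x509 -in "$cert" -noout -startdate 2>/dev/null | cut -d= -f2)
        printf '%s\t%s\t%s\n' "$(basename "$cert")" "$issued" "$(key_type "$cert")"
    done
}

# make_sample_archive DIR -> constructed self-signed certificates standing in
# for an archive directory: cert1.pem uses RSA, cert2.pem uses ECDSA P-256.
make_sample_archive() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/privkey1.pem" -out "$1/cert1.pem" 2>/dev/null
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 1 -subj "/CN=example.test" \
        -keyout "$1/privkey2.pem" -out "$1/cert2.pem" 2>/dev/null
}

if [ "$#" -gt 0 ]; then
    list_archive "$1"   # pass the lineage's directory under /etc/letsencrypt/archive/
else
    tmp=$(mktemp -d) && make_sample_archive "$tmp" && list_archive "$tmp"
    rm -rf "$tmp"
fi
```

Reading the archive directory normally requires root, so run it with sudo when pointing it at a real lineage.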

Thank you for your responses, Gents. I was able to get a resolution on this, so the case can be closed.

I was unaware, but when making a backup of the dashboard, it copied the certificate information as well, so when I restored the database from backup, the certificate and all of its information loaded in with it so problem solved :slight_smile:

3 Likes
