Key and Cert do not match? WTH?


Hey everyone,

I’m using Let’sEncrypt together with ISPConfig 3. This morning, I came across some strange behaviour. First: All of a sudden, my services completely restarted. I thought “Well, might happen sometimes” and didn’t think any of it, continues writing my mails when suddenly my mail client reported “SMTP server unreachable”.
Long story short: After analysis, my Apache finally gave me a clue: “Private key and certificate do not match”. It revoked the old certificate and issued a new, using certbot-auto (the only “client” ISPConfig currently works with)

certbot-auto certonly --standalone -d

Now, the certificate got issued and everything LOOKED fine, but when I replaced the existing self-signed certs with the LE ones (using ln -s), I still got the message “[…] do not match”

What’s going on? Am I too dumb to correctly configure the server?

I have checked DNS settings, everything is fine, so DNS is pretty much ruled out.

Thank you very much in advance.

Kind Regards




It looks as if you have your server slightly misconfigured somewhere, and are using the certificate for

What is your OS ? you should find the apache config files in either /etc/https or /etc/apache2 where you can check them directly.


I don’t know, where…actually…

I mean, when I enter the command as I did, I’d expect that a cert is issued for the entered name, and that key and cert contain the same set of information.
Where should LE get these information from, anyway? As far as I understand, the keyfile is also generated by LE. So I’d expect them to match perfectly.

All I do is to relink the ISPConfig certificate AND key to /etc/letsencrypt/live/ And then it shouldn’t matter anymore, since LE handles key and cert. ANd if they don’t match, I don’t know why. Is there any way to check the contents, like, some online service that reads the contents of a copy and pasted cert and key?


I’d check your symlink, as I suspect it’s pointing to the wrong certificate.

To check the certificate yourself you can use;

openssl x509 -noout -text -in /etc/letsencrypt/live/


Interestingly, Let’s Encrypt created wrong Certs…I reissued them, now it works again. Thank you :slight_smile:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.