Lost private key


I have accidentally deleted my /privkey.pem file.

How can I start over?

Hi @der_tom,

You can make an empty file to replace it (with touch or something), but if your web server was already configured to use it, the web server probably won’t be able to start up without a real key there. However, if this doesn’t prevent your web server from working in various ways (which depends on your configuration), you could then run certbot renew --force-renewal and get a new certificate with the same setup, which will then replace the old one with the missing private key.

If this isn’t an option, you should run certbot certificates to get the certificate name of the certificate with the missing private key, and certbot delete --cert-name yourcertname.example.org to delete it from your system. Also be sure that there are no references to it in your web server configuration. Then you can start the process from scratch.

Be aware of the rate limits:

But if you’ve only issued one certificate, you’d be in no danger of hitting the rate limits by re-issuing it once.

Actually, it occurs to me that there may be a better solution. Certbot makes backups of your private keys. In order to know how to use one to fix things, can you tell me the exact directory path of what you deleted?

Hi Seth,

You are right - it seems the folder “archive” contains all the files. One directory per domain with various timestamps. Thing is: until today I used one certbot command to renew all 4 domains - today I have learned that it should be better to go a single route - one certbot for each domain… What's my best route?

How can I start from scratch and give each certbot its own webroot path & yet have nginx pick only one private key? If that's possible…


Hi @der_tom,

If you want to recover your current configuration, you could recreate the symlink from live to archive — I can tell you how to do that if you’d like.

If you want to delete this, you can still use the certbot delete command that I mentioned.

There is no requirement to issue certificates with individual names separately. There are advantages and disadvantages to both styles. As you may have learned, each time you run Certbot it tries to get a new certificate, so if you do want four separate certificates, you would run it four times, while if you want a single certificate covering all of the domains, you would just run it once and specify all of the domains with -d. Again, both forms have advantages and disadvantages, which we can discuss in more detail if you’re interested.

Certbot doesn’t have convenient support for using a single private key for separate certificates (there are ways to do this with Certbot but they won’t work with automated renewal, because they require explicitly creating a Certificate Signing Request (CSR) file, and the resulting certificate won’t be stored in /etc/letsencrypt and renewed automatically the way that Certbot normally does). I’m not sure what the technical advantage in using the same private key for four different certificates would be; can you describe why you would want to do that?

Just double-checked the folder archive - but the file I want is not there -

So the next thing I did was use certbot delete and go through all domains.

Now, doing a dry run works fine on the first domain - without redirecting the server to https. In order to do so I need to specify ssl_certificate & ssl_certificate_key.

How do I go about it now?


There would have been another backup of the private key that you could have used, but that’s OK!

The ssl_certificate should be /etc/letsencrypt/example.com/live/fullchain.pem, and the ssl_certificate_key should be /etc/letsencrypt/example.com/live/privkey.pem, after you’ve obtained the new certificate without --dry-run.
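An added example, not from this thread or from Certbot itself, showing the two things discussed above: rebuilding the live/ symlinks of a lineage from the newest copies in archive/, and checking that the privkey.pem nginx is about to load really belongs to the fullchain.pem beside it. It assumes Certbot's standard layout (live/NAME/X.pem -> ../../archive/NAME/XN.pem); the config directory is a parameter, normally /etc/letsencrypt.

```shell
#!/bin/sh
# Recover and verify a Certbot lineage (added example, assumes standard layout).
set -eu

# Highest version number N for which archive/NAME/privkeyN.pem exists.
latest_version() {  # $1 = config dir, $2 = lineage name
    ls "$1/archive/$2" 2>/dev/null \
        | sed -n 's/^privkey\([0-9][0-9]*\)\.pem$/\1/p' | sort -n | tail -n 1
}

# Recreate live/NAME/{cert,chain,fullchain,privkey}.pem as the relative
# symlinks Certbot itself uses, pointing at the newest archive files.
relink_lineage() {  # $1 = config dir, $2 = lineage name
    n=$(latest_version "$1" "$2")
    [ -n "$n" ] || { echo "no privkeyN.pem in $1/archive/$2" >&2; return 1; }
    mkdir -p "$1/live/$2"
    for f in cert chain fullchain privkey; do
        [ -f "$1/archive/$2/$f$n.pem" ] \
            || { echo "missing archive/$2/$f$n.pem" >&2; return 1; }
        ln -sf "../../archive/$2/$f$n.pem" "$1/live/$2/$f.pem"
    done
}

# What live/NAME/FILE.pem points at; empty if missing or dangling, which is
# exactly the state the thread starter was in after deleting the key.
live_target() {  # $1 = config dir, $2 = lineage name, $3 = cert|chain|fullchain|privkey
    p="$1/live/$2/$3.pem"
    [ -e "$p" ] && readlink "$p" || echo ""
}

# Before setting ssl_certificate_key, confirm the key and certificate share a
# public key (needs openssl; reports and passes if it is not installed).
key_matches_cert() {  # $1 = config dir, $2 = lineage name
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 0; }
    k=$(openssl pkey -in "$1/live/$2/privkey.pem" -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$1/live/$2/fullchain.pem" -pubkey -noout 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Run relink_lineage, then key_matches_cert, before restarting nginx; a dangling privkey.pem link or a mismatched key is what makes the server refuse to start.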
