MAMP won't recognize Private Key

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: sudo certbot certonly --webroot -w /Users/administrator/Documents/demowebsite/ -d -d ## Not this exact wording, this is from a tutorial

It produced this output: I got my certificates, problem is MAMP doesn’t recognize the private key

My web server is (include version): apache 2.4

The operating system my web server runs on is (include version): MacOS X 15.5

My hosting provider, if applicable, is: myself on Mac mini using MAMP to run Apache

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): MAMP 5 x latest version just got it

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): dont know

I was able to create certificates for my domains using this command, everything went fine, the first site in MAMP that I applied them to went fine, the site started to work immediately, perfectly, but when I applied certificates in the same way, within MAMP, to a 2nd and 3rd site (host) it showed a red arrow next to the Private key basically indicating “not OK”… in some way… I’m not sure what exactly that means… I’m reaching out here because LetsEncrypt is half the equation, though I trust it, MAMP is in question, I was hoping someone here has heard of this and knows what to do. Red arrows next to private keys in MAMP latest Mac OS on latest MAMP just did the install of home-brew and Certbot… all new…

By the way StevenZhu I think it is your posted tutorial on how to do Lets Encrypt with MAMP really helped me… I mean it wasn’t your tutorial but you posted the link for me appreciated.

It might help to take some screenshots of you trying to configure the certificate and private key in MAMP - showing which files you’ve selected, and what the error interface looks like.

That is a screenshot of the MAMP SSL tab where you pick your file with the dark little icon that looks like a car battery say, the one next to the red circled arrow, basically indicating that the file you picked has something wrong with it, it won’t save the setting and reverts to the previous state. The top file is accepted, that’s the full chain cert. Note that the top listed host everything went fine and you can visit that site just fine… but every domain I tried after that first one would not accept the private key. That’s all I know… I haven’t changed anything in apache or in MAMP… real default standard installation. Does this POSSIBLY have to do with permissions on the folders either at the time the certificates are issued or at runtime… because I had to ease the permissions on the folders that contain the issued certs so that I could get to them to select them in MAMP… this is covered in the tutorial I followed from the web.

OK great, that screenshot is perfect, and it reveals what mistake you’re making.

When you choose the private key and certificate file, you need to select them from the /etc/letsencrypt/live/ directory.

The /etc/letsencrypt/archive/ directory is the internal state of Certbot, and is not supposed to be used by end-users! It’s very easy to end up with a private key and certificate mismatch that way.

Perhaps it is easy to miss that detail if the tutorial did not mention it, and you did not look at the official Certbot instructions.

1 Like

I try to select from live, but it goes to archive… I note that in live are only alias’s, which point to the files in archive… the site that worked is pointing to archive, and its working… I was wondering about this… I didn’t make any changes to the files or folders, only selected them in dialogs, and I select from live… it then goes to archive… what gives?

Uhh, that sounds like a problem with how MAMP or macOS finder follows symlinks.

The reason that the live and archive directories exist is that when a certificate is renewed, the links inside the live directory are updated to point to different files inside the archive directory. The files inside the archive directory are suffixed with a number like privkey1.pem, and that number changes as renewals happen.

Short story is, it’s not safe to refrence the archive files directly. It might work, but it will break. Always use live.

I would try find a way to get MAMP to reference the live files directly, without “translating” them to the archive version. If necessary, do this by modifying the configuration files rather than using the MAMP UI.

I’ll try that, if I remember right it is an option to have links resolved or not…

OK I unchecked resolve alias’s and reselected from live and it worked… it stayed on the alias in live as you can see in the name or path… but it didn’t resolve the red arrow… unfortunately. Any more ideas? I appreciate the help.

In that screenshot, you’re still using archive for the certificate chain.

That doesn’t change the outcome, its a valid selection though a bad idea I get it… just an oversight in this case, wouldn’t change a thing to switch it however… wish I could find WHY it’s turning that one red…

You can check whether the certificate and private key match by trying to start an OpenSSL webserver with them. You can stop Apache, and then run something like:

sudo openssl s_server -cert /etc/letsencrypt/live/ \
-cert_chain /etc/letsencrypt/live/ \
-key /etc/letsencrypt/live/ \
-port 443 -www -status_verbose

If it errors, then something has messed with Certbot’s symlinks and you’ll have to fix them.

If it works (and you can access the resulting website on, then something is wrong with the MAMP UI.

But it seems like you got it to work in the end anyway?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.