Odd Invalid Private Key

My domain is: evilcorp.xyz

I ran this command:

certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/cf-api-token.cfg -d evilcorp.xyz

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for evilcorp.xyz
Waiting 10 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/evilcorp.xyz-0001/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/evilcorp.xyz-0001/privkey.pem
This certificate expires on 2024-12-12.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version): Na, only obtaining the cert

The operating system my web server runs on is (include version): DietPi/Debian 12

My hosting provider, if applicable, is: na

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.11.0

The issue I'm having:

Certbot seems to be running without any errors and I don't see anything unusual in the debug log. However, looking closer at the generated files, the private key is only 5 lines and doesn't look valid, while the other cert files (cert1.pem, chain1.pem, fullchain1.pem) are fine:

root@DietPi:/etc/letsencrypt/archive/evilcorp.xyz-0001# wc -l privkey1.pem
5 privkey1.pem

Comparing that with the private key from an older cert:

root@DietPi:/etc/letsencrypt/archive/pi.evilcorp.xyz# wc -l privkey1.pem
52 privkey1.pem

My understanding is that the private key is generated locally and therefore I'm guessing something is broken somewhere with my install. Does anyone have any suggestions on where I should start looking at troubleshooting this issue and fixing it?

Thanks for your time.

1 Like

wc is not a valid way to test a private key. Just cat the private key file and look at it; you'll probably find your old key was RSA and the new key is EC (shorter).

[ I can confirm there are 5 lines and 11 words in my own valid EC private key! ]

4 Likes
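As an added example (not code from this thread or from Certbot), here is a stdlib-only Python check that does what the reply above suggests properly: it reads the PEM label and, for PKCS#8 "BEGIN PRIVATE KEY" files, the AlgorithmIdentifier OID to report whether a key is RSA or EC (and which curve), instead of counting lines. The sample PEM at the bottom is constructed for the parser and is not a real key.

```python
import base64
import re
# OIDs that appear in a PKCS#8 AlgorithmIdentifier (RFC 5208, RFC 5480).
OID_NAMES = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10045.2.1": "EC",
             "1.2.840.10045.3.1.7": "prime256v1", "1.3.132.0.34": "secp384r1"}

def _tlv(der, pos):
    # Decode one DER tag-length-value at pos -> (tag, value, position after it).
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def _oid(value):
    # OBJECT IDENTIFIER body (base-128 arcs) -> dotted string.
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def key_type(pem):
    # (algorithm, curve or None) for a PEM private key; ("INVALID", None) if unparseable.
    m = re.search(r"-----BEGIN (.*?)-----\s*(.*?)\s*-----END \1-----", pem, re.S)
    if not m:
        return ("INVALID", None)
    label, body = m.group(1), m.group(2)
    if label != "PRIVATE KEY":             # legacy PKCS#1 / SEC1 labels name the algorithm
        return ({"RSA PRIVATE KEY": "RSA", "EC PRIVATE KEY": "EC"}.get(label, "INVALID"), None)
    try:                                   # PKCS#8 PrivateKeyInfo
        der = base64.b64decode("".join(body.split()), validate=True)
        tag, info, _ = _tlv(der, 0)        # outer SEQUENCE
        _, _, pos = _tlv(info, 0)          # version INTEGER
        _, algid, _ = _tlv(info, pos)      # AlgorithmIdentifier SEQUENCE
        atag, alg, pos = _tlv(algid, 0)    # algorithm OID
        if tag != 0x30 or atag != 0x06:
            return ("INVALID", None)
        name, curve = OID_NAMES.get(_oid(alg), "UNKNOWN"), None
        if name == "EC" and pos < len(algid):   # namedCurve parameter OID
            ptag, params, _ = _tlv(algid, pos)
            curve = OID_NAMES.get(_oid(params), "UNKNOWN") if ptag == 0x06 else None
        return (name, curve)
    except (IndexError, ValueError):
        return ("INVALID", None)
# Constructed sample (not a real key): the EC/prime256v1 AlgorithmIdentifier inside a
# PKCS#8 wrapper, with a dummy 3-byte OCTET STRING where the key material would be.
SAMPLE_EC_DER = bytes.fromhex("301d020100 3013 06072a8648ce3d0201 06082a8648ce3d030107 0403010203")
SAMPLE_EC_PEM = "-----BEGIN PRIVATE KEY-----\n%s-----END PRIVATE KEY-----\n" % base64.encodebytes(SAMPLE_EC_DER).decode()
```

Run it against /etc/letsencrypt/live/<domain>/privkey.pem with `key_type(open(path).read())`; a 5-line file that reports ("EC", "prime256v1") is a normal Certbot 2.x key, not a broken one.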

Your post suggests that you are seeing a problem (other than the results of wc?) but you haven't described anything about that actual problem. Did your website stop working, or is everything working normally?

5 Likes

Thanks webprofusion. You're correct. Looking at it more, the old key was indeed RSA while the new one is EC. I'm used to looking at RSA keys and have never seen an EC key before, and that's why it looked odd to me.

I was originally having a problem with using the EC key within Adguard Home. It was complaining the key was invalid. Trying it again tonight, it's now saying it's fine, so likely I just made a mistake somewhere at the time.

Thanks again for your help.

5 Likes
