PEM_read_bio_PrivateKey() failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
Starting NGINX service or using test:

sudo nginx -t

It produced this output:

2024/01/18 01:59:30 [emerg] 65466#65466: cannot load certificate key "/etc/letsencrypt/live/": PEM_read_bio_PrivateKey() failed

My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 22.04LTS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

The actual certificate file is in /etc/letsencrypt/archive and the permissions are fine. The symlink to the actual fullchain.pem is also fine and I can read the file without problems and there are no obvious issues.

This system has been working for some time, it stopped when adding some additional sites to NGINX config.

The other sites which also use Letsencrypt certificates are working. It's only this one (which is a wildcard certificate, BTW, in case this matters) that is not able to be loaded by NGINX.

I have gone through everything. Does anyone know how to get more detailed debug info from NGINX or some OpenSSL command that would help get to the bottom of the issue?

Thanks in advance from down under!

1 Like

Hi @leogaggl, and welcome to the LE community forum :slight_smile:

What show?:

  • certbot certificates
  • ls -l /etc/letsencrypt/live/
  • ls -l /etc/letsencrypt/archive/

Cheers from Miami! :beer:


You should replace that old version of certbot with the latest version.
See how to here: Certbot Instructions | Certbot (


Thanks for the very quick response! Much appreciated.

The output is all clear. No errors. Relevant bit below:

  Certificate Name:
    Key Type: RSA
    Domains: *
    Expiry Date: 2024-04-16 01:59:40+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/
    Private Key Path: /etc/letsencrypt/live/
1 Like

The system is headless managed by Ansible

    - name: Install LetsEncrypt and Linode DNS plugin and Pritunl client
          - certbot
          - python3-certbot-nginx
          - python3-certbot-dns-linode
          - pritunl-client
          - python3-pip
        state: latest
        update_cache: true

The weird thing everything has been working fine for quite some time until adding some other redirect sites.

Can you check the private key:

openssl rsa -in /etc/letsencrypt/live/ -check

If that's ok then the most likely thing is the nginx configuration file is literally pointing to fullchain.pem for the actual private key instead of privkey.pem


DOH - I have gone over everything so many times, but literally did not see the fullchain.pem instead of privkey.pem for that config file. :man_facepalming:

The issue came from a mod on the Jinja template that creates the NGINX config files ....

The OpenSSL command is handy and exactly what I was looking for. Thank you!!!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.