Private key and certificate doesn't match

Hello all.

My domain is : myds110j.ddns.net

I ran this command certbot --nginx

It produced this output :

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/myds110j.ddns.net/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/myds110j.ddns.net/privkey.pem
This certificate expires on 2024-04-02.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for myds110j.ddns.net to /etc/nginx/nginx.conf
Your existing certificate has been successfully renewed, and the new certificate has been installed.

My web server is (include version): nginx

The operating system my web server runs on is (include version): debian 12

My hosting provider, if applicable, is: no-ip

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

In fact, I have been using the Let's Encrypt service for some time now with success to activate HTTPS on my old Synology NAS server. In the past, I installed a certificate for the first time and then renewed it once.

To do this I installed an nginx server with certbot on my old PC and then I recovered cert.pem, privkey.pem and chain.pem to put them in my Synology NAS server. It had worked very well.

Today I have to renew my certificate again, but since then I have changed the PC which allowed me to create my previous certificates.
On this new PC I installed nginx and certbot to create a new certificate and everything worked very well, but when installing this new certificate in my Synology NAS I got the following error message:
Private key and certificate do not match

Thank you in advance for your help on this matter.

Sincerely,
Stephan

Hi @Staifan, and welcome to the LE community forum :slight_smile:

Please show the timestamp and the size of the files you installed into Synology.
[not their contents]

Show:
ls -l /etc/letsencrypt/live/myds110j.ddns.net/

2 Likes

Hello RG305 and thank you for your help.
I'm not sure I can do this properly.
In fact, to install my certificate on my Synology I go through its management console:
control panel, advanced mode, security then certificate. Finally I click on “import certificate”.
In the window that opens I then select the files privkey.pem, cert.pem and chain.pem which I copied from my Debian PC in /etc/letsencrypt/archive/myds110j.ddns.net, then I click on "OK" and the error message appears.

I can put the contents of my /etc/letsencrypt/archive/myds110j.ddns.net here:

root@debian:/etc/letsencrypt/archive/myds110j.ddns.net# ls -l
total 40
-rw-r--r-- 1 root root 1497  3 janv. 09:33 cert1.pem
-rw-r--r-- 1 root root 1497  3 janv. 09:35 cert2.pem
-rw-r--r-- 1 root root 3749  3 janv. 09:33 chain1.pem
-rw-r--r-- 1 root root 3749  3 janv. 09:35 chain2.pem
-rw-r--r-- 1 root root 5246  3 janv. 09:09 fullchain1.pem
-rw-r--r-- 1 root root 5246  3 janv. 09:35 fullchain2.pem
-rw------- 1 root root  241  3 janv. 09:33 privkey1.pem
-rw------- 1 root root  241  3 janv. 09:35 privkey2.pem

Stéphan

As you can see, I did another test just after, but the result is the same with version "2".

1 Like

Any particular reason you don't get certificates with your Synology device directly? Or the device is that old?
Edit:

ds110j

It is that old…

OK, I think I see what went wrong.
When you installed certbot in the new PC, it came with a newer version which now defaults to ECDSA type certs. Your previous certs were RSA type.
Apparently, your Synology is not equipped to handle this newer type of cert.
You can get a replacement cert of type RSA by adding:
--key-type rsa --rsa-key-size 2048

Like:
certbot renew -d myds110j.ddns.net --key-type rsa --rsa-key-size 2048

2 Likes
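The mismatch diagnosed above can be checked locally before importing anything into the NAS. The following script is an added example, not code from this thread or from Certbot; it assumes the openssl command-line tool is installed and generates its own constructed key pairs for the demonstration. It reports whether a certificate and a private key are RSA or ECDSA, and whether the public key inside the certificate is the one derived from the private key, which is the check a "private key and certificate do not match" import error fails.

```shell
#!/bin/sh
# Added example (not from the thread): report the key algorithm of a
# certificate and a private key, and check that the two belong together by
# comparing the public key embedded in each. Assumes the openssl CLI.

# cert_algo CERT.pem -> "RSA", "EC" or "unknown", read from the certificate
cert_algo() {
  case "$(openssl x509 -in "$1" -noout -text | grep 'Public Key Algorithm')" in
    *rsaEncryption*) echo RSA ;;
    *id-ecPublicKey*) echo EC ;;
    *) echo unknown ;;
  esac
}

# key_algo KEY.pem -> "RSA", "EC" or "unknown", read from the private key
key_algo() {
  _txt=$(openssl pkey -in "$1" -noout -text)
  if printf '%s' "$_txt" | grep -qi '^modulus:'; then echo RSA
  elif printf '%s' "$_txt" | grep -q '^ASN1 OID:'; then echo EC
  else echo unknown; fi
}

# keys_match CERT.pem KEY.pem -> exit 0 when the public key in the certificate
# equals the public key derived from the private key (what an import validates)
keys_match() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Constructed test material: a P-256 (ECDSA) key with a self-signed certificate,
# the type a current certbot issues by default, and an RSA-2048 pair.
WORK=$(mktemp -d)
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ec.key"
openssl req -new -x509 -key "$WORK/ec.key" -out "$WORK/ec.crt" -days 1 -subj /CN=example.test
openssl genrsa -out "$WORK/rsa.key" 2048 2>/dev/null
openssl req -new -x509 -key "$WORK/rsa.key" -out "$WORK/rsa.crt" -days 1 -subj /CN=example.test

# report CERT KEY -> one-line summary such as "cert=EC key=RSA match=no"
report() {
  if keys_match "$1" "$2"; then _m=yes; else _m=no; fi
  echo "cert=$(cert_algo "$1") key=$(key_algo "$2") match=$_m"
}
report "$WORK/ec.crt" "$WORK/ec.key"     # cert=EC key=EC match=yes
report "$WORK/ec.crt" "$WORK/rsa.key"    # cert=EC key=RSA match=no
```

For reference, the 241-byte privkey files in the listing earlier in the thread are the size of a PKCS#8 P-256 private key; an RSA-2048 key in the same format is around 1.7 KB.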

Probably that.


The datasheet is from 2009.
The ds119j has a datasheet of 2019.
hmm... maybe they put out a model each year???
Nevertheless, the latest DSM is version 7 something, that one has version 2.

3 Likes

Oh right, carry on then.

3 Likes

Hello rg305,

I had to leave for work since our last message.
Here is the output of the command you advised me to run:

root@debian:/# certbot renew -d myds110j.ddns.net --key-type rsa --rsa-key-size 2048
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Here is the logfile:

2024-01-04 08:16:40,531:DEBUG:certbot._internal.main:certbot version: 2.1.0
2024-01-04 08:16:40,532:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2024-01-04 08:16:40,532:DEBUG:certbot._internal.main:Arguments: ['-v', '-d', 'myds110j.ddns.net', '--key-type', 'rsa', '--rsa-key-size', '2048']
2024-01-04 08:16:40,532:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-01-04 08:16:40,538:DEBUG:certbot._internal.log:Root logging level set at 20
2024-01-04 08:16:40,538:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==2.1.0', 'console_scripts', 'certbot')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1736, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1629, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 468, in handle_renewal_request
    raise errors.Error("Currently, the renew verb is capable of either "
certbot.errors.Error: Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.
2024-01-04 08:16:40,539:ERROR:certbot._internal.log:Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.

So I tried with certonly:

root@debian:/# certbot certonly -v -d  myds110j.ddns.net --key-type rsa --rsa-key-size 2048
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): c
authenticator could not be determined or is not installed
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I preferred to cancel

I also tried that

root@debian:/# certbot --nginx --key-type rsa --rsa-key-size 2048
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.")

Yesterday, before turning off my PC, it worked with the nginx plugin.

Thank you.

Stéphan

1 Like

Hello Nekit,
You are right. I also have another, more recent Synology which takes care of its certificates on its own, and it's much more practical :wink:

@Staifan I am not clear from your latest post whether you still have a problem. But, if you do there was a typo in @rg305 command above. You may retry with this

certbot renew --cert-name myds110j.ddns.net --key-type rsa --rsa-key-size 2048
2 Likes

@MikeMcQ thank you for your help.
The renew command didn't work:

root@debian:/etc/letsencrypt/archive# certbot renew --cert-name myds110j.ddns.net --key-type rsa --rsa-key-size 2048
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/myds110j.ddns.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/myds110j.ddns.net/fullchain.pem expires on 2024-04-02 (skipped)
No renewals were attempted.

so I tried with the --force option:

certbot --force-renewal --cert-name myds110j.ddns.net --key-type rsa --rsa-key-size 2048
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

So finally I used certonly and it works well:

certbot certonly --cert-name myds110j.ddns.net --key-type rsa --rsa-key-size 2048
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for myds110j.ddns.net

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/myds110j.ddns.net/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/myds110j.ddns.net/privkey.pem
This certificate expires on 2024-04-04.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

I was able to create my certificate with the recommendations of @rg305 regarding the key format and finally imported them onto my DS110J successfully.
This solved my problem from the beginning.

Just a clarification please:
the output of the last command says:

Certbot has set up a scheduled task to automatically renew this certificate in the background

How will I know this was done? Would I receive a notification email?

THANKS
Staifan

2 Likes

Should HTTPS to your domain be working? Because I see it using an expired DigiCert cert for mabbox.bytel.fr and a connect failure

curl -i https://myds110j.ddns.net
curl: (35) error:0A00018A:SSL routines::dh key too small

You can check your cert in 61 days and make sure it updated. Or, review the Certbot logs. Or even your system logs. Let's Encrypt does not send emails every time it issues a cert.

You can test the renew command at any time with certbot renew --dry-run
That doesn't prove the systemd timer works just that the renew command will

2 Likes

This is because the default port leads to the internet modem administration web server.

my DS110J is on port 55551

stephan@debian:~$ curl -i https://myds110j.ddns.net:55551
HTTP/1.1 301 Moved Permanently
Date: Sat, 06 Jan 2024 07:24:05 GMT
Server: Apache
Cache-control: no-store
Location: https://myds110j.ddns.net:55551/webman/index.cgi
Content-Length: 0
Content-Type: text/plain

Concerning the certbot renew --dry-run command, it returned an error.
I will try to resolve the problem by myself otherwise I will open another topic on this subject.

Thank you again for your help.

Staifan

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.