Private Key error

Tijger-T · April 12, 2023, 1:14pm

My domains are: sabots-libres.eu, sabotslibres.eu, sabotslibres.fr

I ran this command:

sudo certbot certonly -–manual -–force-renewal -d *.sabots-libres.eu,sabots-libres.eu,*.sabotslibres.eu,sabotslibres.eu,*.sabotslibres.fr,sabotslibres.fr

It produced this output: standard creation of _acme-challenge entries for the three domains and three files for the _well-known/acme-challenge directory on the web server

My web server is (include version): (not applicable)

The operating system my web server runs on is (include version): not applicable

I am running a standalone openSUSE Tumbleweed server to generate keys since I do not have shell access to the provider's web server.

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes, on my certificate machine.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes, Direct Admin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.5.0

Previous generation of certificates have passed without incident. At the beginning of this year, I reinstalled the keyserver onto a Tumbleweed server after using Ubuntu for some while.
The generation of keys worked perfectly (two sites, four domains) in January.
Now I have attempted to regenerate for the second time for three of the four domains (which run on one single website).
Certbot generated the normal three-part fullchain.pem key but on opening the privkey.pem file, it was only 241 bytes whereas previously, it was 1704.
Similar to the problem mentioned in Issue SSL certificate successfully but found the content of privkey.pem is too short , the private key is a mere three lines long.
A second attempt to regenerate the keys resulted in exactly the same problem.
Any suggestions?

Osiris · April 12, 2023, 1:37pm

Since version 2.0.0 Certbot uses ECDSA keypairs by default. This should not affect existing certificates except for a bug where Certbot didn't register the RSA details in the renewal configuration file (Certbot before version 1.25.0).

So depending on your situation you might be able to continu using the ECDSA key(s) or revert back to RSA using the --key-type option for Certbot.

Also note that --force-renewal doesn't make much sense if you don't actually change anything from the existing certificate: you just get more and more of the same. Please don't use it unless absolutely necessary and you know what you're actually doing. Also note that it seems to be necessary to change the key type for an existing certificate which is not due for renewal yet. See User Guide — Certbot 2.5.0 documentation for more info.

Tijger-T · April 12, 2023, 1:54pm

Many thanks for the rapid reaction. It was indeed the RSA key. Strange because I believe the certificate issue I made in January was also post v2.0 and passed without problem.
--force-renewal was implemented simply because that was the documentation I had read - even now, it says in the certbot manual that it should be used for renewals ahead of the renewal date...

Osiris · April 12, 2023, 1:58pm

That's correct, but without --key-type, renewing ahead of the renewal date didn't do anything good as far as I can tell

Tijger-T · April 12, 2023, 2:11pm

Noted - thanks again. (Just done the second site without any hitch )

system · May 12, 2023, 2:11pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problems with my new perl ACME2 client Client dev	9	1464	April 20, 2020
Urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge Help	10	6813	February 19, 2017
Certificate Failed Help	3	452	February 28, 2024
Invalid response from acme-challenge Help	12	626	July 13, 2023
Certbot 1.26.0 Release Client dev	1	619	May 5, 2022

Private Key error

Related topics