Renew using "certbot certonly" asks: update key type to ECDSA?

kj6245 · April 21, 2023, 8:10pm

I've been running "certbot certonly ..." manually, successfully, every 3 months to get a wildcard certificate for my domain.

My version of certbot changed from 1.x.x to 2.5.0 since the last time I used certbot.

Today, the first time running the new version of certbot, I received a prompt:
(K)eeping or (U)pgrading my certificate key type
After researching what this meant, it seemed like the normal thing to do was to upgrade my RSA cert to the newer ECDSA key type.

When I replied "u" to upgrade, it gave me the error below. So I ran it again and replied "k" and it worked as normal.

I guess I'm misunderstanding what (U)pgrade requires.
Thanks,
Keith

My domain is:

wuwusports.com

I ran this command:

$ sudo certbot certonly --manual -d wuwusports.com -d *.wuwusports.com --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

It produced this output:

[sudo] password for xxxxxx:
Use of --no-bootstrap is deprecated.
Use of --manual-public-ip-logging-ok is deprecated.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Use of --no-bootstrap is deprecated.
Use of --manual-public-ip-logging-ok is deprecated.

An RSA certificate named wuwusports.com already exists. Do you want to update
its key type to ECDSA?

(U)pdate key type/(K)eep existing key type: u
Renewing an existing certificate for wuwusports.com and *.wuwusports.com
An unexpected error occurred:
No such authorization
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

$

My web server is:

Server version: Apache/2.4.41 (Ubuntu)
Server built: 2023-03-08T17:32:54

The operating system my web server runs on is:

Ubuntu 20.04 LTS

My hosting provider is:

Linode

I can login to a root shell on my machine:

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is:

$ certbot --version
certbot 2.5.0

The /var/log/letsencrypt/letsencrypt.log contained these lines:

...
2023-04-21 11:05:30,841:DEBUG:acme.client:Received response:
HTTP 404
Server: nginx
Date: Fri, 21 Apr 2023 18:05:30 GMT
Content-Type: application/problem+json
Content-Length: 106
Connection: keep-alive
Boulder-Requester: 41762220
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: A5FEbZyvz9tLdMXxqOmCyp7bVEA6sQyFW9MgmqLcQULom4w

{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "No such authorization",
"status": 404
}
2023-04-21 11:05:30,841:DEBUG:certbot._internal.log:Exiting abnormally:
...

rg305 · April 21, 2023, 8:48pm

Moved to "Issuance Tech"; As this seems more like an issue with how RSA/ECDSA authorizations are being handled.

That said, if you do want to obtain an ECDSA cert, you could try forcing a renewal.
[which might overlook the existing RSA authorization]

mcpherrinm · April 21, 2023, 9:00pm

Can you retry and see if this persists? There's currently a somewhat-rare boulder bug where 404s are sometimes incorrectly returned (due to writing the authorization to the database primary, and then the next query hitting a read replica before database replication finishes)

kj6245 · April 21, 2023, 10:21pm

Ok, I resubmitted the command and replied "U" to the keep/update prompt, it looks like it worked:

$ sudo certbot certonly --manual -d wuwusports.com -d *.wuwusports.com --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
[sudo] password for keith:
Use of --no-bootstrap is deprecated.
Use of --manual-public-ip-logging-ok is deprecated.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Use of --no-bootstrap is deprecated.
Use of --manual-public-ip-logging-ok is deprecated.

An RSA certificate named wuwusports.com already exists. Do you want to update
its key type to ECDSA?

(U)pdate key type/(K)eep existing key type: u
Renewing an existing certificate for wuwusports.com and *.wuwusports.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/wuwusports.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/wuwusports.com/privkey.pem
This certificate expires on 2023-07-20.
These files will be updated when the certificate renews.

NEXT STEPS:

This certificate will not be renewed automatically. Autorenewal of --manual certificates ...
...
...

$

I bounced Apache to pick up the new certificate and it looks good. Displaying the certificate for my website using Firefox, it shows

Public Key Info --> Algorithm --> Elliptic Curve (where it used to say RSA)

So now I'm using the new key type and won't be prompted again.

Thanks,
Keith

system · May 21, 2023, 10:21pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to `renew` or `certonly` with wildcard domains Server	4	5701	April 27, 2018
Problem with renew wildcard certificate Help	2	2275	June 16, 2018
Existing RSA key/cert renewed as ECDSA on Certbot upgrade Client dev	11	4693	April 27, 2023
ECDSA Do I need to update the cert Help	6	436	May 26, 2024
Certbot auto renewal problem Help	2	1565	December 8, 2021