Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0
Certificates are renewed OK but when I try and deploy them I get an error saying the certificate does not match the key
I have previously used the same command successfully but this time it's not working.
What gives that error? Is it possible you are copying just the cert.pem (or fullchain.pem) and not the matching privkey.pem?
It looks like you are using Varnish as your CDN and you have two public IP's associated with your domain name. Is this connection the one you are having trouble with?
Have you recently upgraded from a much older version of Cerbot? I think the bug that renewed existing RSA keys as ECDSA keys was fixed by 2.6.0, but it might not hurt to check.
I am trying to upload the certificate (fullchain.pem) and key (privkey.pem) to my Untangle server and I get the message "The Server Certificate does not match the Certificate Key"
Thanks for the pointers. I regenerated the certificate with key type rsa and it's working. Looks like you were correct that my devices can't handle the ECDSA key type. I'll follow that up with the respective vendors.