Renewal of Wildcard Certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: paulfarrant.com

I ran this command:

certbot certonly --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d "*.paulfarrant.com" -d paulfarrant.com

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0

Certificates are renewed OK, but when I try to deploy them I get an error saying the certificate does not match the key.
I have previously used the same command successfully, but this time it's not working.

What gives that error? Is it possible you are copying just the cert.pem (or fullchain.pem) and not the matching privkey.pem?

It looks like you are using Varnish as your CDN and you have two public IPs associated with your domain name. Is this connection the one you are having trouble with?

Also:

You have gotten wildcards before, but you are using a non-wildcard right now. It is the one created on Apr 10, expiring Jul 9. Both IPs respond with the same cert:
https://www.ssllabs.com/ssltest/analyze.html?d=paulfarrant.com&hideResults=on

Here's your recent cert history

5 Likes

A cert was issued today:

Please show the error and whatever led up to it.

4 Likes

Have you recently upgraded from a much older version of Certbot? I think the bug that renewed existing RSA keys as ECDSA keys was fixed by 2.6.0, but it might not hurt to check.

4 Likes

Thanks everybody for the replies.

I am trying to upload the certificate (fullchain.pem) and key (privkey.pem) to my Untangle server and I get the message "The Server Certificate does not match the Certificate Key"

1 Like

What is the size of the privkey.pem file?
What are the dates of both files [timestamp]?

2 Likes

The privkey file is showing as 241 bytes.
The timestamps of the files are 30/05/2023 21:10.

241 bytes implies an ECDSA key.

It seems Untangle is not prepared to handle such a key.

5 Likes
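The two diagnostic questions raised in this thread (does the uploaded privkey.pem actually belong to the cert in fullchain.pem, and is the key ECDSA rather than RSA) can both be answered locally with the openssl CLI before anything is pasted into an appliance. The script below is an added example and is not part of the thread or of Certbot; it assumes `openssl` is installed and that the certificate and key file paths are passed as the two parameters (`check_pair` is a name chosen here, not a Certbot command).

```bash
#!/bin/sh
# Added example (not from the thread): verify that a certificate and a
# private key belong together and report the key's algorithm, which is the
# information an appliance's "certificate does not match the key" error hides.
# Assumes the openssl CLI is on PATH. File paths are supplied by the caller.

# Report the algorithm of a private key file: RSA, EC or UNKNOWN.
# Certbot writes both RSA and ECDSA keys as PKCS#8 "BEGIN PRIVATE KEY" PEM,
# so the header alone does not tell them apart; ask openssl instead.
key_type() {
  if openssl rsa -in "$1" -noout >/dev/null 2>&1; then
    echo RSA
  elif openssl ec -in "$1" -noout >/dev/null 2>&1; then
    echo EC
  else
    echo UNKNOWN
  fi
}

# Report the algorithm recorded in the leaf certificate (first cert in the
# file, which is the server cert in a Let's Encrypt fullchain.pem).
cert_key_algorithm() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/^ *Public Key Algorithm: *//p' | head -n1
}

# Succeed only when the public key in the certificate equals the public key
# derived from the private key. Both are normalised to DER and hashed so the
# comparison works for RSA and EC alike. Unreadable inputs fail closed rather
# than comparing two empty strings.
keys_match() {
  [ -r "$1" ] && [ -r "$2" ] || return 1
  openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
  openssl pkey -in "$2" -noout >/dev/null 2>&1 || return 1
  cert_fp=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
            | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  key_fp=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  if [ -n "$cert_fp" ] && [ "$cert_fp" = "$key_fp" ]; then
    return 0
  else
    return 1
  fi
}

# Human-readable summary for one cert/key pair; exit status 0 only on a match.
check_pair() {
  cert=$1
  key=$2
  printf 'key file size:      %s bytes\n' "$(wc -c < "$key")"
  printf 'key algorithm:      %s\n' "$(key_type "$key")"
  printf 'cert key algorithm: %s\n' "$(cert_key_algorithm "$cert")"
  if keys_match "$cert" "$key"; then
    echo "MATCH: the certificate was issued for this private key"
    return 0
  fi
  echo "MISMATCH: certificate and private key do not belong together"
  return 1
}

# Usage: check_pair /etc/letsencrypt/live/<domain>/fullchain.pem \
#                   /etc/letsencrypt/live/<domain>/privkey.pem
if [ $# -eq 2 ]; then
  check_pair "$1" "$2"
fi
```

A 241-byte privkey.pem together with `key algorithm: EC` is the situation described above: the files match each other, but the device cannot import an ECDSA key, so the fix is on the client side (regenerating with an RSA key) rather than in the files. A `MISMATCH` result instead points at the first reply's suspicion that the cert and key were copied from different certificate lineages.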

Thanks for the pointers. I regenerated the certificate with key type rsa and it's working. Looks like you were correct that my devices can't handle the ECDSA key type. I'll follow that up with the respective vendors.

4 Likes
