Renewed certificates are not working

I have expiry of my certs tomorrow, I had renewed the certificates successfully

but giving below error:

I believe the pem files which are generating are not proper ,previously I used to get the privkey.pem files with length of 28 but now which got generated is of 5 lines sue to which jks and p12 files are getting generated using openssl.
is there any change from letscrypt to generate the pem files?
I use certbot/dns-google image and server
command I'm using is:
docker run -it --rm --name certbot
-v "/etc/letsencrypt:/etc/letsencrypt"
-v "$(pwd)":"/google"
-v "/var/lib/letsencrypt:/var/lib/letsencrypt"
certbot/dns-google certonly
--dns-google-credentials /google/(gcp service account private key json file)
-d *
I am reaching the rate limit to prod url so I am checking with staging.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain

I ran this command:

It produced this output:
This site can’t provide a secure connection uses an unsupported protocol.


My web server is (include version):nginx/1.11.8

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):yes

Where exactly did you see this error message? The screenshot you posted shows a successful certificate update. This error means a client and server tried to communicate, but don't support a common TLS version, for example an old program that only supports TLS 1.0 and a newer program that only supports TLS 1.2 and newer. Your webserver appears to only support TLS 1.2: SSL Server Test: (Powered by Qualys SSL Labs)

Your nginx version 1.11.8 is many years old, and has critical vulnerabilities. It is not safe to leave on the internet.

You stated your webserver is nginx, which supports PEM files, so I am not sure what the jks and p12 conversions are for.


There is no need to continue to trying to get a valid cert, when you've shown to have a cert that expires May 7th.

You need to focus on why the server continues to use the older cert and not this newer one.


so are the pem files which are generated are fine? because I never got a privkey.pem with 5 lines

Probably ECDSA now instead of RSA.


after updating the pem files in vm I received this error ERR_SSL_VERSION_OR_CIPHER_MISMATCH in browser for
I would need jks and p12 for spring boot application.
I wanted to know is the staging url used to check the successful generation of pem files or they can also be used for I tried placing the pem files which are generated via the staging url as well but no luck still same error I'm getting in browser.

They are only for testing.
They are NOT signed by a trusted CA.


its renewed successfully when I generated pem files using certbot/dns-google:v1.32.0 but not with certbot/dns-google

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.