Renewing certificates manually macOS and HostEurope

I have a problem with renewing. After running the command below and copying the DNS values to the server, I tried to upload fullchain.txt and privkey.txt but get the error message that key not belongs to certificate.
Thanks a lot for help.

My domain is: www.reise-partner.com

I ran this command for renewing (certificate expires 6. June) : sudo certbot -d "reise-partner.com,*.reise-partner.com" --manual-public-ip-logging-ok --manual --preferred-challenges dns certonly

It produced this output: 2 DNS values, which I copied to the HostEurope DNS name services and which show up in a DNS lookup

The operating system my web server runs on is (include version): I did run certbot commands on local macOS

My hosting provider, if applicable, is: Host Europe

I can login to a root shell on my machine (yes or no, or I don't know): NOT KNOW , can work with SSH

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Try using:

--key-type rsa

It sounds like your hosting control panel doesn't support ECDSA certificates, which Certbot generates by default now.

4 Likes

Sorry not a real expert, you mean after logging in with SSH at Host Europe - I then get "command not found"

Is this "ECDSA" certificate only recent? As I was successful with certificates on another site just a few days ago.

Is it possible I should not have deleted the old DNS values with "_acme-challenge"?

Any help appreciated

Sure, my bad. What I mean is, add that bit of text to the certbot command that you ran originally (the one in your original post) and run it again.

It will give you a new certificate, RSA instead of ECDSA, which should work with your web host.

Not so recent, no - since December last year. But if you only upgraded Certbot recently, it's possible.

3 Likes

Thanks for your valued help. When I do the manual create command with the extra "--key.." I get the following message, and I do not want to run into rate limit problems as I have no idea about them. I run Certbot 1.18.0 and I did a creation for another domain on 25. May without problems. This is actually the first time I do a renewal, which is now due for "reise-partner" ...
Thank you

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/reise-partner.com.conf)

What would you like to do?


1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)

1 Like

Ah. If you are using Certbot 1.18.0, then I'm afraid that my advice would be incorrect and would not help you.

I don't know why you would get the "key not belongs to certificate" error from your host, unless you truly uploaded the wrong files.

3 Likes

Thank you very much for your help - I luckily was able to help myself and want to share with other people who may run into the same issue.

Locally the following files will be produced when creating the new certificate:
/etc/letsencrypt/live/reise-partner.com/fullchain.pem and privkey.pem
I do copy both to another place locally with ending ".txt" and chmod +r afterwards
These files did not work

But also when doing the process files will be placed into
/etc/letsencrypt/archive/reise-partner.com
with names like fullchain1.pem , fullchain2.pem .... as well as for privkey files

If I do use the latest from this archive folder and copy / chmod as above Host Europe accepts ...

1 Like

I would not recommend setting chmod +r for everything in the Let's Encrypt archive, as that probably would also give world read access to the private keys. Which is bad.

5 Likes

Misunderstanding - I do copy the files from archive to another local folder, renaming from ".pem" to ".txt". Afterwards I run "chmod +r" on the ".txt" files. These files I can upload to Host Europe. HE does not accept ".pem" endings and only after "chmod +r" ... hope this clarifies

2 Likes

Do you delete those txt files once uploaded?

  • copy
  • modify
  • upload
  • delete
4 Likes

I keep them only on my local machine as I run certbot locally, once I renew I delete old, but of course I could delete as well as I still have the ".pem" files

1 Like

I would delete them after the upload [works].

3 Likes
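
A pre-upload check for the workflow discussed in this thread, as an added example that is not from any of the posters or from Certbot: it compares the public key in fullchain.pem with the one derived from privkey.pem, stages owner-only ".txt" copies with symlinks dereferenced, and removes them after the upload. The function names and the staging directory are assumptions; it needs openssl and read access to the live directory.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the staging
# directory are assumptions; the live/ layout is the one described above.

# Public key (PEM) embedded in the first certificate of a PEM file.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key (PEM) derived from a private key; works for RSA and ECDSA keys.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# key_matches_cert CERT KEY -> 0 match, 1 mismatch, 2 unreadable input.
# The body is a subshell so the variables stay local in plain sh.
key_matches_cert() (
    c=$(cert_pubkey "$1") || exit 2
    k=$(key_pubkey "$2") || exit 2
    [ -n "$c" ] && [ "$c" = "$k" ]
)

# stage_for_upload LIVE_DIR OUT_DIR
# Copies the pair to OUT_DIR as .txt files, following symlinks (cp -L) and
# creating them owner-only (umask 077) instead of making them world-readable.
stage_for_upload() (
    live=$1
    out=$2
    key_matches_cert "$live/fullchain.pem" "$live/privkey.pem" || {
        echo "refusing to stage: privkey.pem does not match fullchain.pem" >&2
        exit 1
    }
    umask 077
    mkdir -p "$out" || exit 1
    rm -f "$out/fullchain.txt" "$out/privkey.txt"
    cp -L "$live/fullchain.pem" "$out/fullchain.txt" || exit 1
    cp -L "$live/privkey.pem" "$out/privkey.txt" || exit 1
    # Re-check the copies, since these are the files that get uploaded.
    key_matches_cert "$out/fullchain.txt" "$out/privkey.txt"
)

# unstage OUT_DIR: remove the staged copies once the upload has worked.
unstage() { rm -f "$1/fullchain.txt" "$1/privkey.txt"; }

# Command-line use: script.sh LIVE_DIR OUT_DIR
if [ "$#" -eq 2 ]; then
    stage_for_upload "$1" "$2"
fi
```

If the staged files need to be readable by your own user, run the script as that user with read access to the live directory rather than opening the copies up with "chmod +r".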
