After the upgrade of certbot from 1.25 to 2.1 some automatic renewals fail with
Failed to renew certificate xyz.example.com with error: Unable to change
the --key-type of this certificate because --reuse-key is set. To stop reusing
the private key, specify --no-reuse-key. To change the private key this one
time and then reuse it in future, add --new-key.
I didn't ask to change the key type, so I wonder WTH? The release notes for 2.0 promised:
The default key type for new certificates is now ECDSA. It was previously
RSA 2048-bit. Existing certificates are not affected.
There was a bug in Certbot where certificates issued with Certbot before 1.25.0 were attempted to be renewed with Certbot 2.x.x pre-2.5.0 and where the key type wasn't preserved. See certbot/CHANGELOG.md at master · certbot/certbot · GitHub for more about that bug.
Could you please update your Certbot to 2.5.0, the current latest version, and try again?
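Added example (not from the thread or the Certbot project): a small triage script that reads a Certbot renewal config and predicts, for a given Certbot version, whether the renewal described in this thread will fail, silently switch the key type, or be fine. It assumes that a renewal config with no `key_type` line was written by a pre-1.25 Certbot with the old RSA default and that Certbot 2.0.0 through 2.4.0 fill that gap with the new ECDSA default; the sample config is constructed.

```python
import configparser

# Constructed sample in the /etc/letsencrypt/renewal/*.conf layout (not copied
# from a real system): written by Certbot 1.21, so it carries no key_type line,
# and the user had enabled --reuse-key.
OLD_CONF = """\
# renew_before_expiry = 30 days
version = 1.21.0
archive_dir = /etc/letsencrypt/archive/xyz.example.com
cert = /etc/letsencrypt/live/xyz.example.com/cert.pem
privkey = /etc/letsencrypt/live/xyz.example.com/privkey.pem

[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
reuse_key = True
"""


def parse_version(text):
    """'2.5.0' -> (2, 5, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_renewal_conf(text):
    """The file has top-level keys before [renewalparams]; give them a section."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string("[top]\n" + text)
    return conf


def predict_renewal(conf_text, certbot_version):
    """Return 'ok', 'fails' (the --reuse-key error quoted in the thread) or
    'switches-to-ecdsa' (key type silently not preserved).
    Assumption: a conf without key_type was issued with the old RSA default,
    and Certbot 2.0.0 through 2.4.0 fill that gap with the new ECDSA default."""
    conf = parse_renewal_conf(conf_text)
    params = conf["renewalparams"]
    if "key_type" in params:
        return "ok"                      # type is recorded, so it is preserved
    affected = (2, 0, 0) <= parse_version(certbot_version) < (2, 5, 0)
    if not affected:
        return "ok"                      # 1.x keeps RSA; 2.5.0+ carries the fix
    if params.getboolean("reuse_key", fallback=False):
        return "fails"                   # cannot change --key-type with --reuse-key
    return "switches-to-ecdsa"
```

Run it over every file in /etc/letsencrypt/renewal/ before upgrading to see which certificates need `key_type = rsa` added (or an upgrade to 2.5.0) first.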
You may create a Python virtual environment and use pip to install a new certbot inside the virtual environment (I use Ubuntu but still use venv to install certbot).
The Certbot team advises using snap to install Certbot for most systems, including Debian. Please see the appropriate instructions on https://certbot.eff.org/
@Osiris is right, this is fixed in a later release.
We asked the Debian package maintainer to backport the fix to the version of Certbot available in Debian Bookworm.
The patch is currently only available in Debian sid, but I am hoping that it will make its way to Bookworm soon. I have bumped the thread asking for a status update.
Not a Debian maintainer, but the tracker says that migration to testing for certbot has to wait for another 10 days, since Bookworm has been in hard freeze since 2023-03-12. The patch in question seems to have been superseded already, which has slowed things down.