After the upgrade of certbot from 1.25 to 2.1 some automatic renewals fail with
Failed to renew certificate xyz.example.com with error: Unable to change
the --key-type of this certificate because --reuse-key is set. To stop reusing
the private key, specify --no-reuse-key. To change the private key this one
time and then reuse it in future, add --new-key.
I didn't ask for changing the key type, so I wonder WTH? The release notes for 2.0 promised
The default key type for new certificates is now ECDSA. It was previously
RSA 2048-bit. Existing certificates are not affected.
Not a debian maintainer, but the tracker says that migration to testing for certbot has to wait for another 10 days, since Bookworm is in hard freeze since 2023-03-12. The patch in question seems to have been superseded already, which has slowed things down.