--reuse-key should imply --reuse-key-type

After the upgrade of certbot from 1.25 to 2.1 some automatic renewals fail with

Failed to renew certificate xyz.example.com with error: Unable to change the --key-type of this certificate because --reuse-key is set. To stop reusing the private key, specify --no-reuse-key. To change the private key this one time and then reuse it in future, add --new-key.

I didn't ask to change the key type, so I wonder WTH? The release notes for 2.0 promised

The default key type for new certificates is now ECDSA. It was previously 
RSA 2048-bit. Existing certificates are not affected.

There was a bug in Certbot where, when certificates issued with Certbot before 1.25.0 were renewed with Certbot 2.x.x pre-2.5.0, the key type wasn't preserved. See certbot/CHANGELOG.md at master · certbot/certbot · GitHub for more about that bug.

Could you please update your Certbot to 2.5.0, the current latest version, and try again?

4 Likes

Why would that be necessary?

1 Like

Because certbot changed the config files for the domains in question. I have to go back to the old keys.

There is no certbot 2.5 package available for Debian, anyway ...

You may create a Python virtual environment and use pip to install a new certbot inside the virtual environment (I use Ubuntu but still use venv to install certbot).

2 Likes

The Certbot team advises using snap to install Certbot on most systems, including Debian. Please see the appropriate instructions on https://certbot.eff.org/

Using pip in a venv is not actively supported.

3 Likes

snap is not an option.

Apparently it is possible to recover /etc/letsencrypt from backup to start over. The workaround was easy, too: I have appended

key_type rsa

to all conf files (as necessary). There was no problem on a renewal anymore. The old key and key_type were kept as expected.

3 Likes
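The workaround above, pinning the key type in each renewal conf, can be applied mechanically. The script below is an added example and not code from the thread or from the Certbot project: it adds `key_type = rsa` (the `key = value` form Certbot's renewal files use) under `[renewalparams]` only in files that declare no key type, reports what Certbot will assume for a file, and builds a constructed sample conf to run against; the sample values (version, account id, paths) are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): pin "key_type = rsa" in Certbot renewal
# configs that predate the key_type field, so a 2.x Certbot does not try to
# move a --reuse-key certificate to ECDSA at renewal time. The renewal conf
# layout (INI with a [renewalparams] section) is Certbot's; the sample content
# and the account id below are constructed for this example.

# ensure_rsa_key_type FILE
# Adds "key_type = rsa" right after [renewalparams] when FILE declares no
# key_type. Files that already declare one are left untouched, so the
# function is safe to re-run. Prints "patched" or "unchanged".
ensure_rsa_key_type() {
    conf="$1"
    if grep -Eq '^[[:space:]]*key_type[[:space:]]*=' "$conf"; then
        echo "unchanged"
        return 0
    fi
    if ! grep -q '^\[renewalparams\]' "$conf"; then
        echo "no [renewalparams] section in $conf" >&2
        return 1
    fi
    tmp="$conf.tmp.$$"
    awk '{ print } /^\[renewalparams\]$/ { print "key_type = rsa" }' "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
    echo "patched"
}
# renewal_key_type FILE
# Prints the key_type FILE declares, or "rsa", the default Certbot used
# before 2.0, when the line is absent.
renewal_key_type() {
    kt=$(sed -n 's/^[[:space:]]*key_type[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    echo "${kt:-rsa}"
}
# make_sample_conf FILE
# Writes a constructed pre-1.25-style renewal conf (no key_type, reuse_key on).
make_sample_conf() {
    cat > "$1" <<'EOF'
version = 1.21.0
archive_dir = /etc/letsencrypt/archive/xyz.example.com
cert = /etc/letsencrypt/live/xyz.example.com/cert.pem
privkey = /etc/letsencrypt/live/xyz.example.com/privkey.pem

[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
reuse_key = True
EOF
}
```

On a real host the loop would be `for f in /etc/letsencrypt/renewal/*.conf; do ensure_rsa_key_type "$f"; done`, after checking with `renewal_key_type` that each unpinned certificate really does have an RSA key.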

@Osiris is right, this is fixed in a later release.

We asked the Debian package maintainer to backport the fix to the version of Certbot available in Debian Bookworm.

The patch is currently only available in Debian sid, but I am hoping that it will make its way to Bookworm soon. I have bumped the thread asking for a status update.

5 Likes

Not a Debian maintainer, but the tracker says that migration to testing for certbot has to wait for another 10 days, because Bookworm has been in hard freeze since 2023-03-12. The patch in question seems to have been superseded already, which has slowed things down.

6 Likes
