The certificate chain in the configuration details of the certificate is invalid

root@certbot-20230406:/etc/letsencrypt/live/welooop.com# openssl ec -in privkey.pem -pubout
read EC key
writing EC key
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjdqaz7d1VoZxyq1KJjMtTvwytlcJ
UVAxzGUG2J8eo4qqilFtBubHUFo5ktT41bTyNQ3fK0iZWDztBdiW3T1YVQ==
-----END PUBLIC KEY-----


Looks like a match to me.


Is "Not a DSA key" an issue?

Do we have option to re-generate the keys? Will key re-generation solve the issue?

It looks to me like you are serving HTTP (not HTTPS) on port 443:

$ curl -k -Ii http://welooop.com:443
HTTP/1.1 400 Bad Request
Date: Sat, 08 Apr 2023 23:33:42 GMT
Content-Type: text/html
Content-Length: 243
Connection: close
$ curl -k -Ii https://welooop.com
curl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure
$ nmap -Pn welooop.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-04-08 23:32 UTC
Nmap scan report for welooop.com (129.80.187.95)
Host is up (0.077s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE
22/tcp  closed ssh
443/tcp open   https

Nmap done: 1 IP address (1 host up) scanned in 7.98 seconds

My listener for the load balancer is listening on port 443:

[image: screenshot of the load balancer listener configuration]

Because the SSL certificate doesn't work, it is serving HTTP on port 443?

Maybe the load balancer doesn't like EC type certs:


See:
https://eff-certbot.readthedocs.io/en/stable/using.html#changing-a-certificate-s-key-type


Yahooooo! Correct, the load balancer doesn't like ECDSA, it has to be RSA! It is working now.

When I first got the certificate 2.5 months ago, it worked on my site. 3 days ago, when I renewed the certificate, somehow it changed to ECDSA? How? Why? When? I have absolutely no clue.

This morning, I issued this cmd:

certbot certonly --manual --preferred-challenges=dns \
  --email welooop@welooop.com \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --key-type rsa \
  --agree-tos \
  -d welooop.com \
  --force-renewal

Then it worked!

rg305, thanks a million! everybody who helped me, thank you! thank you!! thank you!!!

Sincerely appreciate your time and effort!

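The two checks the thread does by hand (`openssl ec -pubout` to see whether privkey.pem matches the cert, and re-issuing with `--key-type rsa` once the load balancer turned out to reject ECDSA) can be scripted. The following is an added example, not code from the thread or from certbot: it classifies a private key and a certificate as RSA or EC, and confirms the two belong together. The file names, the temporary directory and the `welooop.com` subject are placeholders; the keys and self-signed certificates are generated on the fly so the script runs offline, standing in for certbot's `cert.pem` / `privkey.pem`.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): tell an RSA privkey.pem from an ECDSA
# one and confirm it matches cert.pem. Paths and the "welooop.com" subject are
# placeholders; sample keys and certs are constructed below so this runs offline.
set -eu

# Classify `openssl ... -text` output read on stdin. Certbot writes PKCS#8, so
# the PEM header is "BEGIN PRIVATE KEY" for both key types; only the parsed
# contents tell them apart: EC keys print a curve OID, RSA keys a modulus
# ("modulus:" for private keys, "Modulus:" for public keys).
classify() {
  case "$(cat)" in
    *"ASN1 OID"*|*"NIST CURVE"*) echo EC ;;
    *odulus:*)                   echo RSA ;;
    *)                           echo UNKNOWN ;;
  esac
}

# Key type of a private key file: RSA, EC or UNKNOWN (unreadable / other).
key_type() {
  openssl pkey -in "$1" -noout -text 2>/dev/null | classify
}

# Key type of the public key carried inside a certificate.
cert_key_type() {
  openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
    | openssl pkey -pubin -noout -text 2>/dev/null | classify
}

# Succeeds when the certificate's SubjectPublicKeyInfo equals the public key
# derived from the private key, i.e. the "Looks like a match" check above,
# done by comparing SHA-256 digests of the DER encodings.
cert_key_match() {
  local from_cert from_key
  from_cert=$(openssl x509 -in "$1" -noout -pubkey \
                | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  from_key=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$from_cert" = "$from_key" ]
}

# Constructed sample material: one P-256 and one RSA-2048 key pair, each with
# a self-signed certificate, standing in for /etc/letsencrypt/live/<domain>/.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
  -out "$WORK/ec.key" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/rsa.key" 2>/dev/null
for t in ec rsa; do
  openssl req -x509 -new -key "$WORK/$t.key" -subj /CN=welooop.com \
    -days 1 -out "$WORK/$t.crt" 2>/dev/null
done

# One-line report per cert/key pair, as you would run it against the live dir.
report() {  # report CERT KEY
  printf '%s: cert=%s key=%s match=%s\n' "$(basename "$1")" \
    "$(cert_key_type "$1")" "$(key_type "$2")" \
    "$(cert_key_match "$1" "$2" && echo yes || echo no)"
}
report "$WORK/ec.crt"  "$WORK/ec.key"    # ec.crt: cert=EC key=EC match=yes
report "$WORK/rsa.crt" "$WORK/rsa.key"   # rsa.crt: cert=RSA key=RSA match=yes
report "$WORK/rsa.crt" "$WORK/ec.key"    # rsa.crt: cert=RSA key=EC match=no
```

Run it against a real lineage with `report /etc/letsencrypt/live/<domain>/cert.pem /etc/letsencrypt/live/<domain>/privkey.pem`. If the report says `key=EC` and the front end only accepts RSA, that is the situation in this thread: the key and cert match fine, the type is the problem, and re-issuing with `--key-type rsa` (or setting `key-type = rsa` in the renewal configuration so later renewals keep it) is the fix.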

Certbot changed starting with the Certbot 2.0.0 release; the current release is Certbot 2.5.0.


Thank you for the info! So starting 2022-11-21, "The default key type for new certificates is now ECDSA secp256r1 (P-256). It was previously RSA 2048-bit." I got my first certificate on 2023-01-24, so it was ECDSA; when I renewed it, it was still ECDSA, and Oracle Cloud doesn't like ECDSA.

But the question is ECDSA is older, RSA is newer, why would Let's Encrypt change from RSA to ECDSA?

very confusing...


Kindly wait to see if there are more knowledgeable Let's Encrypt community volunteers willing to explain.


The other way around.


Sorry I misread, thank you for the great info!

So it was Oracle Cloud's fault :slight_smile:


Not supporting ECDSA is, well, kinda old-fashioned...


It should support, maybe I did something wrong :slight_smile:

Thank you ALL! very much.


I think you might have confused DSA with ECDSA here. That might also be why @WeLooop said "ECDSA is older, RSA is newer".

Both of these are kind of old technology in a chronological sense, and both of them have been criticized (especially as challenging for programmers to implement correctly, as they have pitfalls that can trip up programmers). But ECDSA is, relatively speaking, much newer than DSA—and also newer than RSA.

