Unable to change the --elliptic-curve of this certificate

I took the recommendation from this thread of setting reuse-key = true to keep hashes the same for TLSA records.

I am trying to renew now and get this error:

Failed to renew certificate ki9.us with error: Unable to change the --elliptic-curve of this certificate because --reuse-key is set. To stop reusing the private key, specify --no-reuse-key. To change the private key this one time and then reuse it in future, add --new-key.

I want to renew my certs without breaking my TLSA records. Frankly I have no idea what this error means, since I am not trying to change the "elliptic curve", am I?

1 Like

You shouldn't need to specify --elliptic-curve; why are you doing so?

I assume certbot is confused because specifying a curve and a preexisting key can produce an undecidable situation.

2 Likes

Looks like you indeed are using RSA.

By the way, is there a specific reason why you have 2 identical certificates issued with just one day in between? See crt.sh | 17806768757 and crt.sh | 17829220324.

With regard to the error: hard to tell, because you haven't followed the questionnaire which was presented to you. This could be a bug in Certbot that might also already have been fixed. But without knowing the Certbot version (which was a question of the questionnaire) I can't tell.

2 Likes

I have two certs, one using RSA and one using ECC. I use the ECC one on my website and the RSA one on the mailserver, same domain.

  Certificate Name: ki9.us-rsa
    Serial Number: 6f0ba81c751426788cc4af7c6aaf6acc9b6
    Key Type: RSA
    Domains: ki9.us *.ki9.us
    Expiry Date: 2025-07-12 21:01:25+00:00 (VALID: 75 days)
    Certificate Path: /etc/letsencrypt/live/ki9.us-rsa/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ki9.us-rsa/privkey.pem
  Certificate Name: ki9.us
    Serial Number: 3b1dce96aa6c48cb170b0095c034683823f
    Key Type: ECDSA
    Domains: ki9.us *.ki9.us
    Expiry Date: 2025-05-10 18:21:19+00:00 (VALID: 11 days)
    Certificate Path: /etc/letsencrypt/live/ki9.us/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ki9.us/privkey.pem

I got two certs because postfix or smtps itself only supports RSA. I followed ServerFault: ssl - How to get both ECC & RSA certificates from Let's Encrypt for Postfix

I'm getting this error renewing the ECC certs (the RSA certs are not up for renewal and probably renewed successfully during the last run).

One of the crt.sh links 404'd but if the certs are identical (and not RSA/ECC) then I probably double-tapped something.

I have never explicitly used this flag but elliptic-curve is set by default in cli.ini since LE defaults to ECC now, right?

I'm using the certbot/dns-rfc2136 docker container which is using certbot 4.0.0.

The command I'm running is:

# /usr/local/bin/certbot renew

Which calls this wrapper script for docker run ...:

#!/bin/bash
# /usr/local/bin/certbot

# Pass every argument through to certbot inside the container; quoting "$@"
# keeps arguments that contain spaces intact.
docker run -it --rm --name certbot \
        -v "/etc/letsencrypt:/etc/letsencrypt" \
        -v "/var/log/letsencrypt:/var/log/letsencrypt" \
        -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
        certbot/dns-rfc2136 "$@"

I can post some .ini files if necessary.

None of the other questions in the questionnaire are going to help but for completeness:

My domain is: ki9.us, but I'm seeing it with all the domains I set up with reuse-key.

It produced this output: Error pasted in #1

My web server is (include version): Not relevant because I am using RFC2136

The operating system my web server runs on is (include version): Seeing this on multiple linux-based machines, but certbot is in docker.

My hosting provider, if applicable, is: Both onsite and multiple VPSes

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

1 Like

It shouldn't; if I remember correctly, cli.ini is supposed to be empty by default and only contain user overrides.

1 Like

You're right, I created the cli.ini and set elliptic-curve based on that ServerFault answer.

# https://serverfault.com/a/1151326

# Use ECC for the private key
# (do not set this by default to allow overrides in renewal/*.conf)
#key-type = ecdsa
elliptic-curve = secp384r1
rsa-key-size = 4096

# https://community.letsencrypt.org/t/tlsa-record-changes-with-every-renewal-process-which-breaks-dane/144145/3
reuse-key = true

So maybe the rsa-key-size line is confusing certbot during ECC renewal?

No, that only applies to RSA. The elliptic curve is ECDSA. Probably the line below needs to be secp256r1.

2 Likes

I tried removing this line from cli.ini because it's already in renewal/ki9.us-rsa.conf but am still getting the error.

Here is my renewal/ki9.us.conf:

# renew_before_expiry = 30 days
version = 3.1.0
archive_dir = /etc/letsencrypt/archive/ki9.us
cert = /etc/letsencrypt/live/ki9.us/cert.pem
privkey = /etc/letsencrypt/live/ki9.us/privkey.pem
chain = /etc/letsencrypt/live/ki9.us/chain.pem
fullchain = /etc/letsencrypt/live/ki9.us/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
authenticator = dns-rfc2136
dns_rfc2136_credentials = /etc/letsencrypt/rfc2136.ini
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa

Here is my renewal/ki9.us-rsa.conf:

# renew_before_expiry = 30 days
version = 4.0.0
archive_dir = /etc/letsencrypt/archive/ki9.us-rsa
cert = /etc/letsencrypt/live/ki9.us-rsa/cert.pem
privkey = /etc/letsencrypt/live/ki9.us-rsa/privkey.pem
chain = /etc/letsencrypt/live/ki9.us-rsa/chain.pem
fullchain = /etc/letsencrypt/live/ki9.us-rsa/fullchain.pem

# Options used in the renewal process
[renewalparams]
reuse_key = True
account = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
rsa_key_size = 4096
key_type = rsa
elliptic_curve = secp384r1
authenticator = dns-rfc2136
dns_rfc2136_credentials = /etc/letsencrypt/rfc2136.ini
server = https://acme-v02.api.letsencrypt.org/directory

We cross-posted. Try changing the elliptic curve back to the default, as I suggested in my previous post.

1 Like

I removed the elliptic-curve line from cli.ini and my certs renewed. :tada:

Do I need to update my TLSA records or was the key reused successfully?

Probably fine. Was the private key file(s) updated?

Do NOT show contents of private key here :slight_smile:

1 Like

Looks the same!

ls -l /etc/letsencrypt/live/ki9.us/privkey.pem
lrwxrwxrwx 1 root root 33 Apr 28 13:26 /etc/letsencrypt/live/ki9.us/privkey.pem -> ../../archive/ki9.us/privkey8.pem

ls --color -l /etc/letsencrypt/archive/ki9.us/privkey{7,8}.pem
-rw------- 1 root root 227 Feb  9 12:19 /etc/letsencrypt/archive/ki9.us/privkey7.pem
-rw------- 1 root root 227 Apr 28 13:26 /etc/letsencrypt/archive/ki9.us/privkey8.pem

sha256sum /etc/letsencrypt/archive/ki9.us/privkey{7,8}.pem
ca0ef1865a508255f6ac29019d6356a5760dcd794417a7f13b5117a1a35769eb  /etc/letsencrypt/archive/ki9.us/privkey7.pem
ca0ef1865a508255f6ac29019d6356a5760dcd794417a7f13b5117a1a35769eb  /etc/letsencrypt/archive/ki9.us/privkey8.pem

This thread may be closed now, or allowed to die a natural death.

2 Likes
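The two checks behind this thread, as an added example rather than anything posted above: the error quoted in the first post fires because the key certbot is told to reuse is on one curve (its default, secp256r1, which OpenSSL reports as prime256v1) while cli.ini asks for secp384r1, and the sha256sum comparison of privkey7/privkey8 can be made more precise by computing the value a TLSA record actually carries. The script assumes the common `3 1 1` TLSA form (SHA-256 over the certificate's SubjectPublicKeyInfo), requires the openssl command-line tool, and generates throwaway keys plus a self-signed certificate in a temporary directory instead of touching /etc/letsencrypt; the curve alias table is mine, not certbot's.

```shell
#!/bin/sh
# Added example, not code from the thread or from certbot.
#   1. Compare the curve of an existing EC private key with a configured
#      elliptic-curve value; a mismatch is the condition behind certbot's
#      "Unable to change the --elliptic-curve ... because --reuse-key is set".
#   2. Compute the DANE TLSA "3 1 1" data (SHA-256 of the DER SubjectPublicKeyInfo)
#      from a key and from a certificate; with a reused key it must not change.
# Requires the openssl command-line tool. All files used are generated below.
set -eu

# certbot and OpenSSL name P-256 differently; normalise before comparing.
canon_curve() {
    case "$1" in
        secp256r1|prime256v1|P-256) echo prime256v1 ;;
        secp384r1|P-384)            echo secp384r1 ;;
        secp521r1|P-521)            echo secp521r1 ;;
        *)                          echo "$1" ;;
    esac
}

# Curve of an EC private key as printed by openssl (e.g. prime256v1, secp384r1).
key_curve() {
    openssl pkey -in "$1" -noout -text | sed -n 's/^ASN1 OID: *//p'
}

# "ok" when the configured curve matches the stored key, "conflict" otherwise.
check_curve() {   # $1 = private key file, $2 = curve name from cli.ini
    if [ "$(canon_curve "$(key_curve "$1")")" = "$(canon_curve "$2")" ]; then
        echo ok
    else
        echo conflict
    fi
}

# TLSA 3 1 1 data derived from a private key (public part, DER SPKI, SHA-256)...
tlsa_311_from_key() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}

# ...and the same value derived from a certificate, which is what DANE clients compute.
tlsa_311_from_cert() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Populate a directory with constructed stand-ins for certbot's archive files.
make_fixture() {   # $1 = existing empty directory
    # Existing archive key on certbot's default curve.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$1/privkey7.pem" 2>/dev/null
    # A renewal with reuse-key stores the same key again under the next number...
    cp "$1/privkey7.pem" "$1/privkey8.pem"
    # ...whereas a renewal that generates a fresh key does not.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$1/privkey9.pem" 2>/dev/null
    # Self-signed certificate on the reused key, standing in for cert.pem.
    openssl req -x509 -new -key "$1/privkey8.pem" -subj "/CN=example.test" \
        -days 1 -out "$1/cert.pem" 2>/dev/null
}

demo() {
    work=$(mktemp -d)
    make_fixture "$work"
    echo "curve of stored key:          $(key_curve "$work/privkey7.pem")"
    echo "cli.ini secp384r1 vs stored:  $(check_curve "$work/privkey7.pem" secp384r1)"
    echo "default secp256r1 vs stored:  $(check_curve "$work/privkey7.pem" secp256r1)"
    echo "TLSA 3 1 1 from privkey7:     $(tlsa_311_from_key "$work/privkey7.pem")"
    echo "TLSA 3 1 1 from privkey8:     $(tlsa_311_from_key "$work/privkey8.pem")"
    echo "TLSA 3 1 1 from cert.pem:     $(tlsa_311_from_cert "$work/cert.pem")"
    echo "TLSA 3 1 1 from new privkey9: $(tlsa_311_from_key "$work/privkey9.pem")"
    rm -rf "$work"
}

demo
```

Against a real deployment, `tlsa_311_from_cert` pointed at the live `fullchain.pem` (openssl reads the first certificate in the file) gives the value to compare with the published `_25._tcp` TLSA record. An identical private key file, as in the sha256sum output above, is sufficient for that value to be unchanged, but the SPKI hash is the quantity DANE validators actually check.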

You did that when you marked it Solved. It will close out to future posts in 30d per this forum's standard. Cheers :slight_smile:

2 Likes