Unable to verify privkey.pem file

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.jewettfarm.com

I ran this command: certbot renew

It produced this output:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mail.jewettfarm.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/mail.jewettfarm.com/privkey.pem
This certificate expires on 2023-07-26.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

My web server is (include version): Nginx 1.18/Zimbra 9.0

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Cloudflare for DNS-001

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 2.5

My email server was giving an error that the private key does not match the certificate. So I ran:
openssl rsa -noout -check -in privkey.pem

Here is the output:
139929089717568:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:../crypto/evp/p_lib.c:469:

The cert and the chain check out fine, it just doesn't like the private key.

The initial certificate included this for the preferred chain: --preferred-chain "ISRG Root X1"

Thank you!

3 Likes

Your most recently issued cert is an ECDSA cert instead of RSA, so openssl rsa on the ECDSA private key won't work.

5 Likes
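The error in the original post comes from running openssl rsa on an ECDSA key. As an added example (not code from this thread or from Certbot), the POSIX sh script below uses openssl pkey, which handles either algorithm, to report the key type in a certbot live directory and confirm that privkey.pem matches fullchain.pem. It assumes the openssl CLI is installed; the key and certificate it checks are generated locally as constructed test data.

```shell
#!/bin/sh
# Added example: inspect a certbot lineage without assuming the key is RSA.

# key_type FILE -> prints rsa | ec | unknown
# `openssl pkey` parses any algorithm; `openssl rsa` fails on an ECDSA key
# with "expecting an rsa key", which is the error seen in the thread.
key_type() {
  asn1=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl asn1parse 2>/dev/null) \
    || { echo unknown; return 1; }
  case "$asn1" in
    *:rsaEncryption*)  echo rsa ;;
    *:id-ecPublicKey*) echo ec ;;
    *)                 echo unknown; return 1 ;;
  esac
}

# key_matches_cert KEY CERT -> exit 0 if the public key in CERT is the one
# derived from KEY. Works for RSA and ECDSA alike (compares SPKI PEM output).
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_lineage DIR -> report on DIR/privkey.pem and DIR/fullchain.pem
check_lineage() {
  t=$(key_type "$1/privkey.pem") || { echo "privkey.pem: unreadable or unsupported key"; return 1; }
  if key_matches_cert "$1/privkey.pem" "$1/fullchain.pem"; then
    echo "privkey.pem is an $t key and matches fullchain.pem"
  else
    echo "privkey.pem ($t) does NOT match fullchain.pem"; return 1
  fi
}

# make_sample DIR: constructed test data, an ECDSA lineage (as certbot 2.x
# issues by default) plus an unrelated RSA key to show a mismatch.
make_sample() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/privkey.pem" 2>/dev/null
  openssl req -x509 -new -key "$1/privkey.pem" -days 1 \
    -subj "/CN=mail.example.test" -out "$1/fullchain.pem" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/other-rsa.key" 2>/dev/null
}
```

Point check_lineage at /etc/letsencrypt/live/<domain> on a real host; a key type of ec with a server that only loads RSA keys is the situation this thread describes.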

Thanks Osiris. Did something change? The email application validation process is looking for an rsa key. Is there a way to specify the key type, since I can't convert ecdsa to rsa?

1 Like

Did you upgrade Certbot from pre v2.x?

1 Like

See ECDSA certificates by default and other upcoming changes in Certbot 2.0

4 Likes

Yes, and I see that it changed the default key type after 2.x apparently.

I will try it with the --key-type rsa - assuming this is valid.

5 Likes

Hi @dj423, since we are dealing with the PRIVATE KEY you cannot share its contents!
However you, yourself, can look at the file /etc/letsencrypt/live/mail.jewettfarm.com/privkey.pem
and see if it begins with -----BEGIN PRIVATE KEY-----
and ends with -----END PRIVATE KEY-----
However, there is more than one valid format available.

1 Like

Well, that post was delayed by the system to make sure it was safe.

1 Like

Thanks Bruce. The key is valid, no issue there. My problem is my email system (Zimbra) only accepts rsa key types - as there is no switch to define the key type. Was hoping to just roll with the ecdsa type.

4 Likes

You are welcome @dj423 (Derek)!
Have a pleasant day. :slight_smile:

3 Likes

That should work.

4 Likes

I ended up needing to revoke the certificate, then it let me request one with the key type: RSA.

Thanks for the help!

2 Likes

Unless the key has been compromised, you do not need to revoke a certificate. I got caught by this same bug when I made a similar upgrade to certbot. As indicated in the certbot documentation, this is one of the few situations where the use of --force-renewal is appropriate.

That's all academic now, but figure you deserve to know, just in case you are ever in a similar situation again.

6 Likes

How old is that software?

2 Likes

This one is Zimbra 9, which was released back in 2020, but I think many of the CLI utilities are much, much older than that. Cipher type is not even an option, so they need to update, I would think.

You might do better by putting that behind an nginx proxy.

4 Likes

Funny you say that because it is behind another nginx instance with a different cert. I encrypt all points of the stack pretty much. Can't be too secure!

2 Likes

I will have to recheck how Zimbra handles EC certs.

4 Likes

In that version... it doesn't - LOL

5 Likes

Yeah, and I am guessing requesting an enhancement to the zmcertmgr utility will be ignored since they (Synacor) want to stop supporting their open source projects. For the TLS proxy it however does support more secure cipher suites, just not while doing the cert verification.

2 Likes