Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: mail.jewettfarm.com
I ran this command: certbot renew
It produced this output:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mail.jewettfarm.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/mail.jewettfarm.com/privkey.pem
This certificate expires on 2023-07-26.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
My web server is (include version): Nginx 1.18/Zimbra 9.0
The operating system my web server runs on is (include version): Ubuntu 20.04
My hosting provider, if applicable, is: Cloudflare for DNS-001
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of
certbot --version or
certbot-auto --version if you're using Certbot): Certbot 2.5
My email server was giving an error that the private key does not match the certificate. So I ran:
openssl rsa -noout -check -in privkey.pem
Here is the output:
139929089717568:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:../crypto/evp/p_lib.c:469:
The cert and the chain checkout fine, it just doesn't like the private key.
The initial certificate included this for the preferred chain: --preferred-chain "ISRG Root X1"