Unifi cert renewal error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ck.mmcjd.com

I ran this command: curl -sO https://get.glennr.nl/unifi/extra/unifi-easy-encrypt.sh && bash unifi-easy-encrypt.sh

It produced this output: Are you trying to change the key type of the certificate named ixxxxx.com from ECDSA to RSA? Please provide both --cert-name and --key-type on the command line to confirm the change you a>

Ask for help or search for solutions at https://community.letsencrypt.org.

My web server is (include version): Apache/2.4.52 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04.5 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

That's quite a spectacular script you're using. Browsing the code, it's a wrapper for an old version of certbot (from 4 years ago), and the issue you are encountering is that it thinks the key type is changing, and some versions of UniFi only support RSA.

I would suggest contacting the script author for assistance, but if you can avoid using such a complex script and just use certbot (or other ACME tools) directly, that would also be good.

3 Likes

The UniFi controller software wants a PKCS#12 file containing the certificate chain and private key. I use OpenSSL in a hook to take the chain and private key and convert them, something like this:

openssl pkcs12 -export \
    -inkey /path/to/private-key.pem \
    -in /path/to/cert-chain.pem \
    -out /var/lib/unifi/keystore.new \
    -passout pass:aircontrolenterprise \
    -name unifi
mv /var/lib/unifi/keystore /var/lib/unifi/keystore.old
mv /var/lib/unifi/keystore.new /var/lib/unifi/keystore
systemctl restart unifi

I'm using a slightly tweaked Acmebot for this certificate (the tweaks don't affect anything happening here) but anything that can run a post-renewal script should do the trick. The only mildly clever bits of the process are knowing that the PKCS#12 passphrase needs to be "aircontrolenterprise" and the certificate's name in P12 needs to be "unifi".

For a long time the controller did indeed only support RSA keys and I had assumed that was still the case, but I've just been pleasantly surprised to find that v9.5.21 supports ECDSA keys.

Good luck!

1 Like
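As an added example (not code from either reply above, nor from Ubiquiti or certbot), here is the same keystore conversion written as a certbot deploy hook, for anyone who takes the first reply's advice and drives certbot directly instead of the wrapper script. certbot really does export RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks; the controller hostname `unifi.example.com`, the `/var/lib/unifi/keystore` path, the `unifi:unifi` file owner and the `unifi` systemd unit are assumptions for illustration. The passphrase `aircontrolenterprise` and the alias `unifi` are the values stated in the post above. Compared with the bare openssl command, the script checks that the private key actually belongs to the certificate, reads the PKCS#12 back to confirm the passphrase and alias before touching the live file, replaces the keystore with a rename, and restores the old keystore if the controller fails to restart.

```shell
#!/bin/bash
# unifi-deploy-hook.sh: certbot deploy hook that loads a renewed certificate
# into the UniFi controller keystore. Added example, not from the thread.
# Assumptions (adjust for your install): controller name, keystore path,
# file owner and service name. Passphrase and alias are fixed by the controller.
set -eu

UNIFI_HOST="${UNIFI_HOST:-unifi.example.com}"     # assumption: your controller's name
KEYSTORE="${KEYSTORE:-/var/lib/unifi/keystore}"   # assumption: default Linux install path
KEYSTORE_PASS="aircontrolenterprise"              # required by the controller
KEYSTORE_ALIAS="unifi"                            # required by the controller

# Print the certificate's public-key algorithm: "rsaEncryption" or "id-ecPublicKey".
cert_key_algorithm() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p'
}

# Succeed only if the private key's public half equals the certificate's public key.
# Both commands emit the SubjectPublicKeyInfo as PEM, so a string compare is enough.
key_matches_cert() {
    local kpub cpub
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Build the PKCS#12 file the controller expects (key + chain, fixed passphrase,
# fixed alias) at $3, then read it back to prove it opens with that passphrase
# and carries the alias. Fails before writing anything if key and cert disagree.
build_unifi_keystore() {
    local key="$1" chain="$2" out="$3" dump
    key_matches_cert "$key" "$chain" || { echo "private key does not match certificate" >&2; return 1; }
    openssl pkcs12 -export \
        -inkey "$key" \
        -in "$chain" \
        -name "$KEYSTORE_ALIAS" \
        -passout "pass:$KEYSTORE_PASS" \
        -out "$out"
    dump=$(openssl pkcs12 -in "$out" -passin "pass:$KEYSTORE_PASS" -nokeys -clcerts) || return 1
    printf '%s\n' "$dump" | grep -q "friendlyName: $KEYSTORE_ALIAS"
}

# Put the new keystore in place with a rename (the controller never sees a
# half-written file), keep the previous one, restart, and roll back on failure.
install_unifi_keystore() {
    local new="$1"
    install -o unifi -g unifi -m 0640 "$new" "$KEYSTORE.new"   # assumption: unifi:unifi owner
    [ -f "$KEYSTORE" ] && cp -p "$KEYSTORE" "$KEYSTORE.old"
    mv -f "$KEYSTORE.new" "$KEYSTORE"
    if ! systemctl restart unifi; then
        echo "unifi failed to restart; restoring previous keystore" >&2
        [ -f "$KEYSTORE.old" ] && mv -f "$KEYSTORE.old" "$KEYSTORE" && systemctl restart unifi
        return 1
    fi
}

main() {
    # certbot sets RENEWED_LINEAGE (/etc/letsencrypt/live/<name>) and
    # RENEWED_DOMAINS (space separated) for --deploy-hook scripts.
    local lineage="${RENEWED_LINEAGE:?run by certbot as a deploy hook}" alg tmp
    case " ${RENEWED_DOMAINS:-} " in
        *" $UNIFI_HOST "*) ;;
        *) echo "renewal did not include $UNIFI_HOST; nothing to do" >&2; return 0 ;;
    esac
    alg=$(cert_key_algorithm "$lineage/cert.pem")
    # Older controllers only load RSA keystores; the thread reports ECDSA working from v9.5.21.
    [ "$alg" = "rsaEncryption" ] || echo "note: $alg key; controllers before v9.5.21 need RSA" >&2
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    build_unifi_keystore "$lineage/privkey.pem" "$lineage/fullchain.pem" "$tmp"
    install_unifi_keystore "$tmp"
}

# Only act when certbot invoked us; sourcing or running by hand just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main "$@"
fi
```

Drop the script into /etc/letsencrypt/renewal-hooks/deploy/ (executable) or pass it with `certbot renew --deploy-hook`, and certbot runs it only after a successful renewal. One caveat worth knowing: OpenSSL 3 encrypts PKCS#12 files with PBKDF2 and AES-256 by default, which some older Java runtimes cannot read; if the controller rejects an otherwise valid keystore, adding `-legacy` to the `openssl pkcs12 -export` line restores the older algorithms.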