Unsupported RSA key length: 1024

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
cadmus.3phi.site
I ran this command:
sudo certbot --nginx
It produced this output:
NEXT STEPS:

  • The certificate was saved, but could not be installed (installer: nginx). After fixing the error shown below, try installing it again by running:
    certbot install --cert-name ideal.3phi.site

Unsupported RSA key length: 1024
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
cadmus@vmi1812858:~/frappe-bench$ cd ../../../

My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu Server 22.04 lts
My hosting provider, if applicable, is:
Contabo
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.10.0

Can you please provide the entire log?

Because I believe Certbot has never supported RSA key lengths of smaller than 2048.

I'm also puzzled why Certbot would only complain about the key length AFTER it has gotten the certificate issued.

2858:~/frappe-bench$ sudo certbot --nginx
[sudo] password for cadmus:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: cadmus.3phi.site
2: ideal.3phi.site
3: tcri.3phi.site


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Requesting a certificate for ideal.3phi.site

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/ideal.3phi.site/fullchain.pem
Key is saved at: /etc/letsencrypt/live/ideal.3phi.site/privkey.pem
This certificate expires on 2024-09-01.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Could not install certificate

NEXT STEPS:

  • The certificate was saved, but could not be installed (installer: nginx). After fixing the error shown below, try installing it again by running:
    certbot install --cert-name ideal.3phi.site

Unsupported RSA key length: 1024
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Please provide the log from /var/log/letsencrypt/letsencrypt.log, because this output is puzzling and doesn't make much sense. Hopefully the log contains more debugging info.

2024-06-02 07:31:55,617:DEBUG:certbot._internal.main:certbot version: 2.10.0
2024-06-02 07:31:55,618:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2024-06-02 07:31:55,618:DEBUG:certbot._internal.main:Arguments: ['-q']
2024-06-02 07:31:55,618:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#>
2024-06-02 07:31:55,640:DEBUG:certbot._internal.log:Root logging level set at 40
2024-06-02 07:31:55,645:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/cadmus.3phi.site.conf
2024-06-02 07:31:55,647:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2024-06-02 07:31:55,710:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2024-06-02 07:31:55,877:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2024-06-02 07:31:55,879:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/cadmus.3phi.site/cert1.pem is signed by the certificate's issuer.
2024-06-02 07:31:55,884:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/cadmus.3phi.site/cert1.pem is: OCSPCertStatus.GOOD
2024-06-02 07:31:55,894:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2024-06-02 07:31:55,896:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer None
2024-06-02 07:31:55,896:DEBUG:certbot._internal.display.obj:Notifying user:


2024-06-02 07:31:55,896:DEBUG:certbot._internal.display.obj:Notifying user: The following certificates are not due for renewal yet:
2024-06-02 07:31:55,897:DEBUG:certbot._internal.display.obj:Notifying user: /etc/letsencrypt/live/cadmus.3phi.site/fullchain.pem expires on 2024-08-29 (skipped)
2024-06-02 07:31:55,897:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2024-06-02 07:31:55,897:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-06-02 07:31:55,897:DEBUG:certbot._internal.renewal:no renewal failures
2024-06-02 10:04:57,675:DEBUG:certbot._internal.main:certbot version: 2.10.0
2024-06-02 10:04:57,675:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2024-06-02 10:04:57,675:DEBUG:certbot._internal.main:Arguments: ['--nginx']
2024-06-02 10:04:57,675:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#>
2024-06-02 10:04:57,689:DEBUG:certbot._internal.log:Root logging level set at 30
2024-06-02 10:04:57,691:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2024-06-02 10:04:57,876:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: EntryPoint(name='nginx', value='certbot_nginx._internal.configurator:NginxConfigurator', group='certbot.plugins')
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f06e976b130>
Prep: True
2024-06-02 10:04:57,877:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f06e976b130> and installer <certbot_nginx._in>
2024-06-02 10:04:57,877:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2024-06-02 10:04:57,961:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only>
2024-06-02 10:04:57,962:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2024-06-02 10:04:57,964:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2024-06-02 10:04:58,355:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 746
2024-06-02 10:04:58,355:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 02 Jun 2024 08:04:58 GMT
Content-Type: application/json
Content-Length: 746
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",

Hi @Osiris are you there?

Sometimes.

Can you upload the log file if you rename it to .txt? Because this is just a small part of it.

I am


I am unable to copy the whole document and send. This is a screenshot of the very last part of the letsencrypt.log file.

GNU nano 6.2 letsencrypt.log
2024-06-03 11:13:50,042:DEBUG:certbot._internal.storage:Writing private key to /etc/letsencrypt/live/ideal.3phi.site/privkey.pem.
2024-06-03 11:13:50,042:DEBUG:certbot._internal.storage:Writing chain to /etc/letsencrypt/live/ideal.3phi.site/chain.pem.
2024-06-03 11:13:50,042:DEBUG:certbot._internal.storage:Writing full chain to /etc/letsencrypt/live/ideal.3phi.site/fullchain.pem.
2024-06-03 11:13:50,043:DEBUG:certbot._internal.storage:Writing README to /etc/letsencrypt/live/ideal.3phi.site/README.
2024-06-03 11:13:50,054:DEBUG:certbot.configuration:Var account=9df5fe2b3260a26a2b70be16dd45fe66 (set by user).
2024-06-03 11:13:50,055:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2024-06-03 11:13:50,055:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2024-06-03 11:13:50,056:DEBUG:certbot._internal.storage:Writing new config /etc/letsencrypt/renewal/ideal.3phi.site.conf.
2024-06-03 11:13:50,060:DEBUG:certbot._internal.display.obj:Notifying user:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/ideal.3phi.site/fullchain.pem
Key is saved at: /etc/letsencrypt/live/ideal.3phi.site/privkey.pem
This certificate expires on 2024-09-01.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

2024-06-03 11:13:50,061:DEBUG:certbot._internal.display.obj:Notifying user: Deploying certificate
2024-06-03 11:13:50,080:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/client.py", line 657, in deploy_certificate
self.installer.deploy_cert(
File "/usr/lib/python3/dist-packages/certbot_nginx/_internal/configurator.py", line 232, in deploy_cert
vhosts = self.choose_vhosts(domain, create_if_no_match=True)
File "/usr/lib/python3/dist-packages/certbot_nginx/_internal/configurator.py", line 352, in choose_vhosts
self._make_server_ssl(vhost)
File "/usr/lib/python3/dist-packages/certbot_nginx/_internal/configurator.py", line 732, in _make_server_ssl
snakeoil_cert, snakeoil_key = self._get_snakeoil_paths()
File "/usr/lib/python3/dist-packages/certbot_nginx/_internal/configurator.py", line 678, in _get_snakeoil_paths
le_key = crypto_util.generate_key(
File "/usr/local/lib/python3.10/dist-packages/certbot/crypto_util.py", line 81, in generate_key
key_pem = make_key(
File "/usr/local/lib/python3.10/dist-packages/certbot/crypto_util.py", line 225, in make_key
raise errors.Error("Unsupported RSA key length: {}".format(bits))
certbot.errors.Error: Unsupported RSA key length: 1024

2024-06-03 11:13:50,080:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-06-03 11:13:50,244:DEBUG:certbot._internal.display.obj:Notifying user: Could not install certificate
2024-06-03 11:13:50,245:DEBUG:certbot._internal.display.obj:Notifying user: NEXT STEPS:
2024-06-03 11:13:50,245:DEBUG:certbot._internal.display.obj:Notifying user: - The certificate was saved, but could not be installed (installer: nginx). After fixing the error shown below, try installing it again by running:
certbot install --cert-name ideal.3phi.site
2024-06-03 11:13:50,245:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/local/bin/certbot", line 8, in <module>
sys.exit(main())
File "/usr/local/lib/python3.10/dist-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/main.py", line 1894, in main
return config.func(config, plugins)
File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/main.py", line 1480, in run
raise installer_err
File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/main.py", line 1464, in run
_install_cert(config, le_client, domains, new_lineage)
File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/main.py", line 1058, in _install_cert
le_client.deploy_certificate(domains, path_provider.key_path, path_provider.cert_path,
File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/client.py", line 657, in deploy_certificate
self.installer.deploy_cert(
File "/usr/lib/python3/dist-packages/certbot_nginx/_internal/configurator.py", line 232, in deploy_cert
vhosts = self.choose_vhosts(domain, create_if_no_match=True)
File "/usr/lib/python3/dist-packages/certbot_nginx/_internal/configurator.py", line 352, in choose_vhosts
self._make_server_ssl(vhost)
File "/usr/lib/python3/dist-packages/certbot_nginx/_internal/configurator.py", line 732, in _make_server_ssl
snakeoil_cert, snakeoil_key = self._get_snakeoil_paths()
File "/usr/lib/python3/dist-packages/certbot_nginx/_internal/configurator.py", line 678, in _get_snakeoil_paths
le_key = crypto_util.generate_key(
File "/usr/local/lib/python3.10/dist-packages/certbot/crypto_util.py", line 81, in generate_key
key_pem = make_key(
File "/usr/local/lib/python3.10/dist-packages/certbot/crypto_util.py", line 225, in make_key
raise errors.Error("Unsupported RSA key length: {}".format(bits))
certbot.errors.Error: Unsupported RSA key length: 1024
2024-06-03 11:13:50,249:ERROR:certbot._internal.log:Unsupported RSA key length: 1024

You have different, mismatched versions of the main certbot and the certbot-nginx plugin; not sure how you have that. Remove the apt version of python3-certbot-nginx and get the snap one.

Looks like the two packages are installed differently. Probably python3-certbot-nginx was installed using apt:

And Certbot itself looks like it's installed using pip globally:

Which is always a bad idea and indeed leads to these kinds of version incompatibilities.

Don't forget to uninstall the pip Certbot!

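The mixed install diagnosed in the replies above can be read off the posted traceback: the `certbot` frames load from `/usr/local/lib/python3.10/dist-packages` while the `certbot_nginx` frames load from `/usr/lib/python3/dist-packages`. The following is an added example, not part of the original thread and not Certbot's own code; the function names are hypothetical, and the mapping from path prefix to installer assumes the Debian/Ubuntu layout.

```python
import re
from collections import defaultdict

# Frames copied from the traceback posted in this thread (abridged).
SAMPLE_TRACEBACK = '''\
Traceback (most recent call last):
File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/client.py", line 657, in deploy_certificate
self.installer.deploy_cert(
File "/usr/lib/python3/dist-packages/certbot_nginx/_internal/configurator.py", line 678, in _get_snakeoil_paths
le_key = crypto_util.generate_key(
File "/usr/local/lib/python3.10/dist-packages/certbot/crypto_util.py", line 225, in make_key
raise errors.Error("Unsupported RSA key length: {}".format(bits))
certbot.errors.Error: Unsupported RSA key length: 1024
'''

# Path prefix -> installer, per Debian/Ubuntu conventions (an assumption elsewhere).
ORIGINS = [
    (re.compile(r"^/usr/local/lib/python3(\.\d+)?/dist-packages/"), "pip (system-wide)"),
    (re.compile(r"^/usr/lib/python3(\.\d+)?/dist-packages/"), "apt"),
    (re.compile(r"^/snap/"), "snap"),
]
FRAME = re.compile(r'^\s*File "([^"]+)", line \d+, in ')
PKG = re.compile(r"/(?:dist|site)-packages/([^/]+?)(?:\.py)?(?:/|$)")

def classify(path):
    """Return the installer label for a module path, or 'other'."""
    return next((origin for pat, origin in ORIGINS if pat.search(path)), "other")

def package_origins(traceback_text):
    """Map each top-level package seen in the traceback to its install origins."""
    found = defaultdict(set)
    for line in traceback_text.splitlines():
        m = FRAME.match(line)
        if not m:
            continue
        pkg = PKG.search(m.group(1))
        if pkg:
            found[pkg.group(1)].add(classify(m.group(1)))
    return {name: sorted(origins) for name, origins in found.items()}

def mixed_certbot_install(traceback_text):
    """True when certbot* packages in one traceback come from different installers."""
    origins = {o for name, where in package_origins(traceback_text).items()
               if name.startswith("certbot") for o in where}
    return len(origins) > 1

if __name__ == "__main__":
    print(package_origins(SAMPLE_TRACEBACK), mixed_certbot_install(SAMPLE_TRACEBACK))
```

Run against the frames from this thread, it reports `certbot` as pip-installed and `certbot_nginx` as apt-installed, which is the mismatch the replies identify.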

Thank you very much for your help. It worked out wonderfully.
