Wrong bit length

Hello,

I have been using Let's Encrypt for several years for my various domains in connection with Nginx.

Normally I generate the certificates in the following way:
certbot -d --force-renewal --rsa-key-size 4096

This has also worked well for years. For about 2 months now, a certificate is still generated, but it only has a bit length of 256.

Does anyone have any idea what is going wrong for me?

Regards
Matthias

Certbot changed its default key type to ECDSA in version 2.0.

You need to use --key-type rsa if you want to keep using RSA.

5 Likes

It's an ECC key (Elliptic Curve Cryptography, here using curve P-256), not an RSA key.

256-bit ECC is about as strong as 3072-bit RSA.

4 Likes

I hadn't noticed that. With the --key-type rsa it worked.

Thanks for your help!

3 Likes

Is there a specific reason to go back to RSA?

4 Likes

No, it was just my lack of knowledge.

:slight_smile: or better :frowning:

1 Like

Please don't use the force for simple renewals.
Use:
certbot renew

5 Likes

It could be necessary when actively changing the certificate contents (e.g. the subject key). However, this configuration option can also be changed without immediately issuing a new certificate with the reconfigure command in newer versions of Certbot.

https://eff-certbot.readthedocs.io/en/stable/using.html#certbot-v2-3-0-and-newer

4 Likes
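
To check which key settings each certificate lineage is recorded to renew with, the following added example (not part of the thread and not Certbot's own code) reads the renewal files and flags an RSA key size stored next to an ECDSA key type, the situation described in the original question. It assumes the renewal files live in /etc/letsencrypt/renewal and keep `key_type` and `rsa_key_size` under `[renewalparams]`; the sample file is constructed.

```shell
#!/bin/sh
# Added example: report the key settings recorded for each Certbot lineage.
# Assumption: renewal files keep "key = value" lines under [renewalparams].

# renewal_key_summary FILE -> prints "<key_type> <rsa_key_size> <verdict>"
renewal_key_summary() {
    awk -F'=' '
        /^\[/ { in_params = ($0 ~ /^\[renewalparams\]/); next }
        in_params {
            k = $1; v = $2
            gsub(/[ \t\r]/, "", k); gsub(/[ \t\r]/, "", v)
            if (k == "key_type") kt = v
            if (k == "rsa_key_size") sz = v
        }
        END {
            if (kt == "") kt = "unset"
            if (sz == "") sz = "unset"
            # An RSA size next to an ECDSA key type has no effect on the key.
            if (kt == "ecdsa" && sz != "unset") verdict = "rsa-size-ignored"
            else if (kt == "unset") verdict = "key-type-not-recorded"
            else verdict = "ok"
            print kt, sz, verdict
        }' "$1"
}

# audit_renewal_dir [DIR] -> one line per lineage; DIR defaults to the usual path
audit_renewal_dir() {
    dir=${1:-/etc/letsencrypt/renewal}
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f" .conf)" "$(renewal_key_summary "$f")"
    done
}

# Constructed sample lineage (placeholder name and values), so this runs offline.
demo=$(mktemp -d)
cat > "$demo/example.org.conf" <<'EOF'
version = 2.1.0
cert = /etc/letsencrypt/live/example.org/cert.pem
[renewalparams]
authenticator = nginx
key_type = ecdsa
rsa_key_size = 4096
EOF
audit_renewal_dir "$demo"   # prints: example.org: ecdsa 4096 rsa-size-ignored
rm -rf "$demo"
```

On a real host, call `audit_renewal_dir` with no argument (reading the directory usually requires root).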
