I have a small test server at home and I registered with letsencrypt to get a valid certificate.
Certificate expired and wasn't automatically renewed (no harm done, this is strictly for testing purposes).
I don't remember exactly how I installed the certificate, and "certbot" was not installed on my server (actually an LXD container, if relevant) running "Debian GNU/Linux 12 (bookworm)".
I installed certbot with standard:
sudo apt update && sudo apt install certbot python3-certbot-nginx
and then proceeded to use it:
sudo certbot --nginx -d blog.mydomain.it
but I got an unexpected error:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for blog.mydomain.it
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/blog.mydomain.it/fullchain.pem
Key is saved at: /etc/letsencrypt/live/blog.mydomain.it/privkey.pem
This certificate expires on 2024-02-14.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for blog.mydomain.it to /etc/nginx/sites-enabled/blog.conf
We were unable to install your certificate, however, we successfully restored your server to its prior configuration.
NEXT STEPS:
- The certificate was saved, but could not be installed (installer: nginx). After fixing the error shown below, try installing it again by running:
certbot install --cert-name blog.mydomain.it
nginx restart failed:
2023/11/16 23:31:55 [emerg] 561#561: SSL_CTX_use_PrivateKey("/etc/letsencrypt/blog.mydomain.it_ecc/private.key") failed (SSL: error:05800074:x509 certificate routines::key values mismatch)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
I guess there's some mismatch between previous certificate install and what certbot is trying to do, but I am at a loss about how to proceed.
I have no problem in wiping the old certificate, if that's useful, but I would like to understand before I make a deeper mess.
I need to reinstall certificates without disturbing the server itself (reasonable downtime is perfectly OK).
UPDATE:
As requested (it doesn't seem to add any info, but...):
mcon@webserver:~$ sudo certbot install --cert-name blog.mydomain.it
[sudo] password for mcon:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Deploying certificate
Successfully deployed certificate for blog.mydomain.it to /etc/nginx/sites-enabled/blog.conf
We were unable to install your certificate, however, we successfully restored your server to its prior configuration.
nginx restart failed:
2023/11/17 09:08:38 [emerg] 3162#3162: SSL_CTX_use_PrivateKey("/etc/letsencrypt/blog.mydomain.it_ecc/private.key") failed (SSL: error:05800074:x509 certificate routines::key values mismatch)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
mcon@webserver:~$
UPDATE2:
My /etc/nginx/sites-enabled/blog.conf contained the following definition:
server {
    listen 443 ssl;
    server_name blog.mydomain.it;
    root /var/www/vitepress;
    ssl_certificate     /etc/letsencrypt/blog.mydomain.it/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/blog.mydomain.it/privkey.pem;
    # second pair: the same chain again, but with a different private key
    ssl_certificate     /etc/letsencrypt/blog.mydomain.it/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/blog.mydomain.it_ecc/private.key;
    location / {
        index index.html;
        try_files $uri $uri/ /index.html;
    }
}
Commenting out the second ssl_certificate/ssl_certificate_key pair actually solves the problem.
Now my (working!) installation reads:
server {
    listen 443 ssl;
    server_name blog.mydomain.it;
    root /var/www/vitepress;
    ssl_certificate     /etc/letsencrypt/live/blog.mydomain.it/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/blog.mydomain.it/privkey.pem; # managed by Certbot
    location / {
        index index.html;
        try_files $uri $uri/ /index.html;
    }
}
server {
    if ($host = blog.mydomain.it) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name blog.mydomain.it;
    return 404; # managed by Certbot
}
I am still curious about what was actually wrong and why those two lines were there (to avoid repeating the mistake, of course), but the problem seems resolved.
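The nginx error in the post, "SSL_CTX_use_PrivateKey ... key values mismatch", means that the private key named by an ssl_certificate_key directive does not correspond to the public key inside the certificate named by the ssl_certificate directive it is paired with; nginx pairs the Nth ssl_certificate with the Nth ssl_certificate_key, so a leftover second key pointing at a different key file produces exactly this failure on restart. The script below is an added example, not code from the post or from Certbot, that checks every pair in a server block by comparing the SHA-256 of the public key in the certificate with the SHA-256 of the public key derived from the private key. It builds its own test material in a temporary directory (a self-signed EC certificate standing in for certbot's fullchain.pem/privkey.pem and an unrelated second key standing in for the stale _ecc/private.key), so all file paths and the two configs are constructed assumptions; point check_nginx_ssl_pairs at a real config to run it for real.

```shell
#!/bin/sh
# Added example: verify that each ssl_certificate / ssl_certificate_key pair in
# an nginx config belongs together. Requires only openssl and awk; runs offline
# against constructed test files (all paths below are assumptions).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 of the DER-encoded public key contained in a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key derived from a private key.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds when the private key belongs to the certificate (same public key).
cert_matches_key() {
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# nginx pairs the Nth ssl_certificate with the Nth ssl_certificate_key, so
# extract both lists in order and compare them pairwise. Prints one line per
# pair and returns the number of mismatched or unpaired certificates.
check_nginx_ssl_pairs() {
    conf=$1
    certs=$(awk '$1=="ssl_certificate"{sub(/;.*/,"",$2);print $2}' "$conf")
    keys=$(awk '$1=="ssl_certificate_key"{sub(/;.*/,"",$2);print $2}' "$conf")
    bad=0
    i=1
    for cert in $certs; do
        key=$(printf '%s\n' "$keys" | sed -n "${i}p")
        if [ -z "$key" ]; then
            echo "pair $i: $cert has no ssl_certificate_key"; bad=$((bad+1))
        elif cert_matches_key "$cert" "$key"; then
            echo "pair $i: OK       $cert <-> $key"
        else
            echo "pair $i: MISMATCH $cert <-> $key"; bad=$((bad+1))
        fi
        i=$((i+1))
    done
    return "$bad"
}

# Constructed test material (assumption, not the poster's files): one EC key
# with a matching self-signed certificate, plus an unrelated second EC key that
# plays the role of the stale "_ecc/private.key" from the earlier install.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/privkey.pem" 2>/dev/null
openssl req -x509 -new -key "$WORK/privkey.pem" -subj "/CN=blog.mydomain.it" -days 1 -out "$WORK/fullchain.pem" 2>/dev/null
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/stale-ecc.key" 2>/dev/null

BROKEN_CONF=$WORK/broken.conf
FIXED_CONF=$WORK/fixed.conf

# Mirrors the shape of the config in the post: the same chain listed twice,
# the second time paired with a key that does not belong to it.
cat > "$BROKEN_CONF" <<EOF
server {
    listen 443 ssl;
    server_name blog.mydomain.it;
    ssl_certificate     $WORK/fullchain.pem;
    ssl_certificate_key $WORK/privkey.pem;
    ssl_certificate     $WORK/fullchain.pem;
    ssl_certificate_key $WORK/stale-ecc.key;   # wrong key for this chain
}
EOF

# The corrected form: one chain, one matching key.
cat > "$FIXED_CONF" <<EOF
server {
    listen 443 ssl;
    server_name blog.mydomain.it;
    ssl_certificate     $WORK/fullchain.pem; # managed by Certbot
    ssl_certificate_key $WORK/privkey.pem; # managed by Certbot
}
EOF

echo "== config with the stale second pair =="
check_nginx_ssl_pairs "$BROKEN_CONF" || echo "mismatched pairs: $?"
echo "== config after removing it =="
check_nginx_ssl_pairs "$FIXED_CONF" && echo "all pairs consistent"
```

Run it once against the temporary material to see one OK pair and one MISMATCH pair for the broken config, then call check_nginx_ssl_pairs on a real /etc/nginx/sites-enabled/*.conf before `nginx -t` whenever a certificate is reinstalled; the fingerprint comparison works for RSA and EC keys alike, which is the case that bites when an older ECC install and a fresh certbot install end up in the same server block.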