certbot letsencrypt certificate installation failed
0 votes | 0 answers | 394 views
I have a small test server at home and I registered with letsencrypt to get a valid certificate.
Certificate expired and wasn't automatically renewed (no harm done, this is strictly for testing purposes).
I don't remember exactly how I installed the certificate and "certbot" was not installed on my server (actually a LXD container, if relevant) running "Debian GNU/Linux 12 (bookworm)".
I installed certbot with the standard:
sudo apt update && sudo apt install certbot python3-certbot-nginx
and then proceeded to use it:
sudo certbot --nginx -d blog.mydomain.it
but I got an unexpected error:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for blog.mydomain.it
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/blog.mydomain.it/fullchain.pem
Key is saved at: /etc/letsencrypt/live/blog.mydomain.it/privkey.pem
This certificate expires on 2024-02-14.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for blog.mydomain.it to /etc/nginx/sites-enabled/blog.conf
We were unable to install your certificate, however, we successfully restored your server to its prior configuration.
NEXT STEPS:
- The certificate was saved, but could not be installed (installer: nginx). After fixing the error shown below, try installing it again by running:
certbot install --cert-name blog.mydomain.it
nginx restart failed:
2023/11/16 23:31:55 [emerg] 561#561: SSL_CTX_use_PrivateKey("/etc/letsencrypt/blog.mydomain.it_ecc/private.key") failed (SSL: error:05800074:x509 certificate routines::key values mismatch)
Ask for help or search for solutions at https://community.letsencrypt.org . See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
I guess there's some mismatch between the previous certificate install and what certbot is trying to do, but I am at a loss about how to proceed.
I have no problem in wiping the old certificate, if that's useful, but I would like to understand before I make a deeper mess.
I need to reinstall certificates without disturbing the server itself (reasonable downtime is perfectly OK).
UPDATE:
As requested (it doesn't seem to add any info, but...):
mcon@webserver:~$ sudo certbot install --cert-name blog.mydomain.it
[sudo] password for mcon:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Deploying certificate
Successfully deployed certificate for blog.mydomain.it to /etc/nginx/sites-enabled/blog.conf
We were unable to install your certificate, however, we successfully restored your server to its prior configuration.
nginx restart failed:
2023/11/17 09:08:38 [emerg] 3162#3162: SSL_CTX_use_PrivateKey("/etc/letsencrypt/blog.mydomain.it_ecc/private.key") failed (SSL: error:05800074:x509 certificate routines::key values mismatch)
Ask for help or search for solutions at https://community.letsencrypt.org . See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
mcon@webserver:~$
UPDATE2:
my /etc/nginx/sites-enabled/blog.conf contained the following definition:
server {
    listen 443 ssl;
    server_name blog.mydomain.it;
    root /var/www/vitepress;
    ssl_certificate /etc/letsencrypt/blog.mydomain.it/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/blog.mydomain.it/privkey.pem;
    ssl_certificate /etc/letsencrypt/blog.mydomain.it/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/blog.mydomain.it_ecc/private.key;
    location / {
        index index.html;
        try_files $uri $uri/ /index.html;
    }
}
Commenting out the second ssl_certificate/ssl_certificate_key pair actually solves the problem.
Now my (working!) installation reads:
server {
    listen 443 ssl;
    server_name blog.mydomain.it;
    root /var/www/vitepress;
    ssl_certificate /etc/letsencrypt/live/blog.mydomain.it/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/blog.mydomain.it/privkey.pem; # managed by Certbot
    location / {
        index index.html;
        try_files $uri $uri/ /index.html;
    }
}
server {
    if ($host = blog.mydomain.it) {
        return 301 https://$host$request_uri ;
    } # managed by Certbot
    listen 80;
    server_name blog.mydomain.it;
    return 404; # managed by Certbot
}
I am still curious about what was actually wrong and why those two lines were there (to avoid repeating the mistake, of course), but the problem seems resolved.
Asked by ZioByte
(910 rep)
Nov 16, 2023, 11:05 PM
Last activity: Nov 17, 2023, 11:55 AM
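A check that would have surfaced the mismatch before nginx was restarted, as an added example (not from the question, certbot or nginx): it pairs ssl_certificate/ssl_certificate_key directives by order of appearance, the way nginx does, and compares the public key inside each certificate with the one derived from its private key. It assumes openssl is installed and takes the config path as its argument.

```shell
#!/bin/sh
# Added example (not from the original post): verify that each
# ssl_certificate / ssl_certificate_key pair in an nginx config really
# belongs together.  nginx refuses to start with "key values mismatch"
# when a pair does not, as in the question above.  Assumes openssl is
# installed; file paths are whatever the config names.

# Compare the public key embedded in the certificate with the public key
# derived from the private key.  Works for RSA and ECDSA alike, so an ECC
# key paired with an RSA certificate fails here exactly as it does in
# SSL_CTX_use_PrivateKey.  Returns 0 on match, 1 otherwise (or unreadable).
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Walk the config, pairing each ssl_certificate_key with the most recent
# ssl_certificate (nginx pairs them by order of appearance).  Commented-out
# directives are skipped.  Prints one line per pair and returns 1 if any
# pair mismatches or a referenced file cannot be read.
check_nginx_ssl_pairs() {
    conf="$1"; status=0; cert=""
    lines=$(grep -E '^[[:space:]]*ssl_certificate(_key)?[[:space:]]' "$conf" || true)
    while read -r directive path _; do
        path=${path%;}          # drop the trailing ';' (trailing comments land in $_)
        case "$directive" in
            ssl_certificate) cert="$path" ;;
            ssl_certificate_key)
                if [ -n "$cert" ] && cert_key_match "$cert" "$path"; then
                    echo "OK       $cert <-> $path"
                else
                    echo "MISMATCH $cert <-> $path"
                    status=1
                fi ;;
        esac
    done <<EOF
$lines
EOF
    return "$status"
}

# Usage: check_nginx_ssl_pairs /etc/nginx/sites-enabled/blog.conf
```

On the first config in the question this reports the second pair as MISMATCH, which is the same condition nginx reported at restart.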