Validating configuration for domain.tld …
… no problems found
Requesting a certificate for domain.tld from Let's Encrypt ..
.. request failed : Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for domain.tld
Unable to change the --key-type of this certificate because --reuse-key is set. To stop reusing the private key, specify --no-reuse-key. To change the private key this one time and then reuse it in future, add --new-key.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
DNS-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for domain.tld
Unable to change the --key-type of this certificate because --reuse-key is set. To stop reusing the private key, specify --no-reuse-key. To change the private key this one time and then reuse it in future, add --new-key.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
I have no idea how to change that since it’s all automated in Virtualmin.
This is a first! A new reason for Let’s Encrypt to fail. I’ve been saying, “It’s always the same three things” for years…suddenly, an exciting new thing.
I’m guessing you’ve upgraded to a new version of certbot?
Let’s Encrypt now tries to use ECDSA instead of RSA, by default. This error means your private key is RSA, and now it’s trying to get ECDSA, but that’s not the type of key you have.
I don’t know what we need to do here, exactly, but I guess we need to specify --reuse-key-type, but I worry that option may not be available on older versions of certbot, which many people will have because most distros have quite old certbot versions in their repos, and we use the OS package for certbot in most cases.
@Ilia and @Jamie have been fighting with another Let’s Encrypt issue this week, so they may already have an awareness of this or have a better understanding of what we need to do to fix it. We have discussed forcing key type to rsa in the past, but I don’t think that’s the right solution (I want to keep moving forward with whatever the upstream devs think is the best default to use, but we have to prevent breakage like this).
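An added example, not Virtualmin's or certbot's own code, showing the check a renewal wrapper could make before calling certbot: read the key type of the certificate's existing private key and print flags that either pin that type (so --reuse-key and --key-type no longer conflict) or rotate to ECDSA once with --new-key. It assumes the live key sits at /etc/letsencrypt/live/<domain>/privkey.pem and that `certbot --help all` lists the flags this certbot build supports; the help text is read from stdin so the logic runs without certbot installed.

```shell
#!/bin/sh
# classify_pkey_text: read `openssl pkey -noout -text` output on stdin and print
# rsa, ecdsa or unknown. OpenSSL 1.1 labels RSA keys "RSA Private-Key:", OpenSSL 3
# prints "Private-Key:" followed by "modulus:"; EC keys print "ASN1 OID:".
classify_pkey_text() {
  text=$(cat)
  case "$text" in
    *"ASN1 OID:"*|*"NIST CURVE:"*) echo ecdsa ;;
    *"RSA Private-Key"*|*"modulus:"*) echo rsa ;;
    *) echo unknown ;;
  esac
}

# key_algo: classify a PEM private key on disk (assumed path, see lead-in).
key_algo() {
  openssl pkey -in "$1" -noout -text 2>/dev/null | classify_pkey_text
}

# renew_flags ALGO [keep|migrate]: certbot help text on stdin; prints the flags
# that keep renewal consistent with the existing key, or fails for unknown ALGO.
renew_flags() {
  algo=$1; mode=${2:-keep}; help=$(cat)
  case "$algo" in rsa|ecdsa) ;; *) return 1 ;; esac
  # A certbot without --key-type only ever issues RSA keys; nothing to pin.
  case "$help" in *"--key-type"*) ;; *) printf '%s\n' "--reuse-key"; return 0 ;; esac
  if [ "$mode" = migrate ] && [ "$algo" = rsa ]; then
    case "$help" in
      # Rotate to ECDSA this one time, then go back to reusing the key.
      *"--new-key"*) printf '%s\n' "--reuse-key --new-key --key-type ecdsa" ;;
      # Builds without --new-key: stop reusing the key so the type can change.
      *) printf '%s\n' "--no-reuse-key --key-type ecdsa" ;;
    esac
  else
    # Explicitly request the type the key already has: no change, no error.
    printf '%s\n' "--reuse-key --key-type $algo"
  fi
}

# Usage: sh keytype.sh /etc/letsencrypt/live/domain.tld/privkey.pem [keep|migrate]
if [ "$#" -ge 1 ]; then
  algo=$(key_algo "$1")
  certbot --help all 2>/dev/null | renew_flags "$algo" "${2:-keep}"
fi
```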
I think I have already fixed that, and Webmin will either add --no-reuse-key or --reuse-key, upon request, as a parameter to the certbot command. It has to work, actually; I remember working on it, making dozens of tests, and fixing in particular the issue that Steffan reported.
@Ilia made some change this last week and I installed the nightly but no change until I changed to that new method and it worked fine.
The thing that worries me is: will I have to do this on all my Virtualmin instances now? I only have one or two VMs using Oracle Linux 9. All others are 6, 7 and 8. I assume those are ok?