Certbot error on renewal "Unsupported RSA key length: 1024"

I am trying to renew my Let's Encrypt certificate for the first time because I got an email telling me to, but when running certbot I get this error message:

“Unsupported RSA key length: 1024”

This is where it fails:

Deploying certificate
Could not install certificate

NEXT STEPS:

  • The certificate was saved, but could not be installed (installer: nginx). After fixing the error shown below, try installing it again by running:
    certbot install --cert-name mydomain.duckdns.org

Unsupported RSA key length: 1024
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[FAILED] DietPi-LetsEncrypt | Certbot failed, please check its above terminal output. Aborting…

Running with -v does not give any more information.

Unfortunately, my knowledge here is limited to having successfully installed it the first time around, but 1024 is not even an option in dietpi-letsencrypt? It is set to 2048.

Can anyone help?
Thanks!

Can you share the log file /var/log/letsencrypt/letsencrypt.log?

Yes, thanks!

2024-05-09 09:29:13,759:DEBUG:certbot._internal.storage:Writing new private key to /etc/letsencrypt/archive/xyz.duckdns.org/privkey6.pem.
2024-05-09 09:29:13,760:DEBUG:certbot._internal.storage:Writing certificate to /etc/letsencrypt/archive/xyz.duckdns.org/cert6.pem.
2024-05-09 09:29:13,760:DEBUG:certbot._internal.storage:Writing chain to /etc/letsencrypt/archive/xyz.duckdns.org/chain6.pem.
2024-05-09 09:29:13,761:DEBUG:certbot._internal.storage:Writing full chain to /etc/letsencrypt/archive/xyz.duckdns.org/fullchain6.pem.
2024-05-09 09:29:13,777:DEBUG:certbot.configuration:Var account=xyz (set by user).
2024-05-09 09:29:13,778:DEBUG:certbot.configuration:Var rsa_key_size=2048 (set by user).
2024-05-09 09:29:13,779:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2024-05-09 09:29:13,779:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2024-05-09 09:29:13,781:DEBUG:certbot._internal.storage:Writing new config /etc/letsencrypt/renewal/xyz.duckdns.org.conf.new.
2024-05-09 09:29:13,790:DEBUG:certbot._internal.display.obj:Notifying user: 
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/xyz.duckdns.org/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/xyz.duckdns.org/privkey.pem
This certificate expires on 2024-08-07.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

2024-05-09 09:29:13,791:DEBUG:certbot._internal.display.obj:Notifying user: Deploying certificate
2024-05-09 09:29:13,827:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/client.py", line 657, in deploy_certificate
    self.installer.deploy_cert(
  File "/usr/lib/python3/dist-packages/certbot_nginx/_internal/configurator.py", line 240, in deploy_cert
    vhosts = self.choose_vhosts(domain, create_if_no_match=True)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot_nginx/_internal/configurator.py", line 364, in choose_vhosts
    self._make_server_ssl(vhost)
  File "/usr/lib/python3/dist-packages/certbot_nginx/_internal/configurator.py", line 747, in _make_server_ssl
    snakeoil_cert, snakeoil_key = self._get_snakeoil_paths()
                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot_nginx/_internal/configurator.py", line 693, in _get_snakeoil_paths
    le_key = crypto_util.generate_key(
             ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/crypto_util.py", line 81, in generate_key
    key_pem = make_key(
              ^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/crypto_util.py", line 225, in make_key
    raise errors.Error("Unsupported RSA key length: {}".format(bits))
certbot.errors.Error: Unsupported RSA key length: 1024

2024-05-09 09:29:13,828:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-05-09 09:29:14,424:DEBUG:certbot._internal.display.obj:Notifying user: Could not install certificate
2024-05-09 09:29:14,425:DEBUG:certbot._internal.display.obj:Notifying user: NEXT STEPS:
2024-05-09 09:29:14,426:DEBUG:certbot._internal.display.obj:Notifying user: - The certificate was saved, but could not be installed (installer: nginx). After fixing the error shown below, try installing it again by running:
  certbot install --cert-name xyz.duckdns.org
2024-05-09 09:29:14,427:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/main.py", line 1894, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/main.py", line 1480, in run
    raise installer_err
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/main.py", line 1464, in run
    _install_cert(config, le_client, domains, new_lineage)
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/main.py", line 1058, in _install_cert
    le_client.deploy_certificate(domains, path_provider.key_path, path_provider.cert_path,
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/client.py", line 657, in deploy_certificate
    self.installer.deploy_cert(
  File "/usr/lib/python3/dist-packages/certbot_nginx/_internal/configurator.py", line 240, in deploy_cert
    vhosts = self.choose_vhosts(domain, create_if_no_match=True)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot_nginx/_internal/configurator.py", line 364, in choose_vhosts
    self._make_server_ssl(vhost)
  File "/usr/lib/python3/dist-packages/certbot_nginx/_internal/configurator.py", line 747, in _make_server_ssl
    snakeoil_cert, snakeoil_key = self._get_snakeoil_paths()
                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot_nginx/_internal/configurator.py", line 693, in _get_snakeoil_paths
    le_key = crypto_util.generate_key(
             ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/crypto_util.py", line 81, in generate_key
    key_pem = make_key(
              ^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/crypto_util.py", line 225, in make_key
    raise errors.Error("Unsupported RSA key length: {}".format(bits))
certbot.errors.Error: Unsupported RSA key length: 1024
2024-05-09 09:29:14,434:ERROR:certbot._internal.log:Unsupported RSA key length: 1024

This seems similar to this old topic from the Let's Encrypt forum. Unfortunately, no real solution.

I somehow remember that there was some issue with the Nginx module and the Python version. Can you please check:

dpkg -l | grep python3

And are there any APT updates available?

apt update
apt upgrade

Hey, thanks for your time!
I updated/upgraded everything and tried again, no go 🙁

Here is the result of
dpkg -l | grep python3

ii  libpython3-dev:arm64                                        3.11.2-1+b1                         arm64        header files and a static library for Python (default)
ii  libpython3-stdlib:arm64                                     3.11.2-1+b1                         arm64        interactive high-level object-oriented language (default python3 version)
ii  libpython3.11:arm64                                         3.11.2-6                            arm64        Shared Python runtime library (version 3.11)
ii  libpython3.11-dev:arm64                                     3.11.2-6                            arm64        Header files and a static library for Python (v3.11)
ii  libpython3.11-minimal:arm64                                 3.11.2-6                            arm64        Minimal subset of the Python language (version 3.11)
ii  libpython3.11-stdlib:arm64                                  3.11.2-6                            arm64        Interactive high-level object-oriented language (standard library, version 3.11)
ii  python3                                                     3.11.2-1+b1                         arm64        interactive high-level object-oriented language (default python3 version)
ii  python3-acme                                                2.1.0-1                             all          ACME protocol library for Python 3
ii  python3-certbot                                             2.1.0-4                             all          main library for certbot
ii  python3-certbot-nginx                                       2.1.0-2                             all          Nginx plugin for Certbot
ii  python3-certifi                                             2022.9.24-1                         all          root certificates for validating SSL certs and verifying TLS hosts (python3)
ii  python3-cffi-backend:arm64                                  1.15.1-5+b1                         arm64        Foreign Function Interface for Python 3 calling C code - runtime
ii  python3-chardet                                             5.1.0+dfsg-2                        all          Universal Character Encoding Detector (Python3)
ii  python3-charset-normalizer                                  3.0.1-2                             all          charset, encoding and language detection (Python 3)
ii  python3-configargparse                                      1.5.3-1                             all          replacement for argparse with config files and environment variables (Python 3)
ii  python3-configobj                                           5.0.8-1                             all          simple but powerful config file reader and writer for Python 3
ii  python3-cryptography                                        38.0.4-3                            arm64        Python library exposing cryptographic recipes and primitives (Python 3)
ii  python3-dev                                                 3.11.2-1+b1                         arm64        header files and a static library for Python (default)
ii  python3-distro                                              1.8.0-1                             all          Linux OS platform information API
ii  python3-distutils                                           3.11.2-3                            all          distutils package for Python 3.x
ii  python3-dnspython                                           2.3.0-1                             all          DNS toolkit for Python 3
ii  python3-idna                                                3.3-1                               all          Python IDNA2008 (RFC 5891) handling (Python 3)
ii  python3-josepy                                              1.13.0-1                            all          JOSE implementation for Python 3.x
ii  python3-ldb                                                 2:2.6.2+samba4.17.12+dfsg-0+deb12u1 arm64        Python 3 bindings for LDB
ii  python3-lib2to3                                             3.11.2-3                            all          Interactive high-level object-oriented language (lib2to3)
ii  python3-minimal                                             3.11.2-1+b1                         arm64        minimal subset of the Python language (default python3 version)
ii  python3-openssl                                             23.0.0-1                            all          Python 3 wrapper around the OpenSSL library
ii  python3-parsedatetime                                       2.6-3                               all          Python 3 module to parse human-readable date/time expressions
ii  python3-pkg-resources                                       66.1.1-1                            all          Package Discovery and Resource Access using pkg_resources
ii  python3-pycryptodome                                        3.11.0+dfsg1-4                      arm64        cryptographic Python library (Python 3)
ii  python3-pyparsing                                           3.0.9-1                             all          alternative to creating and executing simple grammars - Python 3.x
ii  python3-requests                                            2.28.1+dfsg-1                       all          elegant and simple HTTP library for Python3, built for human beings
ii  python3-rfc3339                                             1.1-4                               all          parser and generator of RFC 3339-compliant timestamps (Python 3)
ii  python3-samba                                               2:4.17.12+dfsg-0+deb12u1            arm64        Python 3 bindings for Samba
ii  python3-six                                                 1.16.0-4                            all          Python 2 and 3 compatibility library
ii  python3-talloc:arm64                                        2.4.0-f2                            arm64        hierarchical pool based memory allocator - Python3 bindings
ii  python3-tdb                                                 1.4.8-2                             arm64        Python3 bindings for TDB
ii  python3-tz                                                  2022.7.1-4                          all          Python3 version of the Olson timezone database
ii  python3-urllib3                                             1.26.12-1                           all          HTTP library with thread-safe connection pooling for Python3
ii  python3.11                                                  3.11.2-6                            arm64        Interactive high-level object-oriented language (version 3.11)
ii  python3.11-dev                                              3.11.2-6                            arm64        Header files and a static library for Python (v3.11)
ii  python3.11-minimal                                          3.11.2-6                            arm64        Minimal subset of the Python language (version 3.11)

Sorry for the late reply. See a very recent similar report here, which also indicates a mismatch between the Certbot and Nginx plugin versions in use: Unsupported RSA key length: 1024 - Help - Let's Encrypt Community Support

And now I also see it in our logs:

/usr/local/lib/python3.11/dist-packages/certbot/crypto_util.py

This is a version installed via pip or manually compiled. Both need to be installed the same way. Finally, a first case where break-system-packages=true did actually "break" (override) a system package 🙂. Since Debian Bookworm, it is not possible anymore to install any module via pip outside of a venv/virtualenv unless the above flag is applied. Since many of our software options require exactly that, and since potential issues are rare and can be easily fixed, we apply this flag OOTB. As long as there is no reason to use the newer version from PyPI, I'd suggest keeping to the APT-provided versions only:

pip3 uninstall $(pip3 freeze --path /usr/local/lib/python3*/dist-packages/ | mawk -F== '/certbot/{print $1}')

This should uninstall all Certbot-related modules installed via pip or other non-APT ways. Then reinstall the APT packages, as a failsafe step:

apt install --reinstall certbot python3-certbot-nginx
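The traceback above already shows the mix: certbot core is loaded from /usr/local/lib/python3.11/dist-packages (pip) while certbot_nginx comes from /usr/lib/python3/dist-packages (APT). The following script is an added example, not part of this thread or of the Certbot project. It classifies a module path by where Debian's APT packages and pip with break-system-packages respectively install to, checks whether the core and the nginx plugin share one source, and prints the cleanup from the post above as a dry run. The function names, the path patterns and the sample `pip3 freeze` output are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the DietPi thread or the Certbot project: detect a
# Certbot install that mixes pip and APT modules, which is what the traceback
# in this thread shows (certbot from /usr/local/lib/python3.11/dist-packages,
# certbot_nginx from /usr/lib/python3/dist-packages).

# Classify where a Python module file was installed from. On Debian, APT
# packages land in /usr/lib/python3/dist-packages; pip with
# break-system-packages lands in /usr/local/lib/python3.X/dist-packages.
# Anything else (a venv, /opt, ...) is reported as "unknown".
classify_origin() {
    case "$1" in
        /usr/lib/python3/dist-packages/*)        echo apt ;;
        /usr/local/lib/python3*/dist-packages/*) echo pip ;;
        *)                                       echo unknown ;;
    esac
}

# Succeed only when both module paths come from the same, known source.
same_origin() {
    a=$(classify_origin "$1")
    b=$(classify_origin "$2")
    if [ "$a" = "$b" ] && [ "$a" != unknown ]; then return 0; else return 1; fi
}

# From `pip3 freeze` output on stdin, print the distributions that a
# `pip install certbot` pulls in: certbot, its plugins and the acme library.
# A plain /certbot/ match would miss acme, which pip installs alongside it.
pip_certbot_dists() {
    awk -F'==' '$1 ~ /^(certbot|certbot-.*|acme)$/ { print $1 }'
}

# Ask the interpreter where it resolves a module. Prints nothing when the
# module is not importable or python3 is missing, so callers can skip the check.
module_origin() {
    python3 -c 'import importlib.util, sys
spec = importlib.util.find_spec(sys.argv[1])
print(spec.origin if spec and spec.origin else "")' "$1" 2>/dev/null || true
}

# Live check on this host. Returns 1 on a mixed install and prints the
# cleanup recommended in the thread as a dry run; nothing is uninstalled here.
check_live() {
    cb=$(module_origin certbot)
    nx=$(module_origin certbot_nginx)
    if [ -z "$cb" ] || [ -z "$nx" ]; then
        echo "certbot or certbot_nginx not importable; nothing to check"
        return 0
    fi
    echo "certbot       -> $cb ($(classify_origin "$cb"))"
    echo "certbot_nginx -> $nx ($(classify_origin "$nx"))"
    if same_origin "$cb" "$nx"; then
        echo "OK: core and nginx plugin come from the same package source"
        return 0
    fi
    echo "MISMATCH: core and plugin come from different sources. Suggested cleanup:"
    pip3 freeze --path /usr/local/lib/python3*/dist-packages/ 2>/dev/null \
        | pip_certbot_dists | sed 's/^/  pip3 uninstall /'
    echo "  apt install --reinstall certbot python3-certbot-nginx"
    return 1
}

check_live
```

Run it as root on the affected box; a non-zero exit means the two halves of Certbot are loaded from different places. Note that the freeze filter here also lists acme, which `pip install certbot` brings in and which a `/certbot/` pattern alone does not match; leaving a pip-installed acme behind while reinstalling the APT certbot is the same kind of mismatch one level down.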
