On 11/1/23 05:20, Christoph Kukulies wrote:
'bind *:443' : No Private Key found in '/etc/letsencrypt/live/www.mydomain.org/fullchain.pem.key'.

I have the following in my /etc/letsencrypt/live/www.mydomain.org:

lrwxrwxrwx 1 root root  41 Oct 23 17:22 cert.pem -> ../../archive/www.mydomain.org/cert12.pem
lrwxrwxrwx 1 root root  42 Oct 23 17:22 chain.pem -> ../../archive/www.mydomain.org/chain12.pem
lrwxrwxrwx 1 root root  46 Oct 23 17:22 fullchain.pem -> ../../archive/www.mydomain.org/fullchain12.pem
lrwxrwxrwx 1 root root  13 Nov  1 12:12 fullchain.pem.key -> fullchain.pem
lrwxrwxrwx 1 root root  44 Oct 23 17:22 privkey.pem -> ../../archive/www.mydomain.org/privkey12.pem
lrwxrwxrwx 1 root root  11 Nov  1 12:11 privkey.pem.key -> privkey.pem
-rw-r--r-- 1 root root 692 Nov 13  2021 README

This is what I have:

root@smeagol:/etc/letsencrypt/archive/elyograg.org-0022# ls -al /etc/letsencrypt/live/elyograg.org-0022
total 12
drwxr-xr-x  2 root root 4096 Nov  1 00:00 .
drwx------ 53 root root 4096 Nov  1 00:02 ..
lrwxrwxrwx  1 root root   41 Nov  1 00:00 cert.pem -> ../../archive/elyograg.org-0022/cert1.pem
lrwxrwxrwx  1 root root   42 Nov  1 00:00 chain.pem -> ../../archive/elyograg.org-0022/chain1.pem
lrwxrwxrwx  1 root root   46 Nov  1 00:00 fullchain.pem -> ../../archive/elyograg.org-0022/fullchain1.pem
lrwxrwxrwx  1 root root   44 Nov  1 00:00 privkey.pem -> ../../archive/elyograg.org-0022/privkey1.pem
-rw-r--r--  1 root root  692 Nov  1 00:00 README
root@smeagol:/etc/letsencrypt/archive/elyograg.org-0022# ls -al
total 28
drwxr-xr-x  2 root root 4096 Nov  1 00:00 .
drwx------ 53 root root 4096 Nov  1 00:02 ..
-rw-r--r--  1 root root 2329 Nov  1 00:00 cert1.pem
-rw-r--r--  1 root root 3749 Nov  1 00:00 chain1.pem
-rw-r--r--  1 root root 6078 Nov  1 00:00 fullchain1.pem
-rw-------  1 root root  241 Nov  1 00:00 privkey1.pem

The LE fullchain file does not contain the key. It contains 3 certificates. ... the server cert, the issuing cert, and the root cert ... which is not what you want. For letsencrypt, the file that you give to haproxy must contain the server cert, the issuing cert, and the private key. You do not want to include the root certificate. It will be ignored by the browser even if it is included, but it will probably slow down TLS negotiation by a small amount. The presence of the root certificate in the TLS handshake should not actually break anything in most cases, but it could result in a lower score on the Qualys Labs SSL test.

When my renewal script finishes, I have a file containing four things: The server cert, the issuing cert, the private key, and a unique 4096 bit DHPARAM. This combination is ideal for haproxy.

The version of certbot that I am using generates 256-bit ECDSA keys by default. You might be thinking that a 256 bit ECDSA key cannot be as secure as a 2048 bit RSA key, but that is incorrect:

https://www.baeldung.com/cs/encryption-asymmetric-algorithms#3-key-length

Some of the equipment I use will not work with ECDSA keys, so I have a second cert with a subset of names that I build using 4096 bit RSA.

Thanks,
Shawn
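The bundle Shawn describes (server cert, issuing cert, private key and dhparam, root certificate dropped), as an added example that is not Shawn's renewal script; the live-directory layout follows certbot's, the dhparam and output paths are assumptions, and the sample PEM bodies are constructed stand-ins rather than real keys.

```shell
#!/bin/sh
# Added example (not Shawn's script): build the haproxy PEM bundle from a
# certbot live directory, leaving the root certificate out. Paths are assumed.
set -eu

# Keep only the first <count> certificate blocks of a PEM file. Per the
# message, certbot's fullchain.pem holds server, issuing and root certs,
# so a count of 2 drops the root.
keep_certs() {  # keep_certs <pem-file> <count>
    awk -v max="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n > 0 && n <= max { print }
    ' "$1"
}

# Number of certificate blocks in a PEM file (for checking the result).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Assemble the bundle; it carries the private key, so create it 0600.
build_haproxy_pem() {  # build_haproxy_pem <live-dir> <dhparam.pem> <out.pem>
    (
        umask 077
        {
            keep_certs "$1/fullchain.pem" 2
            cat "$1/privkey.pem"
            cat "$2"
        } > "$3"
    )
}

# Constructed stand-in for a certbot live directory (fake PEM bodies,
# not real keys) so the script can be exercised offline.
make_sample_live() {  # make_sample_live <dir>
    mkdir -p "$1"
    : > "$1/fullchain.pem"
    for body in server issuing root; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" \
            '-----END CERTIFICATE-----' >> "$1/fullchain.pem"
    done
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' key \
        '-----END PRIVATE KEY-----' > "$1/privkey.pem"
    printf '%s\n' '-----BEGIN DH PARAMETERS-----' dh \
        '-----END DH PARAMETERS-----' > "$1/dhparam.pem"
}
# Usage: build_haproxy_pem /etc/letsencrypt/live/www.mydomain.org \
#            /etc/haproxy/dhparam.pem /etc/haproxy/certs/www.mydomain.org.pem
if [ $# -eq 3 ]; then build_haproxy_pem "$@"; fi
```

Point haproxy's `bind *:443 ssl crt` at the output file; the three-argument usage line is how the script is run from a renewal hook.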

