Renewing LetsEncrypt SSL certificates. Cannot decrypt the private key file

Server Version

I've been using LetsEncrypt to provide SSL certificates. Today as I ran the renewal process I got the error "Cannot decrypt the private key file XXXXX with the password. Please make sure the key file and password are correct.
Error: 20408 (File read error)"

This is odd as the certbot command ran successfully, generating a fullchain.pem and privkey.pem files. The privkey.pem should not be encrypted, and I haven't needed to decrypt them before.

Has anyone else bumped into problems like this?


Normally the process is run via launchd, and it has root privileges.

Running the command from the command line manually, it needs elevated privileges. In other words:

sudo fmsadmin certificate import "fullchain" --keyfile "privkey" -y