SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

I cannot configure SSL. I have Googled and found several solutions, but none of them worked for me. I need help, please...

Here is the error I get when I try to restart nginx:

 root@s17925268:~# service nginx restart
 Restarting nginx: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/conf.d/ssl/ssl.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
 nginx: configuration file /etc/nginx/nginx.conf test failed

My certificate is from StartSSL and is valid for 1 year.

Here is what I tested:

  • The certificate and private key do not have trailing spaces.
  • I do not use the server.key file by default.
  • I checked nginx.conf and the directives point to the correct private key and certificate.

I also checked the modulus, and I got a different modulus for the key and for the certificate.

Thank you for your help. :)

+77
certificate ssl nginx openssl key
04 Oct '14 at 9:30 a.m.
12 answers

I got an MD5 hash with different results for both key and certificate.

That says it all. You have a mismatch between your key and certificate.

The modulus must match. Make sure you have the correct key.

+30
Oct 07 '14 at 0:17

Once you have determined that they do not match, you still have a problem - what to do about it. Often a certificate has simply been assembled incorrectly. When the CA signs your certificate, they send you a block that looks something like this:

 -----BEGIN CERTIFICATE-----
 MIIAA-and-a-buncha-nonsense-that-is-your-certificate
 -and-a-buncha-nonsense-that-is-your-certificate-and-
 a-buncha-nonsense-that-is-your-certificate-and-a-bun
 cha-nonsense-that-is-your-certificate-and-a-buncha-n
 onsense-that-is-your-certificate-AA+
 -----END CERTIFICATE-----

They will also send you a bundle (often two certificates) that represents their authority to provide you with a certificate. It will look something like:

 -----BEGIN CERTIFICATE-----
 MIICC-this-is-the-certificate-that-signed-your-request
 -this-is-the-certificate-that-signed-your-request-this
 -is-the-certificate-that-signed-your-request-this-is-t
 he-certificate-that-signed-your-request-this-is-the-ce
 rtificate-that-signed-your-request-A
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIICC-this-is-the-certificate-that-signed-for-that-one
 -this-is-the-certificate-that-signed-for-that-one-this
 -is-the-certificate-that-signed-for-that-one-this-is-t
 he-certificate-that-signed-for-that-one-this-is-the-ce
 rtificate-that-signed-for-that-one-this-is-the-certifi
 cate-that-signed-for-that-one-AA
 -----END CERTIFICATE-----

Except that, unfortunately, they will not be so clearly marked.

Thus, the general practice is to combine all of this into one file - your certificate, and then the signing certificates. But since they are not easy to distinguish, it sometimes happens that someone accidentally puts them in a different order - the signing certificates first, and then the final certificate - without noticing. In this case, your certificate will not match your key.

You can check what the server thinks it is presenting by running:

 openssl x509 -noout -text -in yourcert.cert 

Near the top you should see "Subject:" followed by details that look like yours. If instead it looks like your CA, your bundle is probably out of order; you can try making a backup and then moving the last certificate to the beginning, hoping that it is the one that is your certificate.

If this does not work, you will just need to have the certificate reissued. When I create a CSR, I like to clearly indicate which server it is for (not just ssl.key or server.key), and to keep a copy with the date in the name, for example mydomain.20150306.key, so that the private and public key pairs are unlikely to be mixed up with another set.

+146
Mar 06 '15 at 7:43

  1. Make sure your certificate and key are in PEM format. If not, convert them using the openssl command.
  2. Check the MD5 hash of the public key to make sure that it matches the one in the private key.

     openssl x509 -noout -modulus -in certificate.crt | openssl md5
     openssl rsa -noout -modulus -in privateKey.key | openssl md5
+59
04 Oct '14 at 19:06

I had this problem because I added the bundle and the certificate in the wrong order, so maybe this could help someone else.

Before (what's wrong):

 cat ca_bundle.crt certificate.crt > bundle_chained.crt 

After (which is correct):

 cat certificate.crt ca_bundle.crt > bundle_chained.crt 

And please remember to update the corresponding conf file (ssl_certificate should now point to the chained crt) as follows:

 server {
     listen 443 ssl;
     server_name www.example.com;
     ssl_certificate bundle_chained.crt;
     ssl_certificate_key www.example.com.key;
     ...
 }

From the nginx man page:

If the server certificate and the bundle were concatenated in the wrong order, nginx will fail to start and will display the error message:

 SSL_CTX_use_PrivateKey_file(" ... /www.example.com.key") failed (SSL: error:0B080074:x509 certificate routines: X509_check_private_key:key values mismatch) 
+21
Sep 10 '18 at 15:41
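
As an added example (not code from this thread), the following POSIX shell script automates the two checks the answers above describe: it compares the public key inside the first certificate of the chained file with the public key derived from the private key, and it verifies that each certificate in the file is followed by the certificate that issued it. It assumes openssl is on PATH; the file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity-check an nginx ssl_certificate
# file against its ssl_certificate_key before restarting nginx.
# Assumes openssl is on PATH; the file names passed in are placeholders.

# Returns 0 when the public key inside the FIRST certificate of $1 equals the
# public key derived from private key $2, 1 otherwise. Comparing the whole PEM
# public key (rather than an MD5 of the RSA modulus) also covers EC keys.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when every certificate in chained file $1 is followed by the
# certificate that issued it (leaf first, then intermediates, then root),
# 1 otherwise. A file built as "cat ca_bundle.crt certificate.crt" fails this.
chain_in_order() {
    dir=$(mktemp -d) || return 1
    # split the PEM file into 1.pem, 2.pem, ... with one certificate per file
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ {n++} n {print > (d "/" n ".pem")}' "$1"
    [ -f "$dir/1.pem" ] || { rm -rf "$dir"; return 1; }
    i=1; ok=0
    while [ -f "$dir/$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$dir/$i.pem" -noout -issuer 2>/dev/null)
        subject=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject 2>/dev/null)
        # strip the "issuer=" / "subject=" prefixes; spacing after them varies by version
        [ "${issuer#*=}" = "${subject#*=}" ] || ok=1
        i=$((i + 1))
    done
    rm -rf "$dir"
    return $ok
}

# Usage: check_nginx_pair bundle_chained.crt www.example.com.key
check_nginx_pair() {
    key_matches_cert "$1" "$2" || {
        echo "key values mismatch: $2 does not belong to the first certificate in $1" >&2
        return 1
    }
    chain_in_order "$1" || {
        echo "wrong chain order in $1: server certificate first, then the CA bundle" >&2
        return 1
    }
    echo "$1 and $2 match; nginx should accept them"
}
```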

If this happens and you are using Let's Encrypt / certbot, the reason is most likely that you used chain.pem instead of fullchain.pem.

It should be something like this:

 ssl_certificate /etc/certbot/live/example.com/fullchain.pem;
 ssl_certificate_key /etc/certbot/live/example.com/privkey.pem;

See the certbot docs, "Where are my certificates?".

+8
Dec 15 '16 at 0:35

I had the same problem and finally solved it by changing the order of the pem blocks in the certificate file.

The certificate block should be placed at the beginning of the file, then the intermediate blocks, then the root block.

I noticed this by comparing the problematic certificate file with a working certificate file.

+3
Jan 23 '18 at 11:57

In my case, I wanted to change the SSL certificate because I had changed my server, so I had to create a new CSR using this command:

$ openssl req -new -newkey rsa:2048 -nodes -keyout mysite.key -out mysite.csr

I sent the mysite.csr file to the company's SSL provider, and after receiving the crt certificate I restarted nginx and got this error:

(SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

After much research, the error turned out to be that the modulus of the key file was not the same as that of the crt file.

So I created a new CSR file, this time with a different file name, using this command:

$ openssl req -new -newkey rsa:2048 -nodes -keyout mysite_new.key -out mysite_new.csr

Then I received a new crt file from the company's provider, restarted nginx, and it worked.

+1
Feb 08 '17 at 11:32

My 5 cents on the question:

I had the same problem. After about an hour, I found that I had pasted the certificate incorrectly.

If you have such an error, check your certificate.

+1
Oct 19 '17 at 10:26

This can also happen when your CA issues an intermediate certificate.

I ran into this problem (twice) using nginx and none of the solutions in this post explained the problem. A blog post here from a good gentleman named Marco nailed it, and I put it in here for anyone who also comes across what I saw. https://medium.com/@mrkdsgn/steps-to-install-a-go-daddy-ssl-certificate-on-nginx-on-ubuntu-14-04-ff942b9fd7ff

In my case, GoDaddy was the CA, and it depends on how they issue the certificate and intermediate certificate bundles.

Here is an excerpt from Marco's blog post:

With Nginx, if your CA included an intermediate certificate, you must create a single chained certificate file that contains your certificate and the intermediate CA certificates.

You can use this command to create a combined file called example.com.chained.crt:

cat example.com.crt intermediate.crt > example.com.chained.crt

0
Mar 15 '18 at 23:52

For Nginx:

1- openssl req -newkey rsa:2048 -nodes -keyout domain.com.key -out domain.com.csr

2- Copy the contents of the SSL files domain_com.crt and domain_com.ca-bundle and paste them into a new file, domain.com.chained.crt

3- Add to the nginx config:
   a. ssl_certificate /home/user/domain_ssl/domain.com.chained.crt;
   b. ssl_certificate_key /home/user/domain_ssl/domain.com.key;

Lastly, restart Nginx.

0
Sep 09 '18 at 22:19

In my case, the problem was that I was creating certificates without entering any data at the CLI prompts. When I regenerated the certificates and filled in all the fields (city, state, etc.), everything worked.

  sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt 
0
Nov 14 '18 at 9:35

This happened to me when I combined bundle.crt and the main certificate. The reason was that I had pasted the main certificate below bundle.crt. It should be the other way around:

  1. main certificate
  2. bundle.crt

0
Mar 19 '19 at 15:29
