I'm not able to setup SSL. I've Googled and I found a few solutions but none of them worked for me. I need some help please...
Here's the error I get when I attempt to restart nginx:
root@s17925268:~# service nginx restart
Restarting nginx: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/conf.d/ssl/ssl.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed
My certificate is from StartSSL and is valid for 1 year.
Here's what I tested:
I also checked the modulus, and I get a different modulus for both key and certificate.
Thank you for your help. :)
This question is related to
ssl
nginx
openssl
certificate
key
I ran into this issue (twice) with nginx and none of the solutions in this post explained the issue. The blog post here by a nice gentleman named Marco nailed it, and I am pasting it here for anyone who also runs into what I was seeing. https://medium.com/@mrkdsgn/steps-to-install-a-go-daddy-ssl-certificate-on-nginx-on-ubuntu-14-04-ff942b9fd7ff
In my case, go-daddy was the CA and this is specific to how they issue the cert and the intermediate cert bundles.
With Nginx, if your CA included an intermediate certificate, you must create a single chained certificate file that contains your certificate and the CA’s intermediate certificates.
You can use this command to create a combined file called example.com.chained.crt:
cat example.com.crt intermediate.crt > example.com.chained.crt
SL_CTX_use_PrivateKey("/etc/nginx/ssl/file") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
This error can happen, when the certificate private key (ssl_certificate_key
, e.g. .key
or .pem
file) does not match the public certificate file (ssl_certificate
) in your Nginx configuration (check nginx.conf
or in sites-enabled/
). Make sure both files are matching.
Check Nginx error logs for further details (e.g. /var/log/nginx/error.log
).
Check an MD5 hash of the public key to ensure that it matches with what is in a private key
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
For Nginx:
openssl req -newkey rsa:2048 -nodes -keyout domain.com.key -out domain.com.csr
SSL file domain_com.crt
and domain_com.ca-bundle
files, then copy new file in paste domain.com.chained.crt
.
3: Add nginx files:
ssl_certificate /home/user/domain_ssl/domain.com.chained.crt;
ssl_certificate_key /home/user/domain_ssl/domain.com.key;
Lates restart Nginx.
Im my case the problem was that I cretead sertificates without entering any data in cli interface. When I regenerated cretificates and enetered all fields: City, State, etc all became fine.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
If this happens and you are using Let's Encrypt / certbot, the reason is most likely that you used chain.pem
instead of fullchain.pem
.
It should be something like this:
ssl_certificate /etc/certbot/live/example.com/fullchain.pem;
ssl_certificate_key /etc/certbot/live/example.com/privkey.pem;
I had the same problem and finally resolved it by changing the order of pem blocks in certificate file.
The cert block should be put in the beginning of the file, then intermediate blocks, then root block.
I realized this problem by comparing a problematic certificate file with a working certificate file.
In my case I have to concatenate the certs of my domain.
cat myDomain.crt EntityCertCA.crt TrustedRoot.crt > bundle.crt
And in the config file /etc/nginx/nginx.conf
ssl_certificate "/etc/pki/nginx/bundle.crt";
Restart the service and all ok.
systemctl restart nginx.service
Once you have established that they don't match, you still have a problem -- what to do about it. Often, the certificate may merely be assembled incorrectly. When a CA signs your certificate, they send you a block that looks something like
-----BEGIN CERTIFICATE-----
MIIAA-and-a-buncha-nonsense-that-is-your-certificate
-and-a-buncha-nonsense-that-is-your-certificate-and-
a-buncha-nonsense-that-is-your-certificate-and-a-bun
cha-nonsense-that-is-your-certificate-and-a-buncha-n
onsense-that-is-your-certificate-AA+
-----END CERTIFICATE-----
they'll also send you a bundle (often two certificates) that represent their authority to grant you a certificate. this will look something like
-----BEGIN CERTIFICATE-----
MIICC-this-is-the-certificate-that-signed-your-request
-this-is-the-certificate-that-signed-your-request-this
-is-the-certificate-that-signed-your-request-this-is-t
he-certificate-that-signed-your-request-this-is-the-ce
rtificate-that-signed-your-request-A
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICC-this-is-the-certificate-that-signed-for-that-one
-this-is-the-certificate-that-signed-for-that-one-this
-is-the-certificate-that-signed-for-that-one-this-is-t
he-certificate-that-signed-for-that-one-this-is-the-ce
rtificate-that-signed-for-that-one-this-is-the-certifi
cate-that-signed-for-that-one-AA
-----END CERTIFICATE-----
except that unfortunately, they won't be so clearly labeled.
a common practice, then, is to bundle these all up into one file -- your certificate, then the signing certificates. But since they aren't easily distinguished, it sometimes happens that someone accidentally puts them in the other order -- signing certs, then the final cert -- without noticing. In that case, your cert will not match your key.
You can test to see what the cert thinks it represents by running
openssl x509 -noout -text -in yourcert.cert
Near the top, you should see "Subject:" and then stuff that looks like your data. If instead it lookslike your CA, your bundle is probably in the wrong order; you might try making a backup, and then moving the last cert to the beginning, hoping that is the one that is your cert.
If this doesn't work, you might just have to get the cert re-issued. When I make a CSR, I like to clearly label what server it's for (instead of just ssl.key or server.key) and make a copy of it with the date in the name, like mydomain.20150306.key etc. that way they private and public key pairs are unlikely to get mixed up with another set.
In my case I've wanted to change the SSL certificate, because I've e changed my server so I had to create a new CSR with this command:
openssl req -new -newkey rsa:2048 -nodes -keyout mysite.key -out mysite.csr
I have sent mysite.csr file to the company SSL provider and after I received the the certificate crt and then I've restarted nginx , and I have got this error
(SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
After a lot of investigation, the error was that module from key file was not the same with the one from crt file
So, in order to make it work, I have created a new csr file but I have to change the name of the file with this command
openssl req -new -newkey rsa:2048 -nodes -keyout mysite_new.key -out mysite_new.csr
Then I had received a new crt file from the company provider, restart nginx and it worked.
It happened to me when I combined the bundle.crt and main cert. The reason was I copied the main cert below the bundle.crt. It should be the other way around
1/ main cert 2/ bundle.crt
I had this problem because i was adding bundle and certificate in wrong order so maybe this could help someone else.
Before (which is wrong) :
cat ca_bundle.crt certificate.crt > bundle_chained.crt
After (which is right)
cat certificate.crt ca_bundle.crt > bundle_chained.crt
And Please don't forget to update the appropriate conf (ssl_certificate must now point to the chained crt) as
server {
listen 443 ssl;
server_name www.example.com;
ssl_certificate bundle_chained.crt;
ssl_certificate_key www.example.com.key;
...
}
From the nginx manpage:
If the server certificate and the bundle have been concatenated in the wrong order, nginx will fail to start and will display the error message:
SSL_CTX_use_PrivateKey_file(" ... /www.example.com.key") failed (SSL: error:0B080074:x509 certificate routines: X509_check_private_key:key values mismatch)
My 5 cents on the issue:
I had same problem. After about 1 hour looking after it, I found I pasted the certificate incorrectly.
Source: Stackoverflow.com