SSL error 0B080074 x509 certificate routines X509 check private key key values mismatch

Question

I m not able to setup SSL  I ve Googled and I found a few solutions but none of them worked for me  I need some help please     Here s the error I get when I attempt to restart nginx   root s17925268    service nginx restart Restarting nginx  nginx   emerg  SSL CTX use PrivateKey file   etc nginx conf d ssl ssl key   failed  SSL  error 0B080074 x509 certificate routines X509 check private key key values mismatch  nginx  configuration file  etc nginx nginx conf test failed   My certificate is from StartSSL and is valid for 1 year   Here s what I tested    The certificate and private key has no trailing spaces  I m not using the default server key file  I checked the nginx conf and the directives are pointing to the correct private key and certificate    I also checked the modulus  and I get a different modulus for both key and certificate   Thank you for your help

User · Accepted Answer

I got a MD5 hash with different results for both key and certificate.

This says it all. You have a mismatch between your key and certificate.

The modulus should match. Make sure you have correct key.

User · Answer

Once you have established that they don t match  you still have a problem -- what to do about it  Often  the certificate may merely be assembled incorrectly  When a CA signs your certificate  they send you a block that looks something like   -----BEGIN CERTIFICATE----- MIIAA-and-a-buncha-nonsense-that-is-your-certificate -and-a-buncha-nonsense-that-is-your-certificate-and- a-buncha-nonsense-that-is-your-certificate-and-a-bun cha-nonsense-that-is-your-certificate-and-a-buncha-n onsense-that-is-your-certificate-AA  -----END CERTIFICATE-----   they ll also send you a bundle  often two certificates  that represent their authority to grant you a certificate   this will look something like   -----BEGIN CERTIFICATE----- MIICC-this-is-the-certificate-that-signed-your-request -this-is-the-certificate-that-signed-your-request-this -is-the-certificate-that-signed-your-request-this-is-t he-certificate-that-signed-your-request-this-is-the-ce rtificate-that-signed-your-request-A -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIICC-this-is-the-certificate-that-signed-for-that-one -this-is-the-certificate-that-signed-for-that-one-this -is-the-certificate-that-signed-for-that-one-this-is-t he-certificate-that-signed-for-that-one-this-is-the-ce rtificate-that-signed-for-that-one-this-is-the-certifi cate-that-signed-for-that-one-AA -----END CERTIFICATE-----   except that unfortunately  they won t be so clearly labeled    a common practice  then  is to bundle these all up into one file -- your certificate  then the signing certificates  But since they aren t easily distinguished  it sometimes happens that someone accidentally puts them in the other order -- signing certs  then the final cert -- without noticing  In that case  your cert will not match your key    You can test to see what the cert thinks it represents by running  openssl x509 -noout -text -in yourcert cert   Near the top  you should see  Subject   and then stuff that looks like your data   If instead it lookslike your CA  your bundle is probably in the wrong order  you might try making a backup  and then moving the last cert to the beginning  hoping that is the one that is your cert   If this doesn t work  you might just have to get the cert re-issued  When I make a CSR  I like to clearly label what server it s for  instead of just ssl key or server key  and make a copy of it with the date in the name  like mydomain 20150306 key etc  that way they private and public key pairs are unlikely to get mixed up with another set

User · Answer

This can also happen when your CA issues an intermediate cert  I ran into this issue  twice  with nginx and none of the solutions in this post explained the issue  The blog post here by a nice gentleman named Marco nailed it  and I am pasting it here for anyone who also runs into what I was seeing  https   medium com  mrkdsgn steps-to-install-a-go-daddy-ssl-certificate-on-nginx-on-ubuntu-14-04-ff942b9fd7ff  In my case  go-daddy was the CA and this is specific to how they issue the cert and the intermediate cert bundles   Here is the excerpt from Marco s blog post  With Nginx  if your CA included an intermediate certificate  you must create a single chained certificate file that contains your certificate and the CA   s intermediate certificates   You can use this command to create a combined file called example com chained crt   cat example com crt intermediate crt  gt  example com chained crt

User · Answer

In my case I ve wanted to change the SSL certificate  because I ve e changed my server so I had to create a new CSR with this command    openssl req -new -newkey rsa 2048 -nodes -keyout mysite key -out mysite csr   I have sent mysite csr file to the company SSL provider and after I received the the certificate crt and then I ve restarted nginx   and I have got this error     SSL  error 0B080074 x509 certificate routines X509 check private key key values mismatch    After a lot of investigation  the error was that module from key file was not the same with the one from crt file  So  in order to make it work  I have created a new csr file but I have to change the name of the file with this command   openssl req -new -newkey rsa 2048 -nodes -keyout mysite new key -out mysite new csr   Then I had received a new crt file from the company provider  restart nginx and it worked

User · Answer

In my case I have to concatenate the certs of my domain  cat myDomain crt EntityCertCA crt TrustedRoot crt  gt  bundle crt  And in the config file  etc nginx nginx conf  ssl certificate  quot  etc pki nginx bundle crt quot    Restart the service and all ok  systemctl restart nginx service  Source step 2  https   www namecheap com support knowledgebase article aspx 9781 2238 nginx-ssl-error0b080074x509-certificate-routines-x509checkprivatekeykey-values-mismatch

User · Answer

SL CTX use PrivateKey  quot  etc nginx ssl file quot   failed  SSL  error 0B080074 x509 certificate routines X509 check private key key values mismatch   This error can happen  when the certificate private key  ssl certificate key  e g   key or  pem file  does not match the public certificate file  ssl certificate  in your Nginx configuration  check nginx conf or in sites-enabled    Make sure both files are matching  Check Nginx error logs for further details  e g   var log nginx error log

User · Answer

It happened to me when I combined the bundle crt and main cert  The reason was I copied the main cert below the bundle crt  It should be the other way around  1  main cert 2  bundle crt

User · Answer

I had the same problem and finally resolved it by changing the order of pem blocks in certificate file   The cert block should be put in the beginning of the file  then intermediate blocks  then root block   I realized this problem by comparing a problematic certificate file with a working certificate file

User · Answer

For Nginx   openssl req -newkey rsa 2048 -nodes -keyout domain com key -out domain com csr  SSL file domain com crt and domain com ca-bundle files  then copy new file in paste domain com chained crt    3  Add nginx files   ssl certificate  home user domain ssl domain com chained crt  ssl certificate key  home user domain ssl domain com key   Lates restart Nginx

User · Answer

Make sure your certificate and Key are PEM format  If not then convert them using openssl command Check an MD5 hash of the public key to ensure that it matches with what is in a private key  openssl x509 -noout -modulus -in certificate crt   openssl md5 openssl rsa -noout -modulus -in privateKey key   openssl md5

User · Answer

My 5 cents on the issue  I had same problem  After about 1 hour looking after it  I found I pasted the certificate incorrectly  If you have error like this  please check your certificate

User · Answer

If this happens and you are using Let s Encrypt   certbot  the reason is most likely that you used chain pem instead of fullchain pem   It should be something like this   ssl certificate  etc certbot live example com fullchain pem  ssl certificate key  etc certbot live example com privkey pem    See certbot docs    Where are my certificates

User · Answer

Im my case the problem was that I cretead sertificates without entering any data in cli interface  When I regenerated cretificates and enetered all fields  City  State  etc all became fine    sudo openssl req -x509 -nodes -days 365 -newkey rsa 2048 -keyout  etc ssl private nginx-selfsigned key -out  etc ssl certs nginx-selfsigned crt

User · Answer

I had this problem because i was adding bundle and certificate in wrong order so maybe this could help someone else   Before  which is wrong     cat ca bundle crt certificate crt  gt  bundle chained crt   After  which is right   cat certificate crt ca bundle crt  gt  bundle chained crt   And Please don t forget to update the appropriate conf  ssl certificate must now point to the chained crt  as  server       listen              443 ssl      server name         www example com      ssl certificate     bundle chained crt      ssl certificate key www example com key              From the nginx manpage      If the server certificate and the bundle have been concatenated in the wrong order    nginx will fail to start and will display the error message   SSL CTX use PrivateKey file        www example com key   failed     SSL  error 0B080074 x509 certificate routines      X509 check private key key values mismatch

[ssl] SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Examples related to ssl

Examples related to nginx

Examples related to openssl

Examples related to certificate

Examples related to key