1

Here is what happened:

I generated the CSR via the MediaTemple site (that is the only way to do it, since a GS is a shared server) and sent it over to namecheap.com (it is signed by RapidSSL).

When I got the certificate and CA back and tried to import them into Media Temple, I got the "Key do not match" error.

I contacted both supports. They just keep pushing the blame onto each other: namecheap.com says there is an RSA key generated (which I do not have access to), and Media Temple just blames other people outright without even trying to explain what could have gone wrong.

My question is:

  1. Has anyone had the same problem?

  2. What could be the cause of this error?

Thanks

Joel Chu

3 Answers

6

Joel Chu, I don't know if this helps you, but maybe it will, and I hope to help other MediaTemple users. I spent all day trying to configure a certbot-generated certificate on a MediaTemple GridServer shared host, but this should work with Acme PHP and other generators as well:

The solution, undocumented as far as I can tell:
1. Paste the first certificate in fullchain.pem into the Certificate field.
2. Paste the second certificate in fullchain.pem into the CA/Chain certificate field.
3. Paste the key from privatekey.pem, but with one detail on the first and last lines.
They MUST have the RSA keyword:

Replace the existing -----BEGIN PRIVATE KEY----- (or whatever is in the file)

with:

-----BEGIN RSA PRIVATE KEY-----

You must do the same for the last line. It should read:

-----END RSA PRIVATE KEY-----

After that I was able to add a certificate to my domain, and it is accepted by MT.

Hope this helps

ramjamx
    This was the exact issue we were having. Added "RSA" in between as described and the key/certificate combo was accepted promptly. Just remember that you need to add "RSA" as well to the bottom line in the key. Incredible that Mediatemple does not clarify this somewhere... – mr-euro Oct 18 '17 at 18:31
  • @mr-euro Nice catch on the bottom line. I specifically wrote to MT to tell them this was missing from their documentation. I haven't looked, but if they haven't added it anywhere by now, I suspect they leave it out on purpose to sell more SSL certs. – jmorganmartin Nov 28 '18 at 22:47
  • THIS! This is what was causing the key to be invalid for us. Just had to add the "RSA" in the start and end tags. Thank you for posting this. I'd give you extra bounty if I could. – Joshua Pinter Sep 09 '20 at 16:51
  • I can't believe this worked! What a find, thanks. – CountKyle Jun 29 '22 at 16:06
2

I have a similar issue pretty often, but that is because I'm generating a lot of certificates manually and signing them with an internal CA.

The cause of the issue is pretty straightforward: the private key that your server has kept doesn't match the public key embedded within your certificate.

The most common cause of this error is, by far, operator error, sometimes made worse by poorly designed software. Basically, what often happens is that you generate a key pair and a CSR (Certificate Signing Request), send the CSR, and then re-generate a new key pair. If the software is too dumb to remember more than one key, it will lose the previously generated private key.

The solution for these kinds of issues, if you're unwilling to simply outsource the job to the server operator, is to generate everything locally (using OpenSSL is the best option) and be careful about the private key you generate (I use a local Mercurial repository for this, which allows me to keep track of what was generated when and, if necessary, go back in time). Once you have the signed certificate, you upload it, along with the private key, to the server.

Stephane (edited by DaveGauer)
  • The problem, as I stated, is the fact that I don't have access to the server (it's a shared host), so everything must be done through the Mediatemple website, which I suspect is the cause of the problem. I can only generate one CSR at a time, but it doesn't really tell me which is which, etc. Again, Mediatemple is just pushing the ball to others. – Joel Chu Apr 18 '13 at 12:28
  • I'm afraid there is no magic bullet here. Open a support ticket, politely ask them what solution is available and if there is a supported way to use your own cert and private key. – Stephane Apr 18 '13 at 12:46
  • It's been 2 weeks. I have opened 4 tickets so far. Each time they just copy and paste me the same line: "As the certificate is signed by a third party, we can not help." WT*! I am terminating the contract (but note here: they will not give me any refund, so I am the one who loses out). If they charged a reasonable amount for the SSL cert, I would go with them, but they are asking for $80 a year. – Joel Chu Apr 18 '13 at 14:34
  • Then maybe you should pick another hoster. But you have to know that you usually get what you are paying for: picking the cheapest provider is not always the best solution (or the cheapest in the end). – Stephane Apr 18 '13 at 14:44
  • Well, this is funny. MediaTemple is regarded as the Apple of hosting (as well as the price), so I am not sure what you are implying. And do you really know what you are talking about here? I am asking about a shared host problem but you are telling me about a managed host. Which, BTW, I have no problem configuring; I could configure a data centre if I wanted to. The question was whether there is anyone out there who has had the same problem with this particular hosting company, which is mediatemple.net. – Joel Chu Apr 18 '13 at 14:56
  • I'm sorry Joel, if my answer doesn't satisfy you. I can't comment on that specific company. What I can comment on, however, is the fact that there are plenty of hosters to pick from. Apparently, price is an issue with your setup and apparently you're dissatisfied with this specific hoster. I answered about the technical aspect of things and how I tend to handle this very problem (not with the same company, but still) and make a suggestion about what I would do if I were in your shoes. Nothing more (or less) is to be implied from that. – Stephane Apr 19 '13 at 07:46
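Taking the first two answers together, here is an added example (not from the original page, and not MediaTemple's, certbot's or either answerer's own code) that does the three steps of the first answer with OpenSSL and then runs the key/CSR/certificate comparison the second answer describes, including the regenerated-key failure mode. It assumes OpenSSL 1.1 or later on PATH; the file names (fullchain.pem, privkey.pem, leaf.csr, cert-1.pem, cert-2.pem) mirror certbot's layout and are assumptions, and all key material is a throwaway test CA constructed inside the script. One caveat the comments above skip over: the RSA keyword in the BEGIN/END lines names the PKCS#1 (RSAPrivateKey) encoding, while certbot's `-----BEGIN PRIVATE KEY-----` file is PKCS#8, so hand-editing the two header lines leaves a PKCS#8 body under a PKCS#1 label that any parser trusting the label will fail to decode. Re-encoding with `openssl pkey -traditional` yields the RSA header the form wants together with a body that matches it.

```shell
#!/bin/sh
# Added example, not MediaTemple's, certbot's or the answerers' code.
# Assumes OpenSSL >= 1.1 on PATH. File names mirror certbot's layout (assumption).
set -eu

# make_material DIR: constructs a throwaway root CA, a PKCS#8 leaf key (the
# "-----BEGIN PRIVATE KEY-----" form certbot writes), a CSR and a CA-signed leaf,
# then assembles fullchain.pem = leaf + root. Constructed test data only.
make_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj /CN=Test-Root \
    -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj /CN=example.test \
    -keyout "$1/privkey.pem" -out "$1/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -sha256 -out "$1/leaf.pem" >/dev/null 2>&1
  cat "$1/leaf.pem" "$1/ca.pem" > "$1/fullchain.pem"
}

# split_chain FULLCHAIN OUTDIR: one PEM block per file (cert-1.pem is the leaf for
# the Certificate field, cert-2.pem the intermediate/CA for the CA/Chain field);
# prints how many blocks were found.
split_chain() {
  awk -v out="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = out "/cert-" n ".pem" }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }
  ' "$1"
}

# to_pkcs1 IN OUT: re-encode the key as traditional PKCS#1, so the label reads
# "RSA PRIVATE KEY" and the DER body is an RSAPrivateKey to match. Prints the
# first line of the result.
to_pkcs1() {
  openssl pkey -in "$1" -traditional -out "$2"
  head -n 1 "$2"
}

# pubkey_fp FILE: SHA-256 of the DER SubjectPublicKeyInfo carried by a private
# key, a CSR or a certificate. Same public key => same fingerprint, so the
# three artifacts can be compared directly (works for RSA and EC alike).
pubkey_fp() {
  case "$(head -n 1 "$1")" in
    *REQUEST*)     openssl req  -in "$1" -noout -pubkey ;;
    *CERTIFICATE*) openssl x509 -in "$1" -noout -pubkey ;;
    *)             openssl pkey -in "$1" -pubout ;;
  esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# diagnose KEY CSR CERT: locate the mismatch the "Key do not match" error reports.
#   ok                        key, CSR and certificate all agree
#   key-regenerated-after-csr certificate matches the CSR but not the key you
#                             hold: a new key pair was made after the CSR went out
#   cert-issued-for-other-csr certificate does not even match the CSR: wrong
#                             certificate downloaded or issued for another request
diagnose() {
  k=$(pubkey_fp "$1"); r=$(pubkey_fp "$2"); c=$(pubkey_fp "$3")
  if   [ "$k" = "$c" ]; then echo ok
  elif [ "$r" = "$c" ]; then echo key-regenerated-after-csr
  else                       echo cert-issued-for-other-csr
  fi
}

demo() {
  d=$(mktemp -d)
  make_material "$d"
  echo "certs in fullchain.pem: $(split_chain "$d/fullchain.pem" "$d")"
  echo "Certificate field     : $d/cert-1.pem"
  echo "CA/Chain field        : $d/cert-2.pem"
  echo "Key field header      : $(to_pkcs1 "$d/privkey.pem" "$d/privkey.rsa.pem")"
  echo "key vs csr vs cert    : $(diagnose "$d/privkey.rsa.pem" "$d/leaf.csr" "$d/cert-1.pem")"
  # Reproduce the second answer's operator error: a fresh key pair after the CSR was sent.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/regenerated.pem" 2>/dev/null
  echo "after regenerating key: $(diagnose "$d/regenerated.pem" "$d/leaf.csr" "$d/cert-1.pem")"
  rm -rf "$d"
}
demo
```

Run it as `sh keycheck.sh`; against a real deployment, point `split_chain`, `to_pkcs1` and `diagnose` at the files your ACME client wrote and the CSR you actually submitted. The `diagnose` outcome tells you which party to argue with: `key-regenerated-after-csr` is the hosting panel losing the key (the scenario in the question), `cert-issued-for-other-csr` means the certificate you downloaded was never for that CSR.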
0

I had the same problem and solved it by re-issuing the certificate and being careful not to close the mediatemple tab I had used to generate the CSR. Once I received my new certificate, I used that same tab to navigate back and import the certificate.

The first time I did it (and got this error) I had closed the mediatemple CSR tab (and possibly even reloaded it before doing so), which might have caused the mediatemple software to generate a new key, causing the key mismatch.