13

I am trying to install an SSL certificate on my Ubuntu server. I have purchased the certificate from my CA and have downloaded the certificate itself and an intermediate certificate, like so:

my certificate: mydomain.crt
intermediate certificate: GandiStandardSSLCA.pem

I also have (made using openssl)

my private key (?): mydomain.key
and signing request: mydomain.csr

I have uploaded all these files to my server and followed a guide to combine my certificate with the intermediate:

cat mydomain.crt GandiStandardSSLCA.pem > mydomain-bundle.crt

I then add the following to my vhost's config:

listen   443 ssl;
ssl_certificate       /etc/nginx/ssl/mydomain-bundle.crt;
ssl_certificate_key   /etc/nginx/ssl/mydomain.key;

But when I go to restart nginx I get this error:

* Restarting nginx
* Stopping nginx nginx [ OK ]
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/mydomain.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed

Any ideas why and how to solve?

harryg

1 Answer

22

Does your key list OK?

openssl rsa -in /etc/nginx/ssl/mydomain.key

Do the moduli of the key and the cert match?

openssl x509  -in mydomain.crt -modulus 

openssl rsa  -in qa.server.key  -modulus

These numbers must match.

gm3dmo
  • Yes, the key lists OK and the moduli match. I could only list in as root though. Could it be an ownership issue? – harryg Jan 30 '14 at 22:42
  • assuming `qa.server.key` is my private key – harryg Jan 30 '14 at 23:02
  • Note that the order of concatenation of the certificates (SSL cert and intermediate) is crucial. @davey's answer helped me figure out that I had a wrong aggregated crt. – jeromes Oct 13 '16 at 16:27
  • Excellent. I was using the wrong file for ssl_certificate. The modulus commands helped me figure out that was the issue. Genius! – Ralph Oct 08 '17 at 12:34
  • If they don't match, then what... – Zach Smith Aug 05 '19 at 15:03
  • If they don't match, then the key you have can't be used with that cert. This usually happens when something has been mixed up. – gm3dmo Aug 14 '19 at 15:12
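
The modulus check in the answer and the concatenation-order point in the comments can be combined into one check against the file nginx actually loads. The script below is an added example, not part of the original thread: `check_pair` is a hypothetical helper name, and it compares full public keys rather than the RSA modulus so that it also works for non-RSA keys.

```shell
#!/bin/sh
# Added example, not from the thread. check_pair is a hypothetical helper name.
# Compares the public key of the FIRST certificate in a PEM file with the
# public key derived from a private key. `openssl x509` reads only the first
# certificate in a file, which is the one nginx pairs with ssl_certificate_key.

check_pair() {
    bundle=$1
    key=$2

    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) || {
        echo "cannot read a certificate from $bundle" >&2
        return 2
    }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot read a private key from $key (permissions?)" >&2
        return 2
    }

    if [ "$cert_pub" = "$key_pub" ]; then
        echo "OK: $key matches the first certificate in $bundle"
        return 0
    fi

    # Show which certificate is first, so a wrong concatenation order
    # (intermediate before the server certificate) is visible.
    echo "MISMATCH: $key does not match the first certificate in $bundle" >&2
    echo "certificates in file: $(grep -c 'BEGIN CERTIFICATE' "$bundle")" >&2
    openssl x509 -in "$bundle" -noout -subject >&2
    return 1
}

# Run as: sh check_pair.sh /etc/nginx/ssl/mydomain-bundle.crt /etc/nginx/ssl/mydomain.key
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
    exit $?
fi
```

Running it against the bundle rather than `mydomain.crt` matters: a key can match the standalone certificate and still fail in nginx if the bundle starts with the intermediate.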