174

I'm not able to set up SSL. I've Googled and I found a few solutions but none of them worked for me. I need some help please...

Here's the error I get when I attempt to restart nginx:

root@s17925268:~# service nginx restart
Restarting nginx: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/conf.d/ssl/ssl.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed

My certificate is from StartSSL and is valid for 1 year.

Here's what I tested:

  • The certificate and private key have no trailing spaces.
  • I'm not using the default server.key file.
  • I checked the nginx.conf and the directives are pointing to the correct private key and certificate.

I also checked the modulus, and I get a different modulus for both key and certificate.

Thank you for your help. :)

Galou

19 Answers

240

Once you have established that they don't match, you still have a problem -- what to do about it. Often, the certificate may merely be assembled incorrectly. When a CA signs your certificate, they send you a block that looks something like

-----BEGIN CERTIFICATE-----
MIIAA-and-a-buncha-nonsense-that-is-your-certificate
-and-a-buncha-nonsense-that-is-your-certificate-and-
a-buncha-nonsense-that-is-your-certificate-and-a-bun
cha-nonsense-that-is-your-certificate-and-a-buncha-n
onsense-that-is-your-certificate-AA+
-----END CERTIFICATE-----

They'll also send you a bundle (often two certificates) that represent their authority to grant you a certificate. This will look something like

-----BEGIN CERTIFICATE-----
MIICC-this-is-the-certificate-that-signed-your-request
-this-is-the-certificate-that-signed-your-request-this
-is-the-certificate-that-signed-your-request-this-is-t
he-certificate-that-signed-your-request-this-is-the-ce
rtificate-that-signed-your-request-A
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICC-this-is-the-certificate-that-signed-for-that-one
-this-is-the-certificate-that-signed-for-that-one-this
-is-the-certificate-that-signed-for-that-one-this-is-t
he-certificate-that-signed-for-that-one-this-is-the-ce
rtificate-that-signed-for-that-one-this-is-the-certifi
cate-that-signed-for-that-one-AA
-----END CERTIFICATE-----

Except that, unfortunately, they won't be so clearly labeled.

A common practice, then, is to bundle these all up into one file -- your certificate, then the signing certificates. But since they aren't easily distinguished, it sometimes happens that someone accidentally puts them in the other order -- signing certs, then the final cert -- without noticing. In that case, your cert will not match your key.

You can test to see what the cert thinks it represents by running

openssl x509 -noout -text -in yourcert.cert

Near the top, you should see "Subject:" and then stuff that looks like your data. If instead it looks like your CA, your bundle is probably in the wrong order; you might try making a backup, and then moving the last cert to the beginning, hoping that is the one that is your cert.

If this doesn't work, you might just have to get the cert re-issued. When I make a CSR, I like to clearly label what server it's for (instead of just ssl.key or server.key) and make a copy of it with the date in the name, like mydomain.20150306.key etc. That way the private and public key pairs are unlikely to get mixed up with another set.

Vynce
  • This fixed it for me on Nginx! – TTT Mar 26 '15 at 16:57
  • Huge +1 for showing how to see what's in the cert chain. – cbednarski Apr 04 '15 at 00:09
  • Definitely useful, I spend one hour trying to understand why nginx was refusing the certificate while I could see it contained the data – Jacopofar May 08 '15 at 13:45
  • Note that Namecheap provide a "bundle" that doesn't include the leaf certificate. – amoe Feb 06 '17 at 15:40
  • Ok, this also worked for me with a Comodo cert and Ngix. Just pushed the last cert block to the top. Thx for the detailed explanation and insight to this issue. – Andy D Feb 07 '17 at 15:59
  • I am facing the same problem in nodejs. I have 5 files: one pem, one key, one srt and two, intermediate and root certificate. I am running the server using the pem and key file and it's running but showing an insecure connection error. And by using any other certificate files it's not running, as it shows a certificate and key mismatch error. Please guide if possible. Thanks in advance. – Amrendra Feb 11 '17 at 12:29
  • @Amrendra : sounds like maybe you need to bundle your pem, intermediate, and root? Try creating a single file with the contents of each in that order, e.g. cp pem bundle; cat intermediate >> bundle; cat root >> bundle. – Vynce Feb 13 '17 at 19:54
  • Thank you @Vynce! I bundled the three as you have mentioned and now it is not showing key mismatch error but the problem persists. It is still showing insecure connection error. After adding the exception to the browser it's working. Isn't there any way by which we can remove this exception. – Amrendra Feb 14 '17 at 08:55
  • From here, I don't know why your cert is being rejected -- from your description, I don't even know whether the server is complaining or the browser. I'd recommend starting a fresh question on an appropriate overflow community. – Vynce Feb 15 '17 at 19:18
  • It helps me too! Very useful answer! Thank you so much! – Oleg Klimenko Apr 20 '17 at 15:50
  • Thanks, this solved my problem. I have extracted all certs in own file, checked subject for each, detected that the order is reversed, created new cert with correct certs order what solved the problem. – Robert Lujo Jun 03 '20 at 10:01
  • This is pure gold! Thank you so much! – Luka Mar 01 '21 at 15:46
  • In my case, the INTERMEDIATE certificate that came from the server was the culprit. To make it work, I had to create a new intermediate cert file which first contained the original cert PLUS right after, I added the contents of the original intermediate cert. I.e. there are now 2 certs in the new intermediate file. And then it worked! I wish the error message would have been more specific. – logixplayer May 08 '22 at 16:04
118
  1. Make sure your certificate and key are in PEM format. If not, then convert them using the openssl command.
  2. Check an MD5 hash of the public key to ensure that it matches the one in the private key:

    openssl x509 -noout -modulus -in certificate.crt | openssl md5
    openssl rsa -noout -modulus -in privateKey.key | openssl md5
    
muru
dev0z
  • Good advice! Well, I still get the same error even if the md5 hashes are the same for me ^^ – Delphine Mar 04 '16 at 15:02
  • Thank you for including how to verify the hashes. I found out I had a copy paste error, and was missing a single dash from the beginning of my pem. You just saved me a lot of headaches. Cheers. – Justin Fortier May 25 '16 at 15:41
  • Thanks for this, also found nice cheatsheet for useful `openssl` commands https://gist.github.com/Hakky54/b30418b25215ad7d18f978bc0b448d81 – Michael May 16 '23 at 18:27
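Both diagnoses above (the modulus comparison in this answer and the "bundle in the wrong order" explanation in the first answer) can be scripted. The following is an added example and not code from any answer on this page; it needs only the openssl command-line tool. It builds its own throwaway "Demo CA" and a www.example.com leaf certificate (constructed test material, not real certificates) and then concatenates them in the correct and in the reversed order, so the two checks can be exercised offline. Run it on a real deployment as `key_matches_cert bundle.crt server.key` and `chain_in_order bundle.crt`.

```shell
#!/bin/sh
# Added example (not part of any answer on this page): script the two checks
# the answers describe, against a throwaway test PKI built on the fly.
#   key_matches_cert  - compares the modulus of the FIRST certificate in a
#                       bundle with the private key (what nginx pairs up)
#   chain_in_order    - verifies each certificate is issued by the next one,
#                       i.e. leaf first, then intermediates, then root
# Requires the openssl command-line tool.

set -eu

# Return 0 if the first certificate in bundle $1 matches private key $2.
# `openssl x509` reads only the first PEM block, which is also the block nginx
# pairs with ssl_certificate_key, so a CA-first bundle fails here exactly as
# it fails at nginx startup.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null | openssl md5)
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl md5)
    [ "$cert_mod" = "$key_mod" ]
}

# Write each certificate block of bundle $1 to $2/certNN.pem, in file order.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n); inblock = 1 }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { close(out); inblock = 0 }
    ' "$1"
}

# Return 0 if, for every adjacent pair in bundle $1, the issuer of the earlier
# certificate equals the subject of the later one (leaf -> intermediate -> root).
# A bundle with a single certificate trivially passes.
chain_in_order() {
    dir=$(mktemp -d)
    split_chain "$1" "$dir"
    ok=0
    prev_issuer=""
    for f in "$dir"/cert*.pem; do
        subject=$(openssl x509 -noout -subject -in "$f" | sed 's/^subject=//')
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "out of order: '$subject' did not issue the certificate before it" >&2
            ok=1
        fi
        prev_issuer=$(openssl x509 -noout -issuer -in "$f" | sed 's/^issuer=//')
    done
    rm -rf "$dir"
    return $ok
}

# Build constructed test material in directory $1 (not real certificates):
# a self-signed "Demo CA", a leaf for www.example.com signed by it, and the
# two files concatenated in the correct and in the reversed order.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/leaf.crt" 2>/dev/null
    cat "$1/leaf.crt" "$1/ca.crt" > "$1/good_chain.crt"   # leaf first: what nginx expects
    cat "$1/ca.crt" "$1/leaf.crt" > "$1/bad_chain.crt"    # CA first: "key values mismatch"
}

# Stand-alone demo: build the test PKI and report both checks for each bundle.
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir"
for bundle in good_chain.crt bad_chain.crt; do
    printf '%s: ' "$bundle"
    if key_matches_cert "$demo_dir/$bundle" "$demo_dir/leaf.key"; then
        printf 'key matches; '
    else
        printf 'KEY MISMATCH; '
    fi
    if chain_in_order "$demo_dir/$bundle" 2>/dev/null; then
        echo 'chain in order'
    else
        echo 'CHAIN OUT OF ORDER'
    fi
done
rm -rf "$demo_dir"
```

The subject/issuer comparison is what makes the order check robust: it does not guess which block is "yours" from its position, it verifies that each block was signed by the one that follows it, which is the order nginx (and the TLS chain sent to clients) requires.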
94

I had this problem because I was adding the bundle and certificate in the wrong order, so maybe this could help someone else.

Before (which is wrong):

cat ca_bundle.crt certificate.crt > bundle_chained.crt

After (which is right):

cat certificate.crt ca_bundle.crt > bundle_chained.crt

And please don't forget to update the appropriate conf (ssl_certificate must now point to the chained crt), as in:

server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     bundle_chained.crt;
    ssl_certificate_key www.example.com.key;
    ...
}

From the nginx manpage:

If the server certificate and the bundle have been concatenated in the wrong order, nginx will fail to start and will display the error message:

SSL_CTX_use_PrivateKey_file(" ... /www.example.com.key") failed
   (SSL: error:0B080074:x509 certificate routines:
    X509_check_private_key:key values mismatch)
muru
Mandeep Gill
52

I got a MD5 hash with different results for both key and certificate.

This says it all. You have a mismatch between your key and certificate.

The modulus should match. Make sure you have correct key.

dev0z
  • Unless I'm missing something, you absolutely WANT the public and private keys (the certificate file and the key file) to be different. – Mark Berry Oct 02 '19 at 23:21
  • The `modulus' and the `public exponent' portions in the key and the Certificate must match. No doubt the files are different. The key is generated for one particular cert. – dev0z Oct 04 '19 at 00:15
  • My bad. I thought he was referring to the MD5 of the files. I see now that certificates have a separate modulus function: [How to confirm that the modulus in your private key matches the modulus in your SSL/TLS certificate's public key prior to installation?](https://knowledge.digicert.com/solution/SO20830.html). – Mark Berry Oct 05 '19 at 01:12
13

If this happens and you are using Let's Encrypt / certbot, the reason is most likely that you used chain.pem instead of fullchain.pem.

It should be something like this:

ssl_certificate /etc/certbot/live/example.com/fullchain.pem;
ssl_certificate_key /etc/certbot/live/example.com/privkey.pem;

See certbot docs “Where are my certificates?”

Marian
8

I had the same problem and finally resolved it by changing the order of pem blocks in certificate file.

The cert block should be put at the beginning of the file, then the intermediate blocks, then the root block.

I realized this problem by comparing a problematic certificate file with a working certificate file.

fuweichin
4

I had the same issue on Nginx, but the below helped me to fix it.

I removed the bundle and replaced it with the crt file.

ssl_certificate /path/to/cert.crt;
ssl_certificate_key /path/to/key.key;

The bundle isn’t 100% necessary, but it improves compatibility.

Aditya Y
2

In my case I wanted to change the SSL certificate, because I had changed my server, so I had to create a new CSR with this command:

 openssl req -new -newkey rsa:2048 -nodes -keyout mysite.key -out mysite.csr

I sent the mysite.csr file to the SSL provider company, and after I received the certificate crt I restarted nginx and got this error:

 (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

After a lot of investigation, the error was that the modulus from the key file was not the same as the one from the crt file.

So, in order to make it work, I created a new csr file, but I had to change the name of the file with this command:

 openssl req -new -newkey rsa:2048 -nodes -keyout mysite_new.key -out mysite_new.csr

Then I received a new crt file from the provider company, restarted nginx, and it worked.

Muhammad Dyas Yaskur
lemon fish
2

My 5 cents on the issue:

I had the same problem. After about 1 hour looking into it, I found I had pasted the certificate incorrectly.

If you have an error like this, please check your certificate.

Community
Nick
2

In my case I had to concatenate the certs of my domain.

cat myDomain.crt EntityCertCA.crt TrustedRoot.crt > bundle.crt

And in the config file /etc/nginx/nginx.conf

 ssl_certificate "/etc/pki/nginx/bundle.crt";

Restart the service and all is OK.

systemctl restart nginx.service

Source: Nginx SSL: error:0B080074:x509 certificate routines: X509_check_private_key:key values mismatch

Abdullah Khawer
mariofertc
2

In my case, the private key file had a newline character at the end.

Incorrect format:

-----END PRIVATE KEY-----

Correct format:

-----END PRIVATE KEY-----

And yes, the order should be cat certificate.crt ca_bundle.crt > bundle_chained.crt and the first line of ca_bundle.crt should not be on the last line of certificate.crt.

Incorrect format:

-----END CERTIFICATE----------BEGIN CERTIFICATE-----

Correct format:

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Abdullah Khawer
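The second problem described in this answer, the END marker of one block glued to the BEGIN marker of the next, is exactly what `cat certificate.crt ca_bundle.crt` produces when certificate.crt has no final newline, and OpenSSL then parses only the first block. The following is an added example, not code from the answer: a small linter for PEM marker lines, a repair for the glued line, and a concatenation helper that adds the missing newline so the problem never arises. The certificate bodies it uses (`LEAFBODY`, `CABODY`) are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the answer above): lint the PEM block boundaries of
# a concatenated certificate file. If certificate.crt has no final newline,
# `cat certificate.crt ca_bundle.crt` glues "-----END CERTIFICATE-----" to the
# next "-----BEGIN CERTIFICATE-----" on one line, and the PEM reader then sees
# only the first certificate.

set -eu

# Return 0 if every BEGIN/END marker in $1 is alone on its own line and the
# marker counts balance; print the offending lines to stderr otherwise.
pem_boundaries_ok() {
    bad=$(grep -n -e 'BEGIN ' -e 'END ' "$1" \
          | grep -v -E '^[0-9]+:-----(BEGIN|END) [A-Z ]+-----$' || true)
    if [ -n "$bad" ]; then
        printf 'malformed marker line(s) in %s:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    begins=$(grep -c -E '^-----BEGIN [A-Z ]+-----$' "$1" || true)
    ends=$(grep -c -E '^-----END [A-Z ]+-----$' "$1" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# Print $1 with any glued "-----END X----------BEGIN Y-----" split back into
# two lines. The two markers share the run of ten dashes, so the run is
# replaced by "-----", a newline, and "-----BEGIN ". A normal marker line has
# only five dashes before BEGIN and is left untouched.
repair_glued_markers() {
    awk '{ gsub(/----------BEGIN /, "-----\n-----BEGIN "); print }' "$1"
}

# Concatenate PEM files so that a missing final newline never glues two blocks:
# after each file, add a newline only if its last byte is not one already.
cat_pem() {
    for f in "$@"; do
        cat "$f"
        [ -z "$(tail -c 1 "$f")" ] || echo
    done
}

# Build constructed sample files in directory $1. The bodies are placeholders,
# not real certificates; only the marker lines matter for this check.
make_samples() {
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'LEAFBODY' '-----END CERTIFICATE-----' \
        > "$1/certificate.crt"                        # deliberately no trailing newline
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'CABODY' '-----END CERTIFICATE-----' \
        > "$1/ca_bundle.crt"
    cat "$1/certificate.crt" "$1/ca_bundle.crt" > "$1/bundle_glued.crt"   # reproduces the bug
    repair_glued_markers "$1/bundle_glued.crt" > "$1/bundle_fixed.crt"    # repaired afterwards
    cat_pem "$1/certificate.crt" "$1/ca_bundle.crt" > "$1/bundle_safe.crt" # avoided up front
}

# Stand-alone demo: report the state of each sample bundle.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in bundle_glued.crt bundle_fixed.crt bundle_safe.crt; do
    if pem_boundaries_ok "$demo_dir/$f" 2>/dev/null; then
        echo "$f: OK"
    else
        echo "$f: BROKEN"
    fi
done
rm -rf "$demo_dir"
```

In practice run `pem_boundaries_ok bundle_chained.crt` before pointing ssl_certificate at a freshly concatenated file; it reports the glued line number, which the nginx error message does not. The repair only undoes the concatenation artefact, it cannot recover a certificate body that was truncated during a copy-and-paste.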
1

This can also happen when your CA issues an intermediate cert

I ran into this issue (twice) with nginx and none of the solutions in this post explained the issue. The blog post here by a nice gentleman named Marco nailed it, and I am pasting it here for anyone who also runs into what I was seeing. Steps to install a Go Daddy SSL Certificate with NGINX on Ubuntu 14.04

In my case, go-daddy was the CA and this is specific to how they issue the cert and the intermediate cert bundles.

Here is the excerpt from Marco's blog post

With Nginx, if your CA included an intermediate certificate, you must create a single chained certificate file that contains your certificate and the CA’s intermediate certificates.

You can use this command to create a combined file called example.com.chained.crt:

cat example.com.crt intermediate.crt > example.com.chained.crt

Abdullah Khawer
Shyam Habarakada
1

For Nginx:

  1. openssl req -newkey rsa:2048 -nodes -keyout domain.com.key -out domain.com.csr

  2. SSL file domain_com.crt and domain_com.ca-bundle files, then copy new file in paste domain.com.chained.crt.

  3. Add to the nginx files:

  1. ssl_certificate /home/user/domain_ssl/domain.com.chained.crt;
  2. ssl_certificate_key /home/user/domain_ssl/domain.com.key;

Lastly, restart Nginx.

kenorb
1

In my case the problem was that I created certificates without entering any data in the CLI interface. When I regenerated the certificates and entered all fields (City, State, etc.), all became fine.

 sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
Viktor Kruglikov
1

It happened to me when I combined the bundle.crt and the main cert. The reason was I copied the main cert below the bundle.crt. It should be the other way around:

1/ main cert 2/ bundle.crt

Krishna
1

SL_CTX_use_PrivateKey("/etc/nginx/ssl/file") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

This error can happen, when the certificate private key (ssl_certificate_key, e.g. .key or .pem file) does not match the public certificate file (ssl_certificate) in your Nginx configuration (check nginx.conf or in sites-enabled/). Make sure both files are matching.

Check Nginx error logs for further details (e.g. /var/log/nginx/error.log).

kenorb
1

In my case the order in which I pasted the certs into fullchain.pem generated the above error. So, I changed the order - 1st is the cert, 2nd is the CA bundle:

cat cloud.crt cloud.ca-bundle > fullchain.pem
Telinov Dmitri
1

Adding my 50 cents here.

I faced the same error specifically when I renewed my certificate. Despite the fact that I generated a new csr\key pair and submitted the csr to the SSL provider, the provider sent me a crt file that worked with the OLD key file only.

lavrik
0

For AWS s3 or using aws s3 sync or aws s3 cp

Sometimes s3 corrupts small files (like certificates). Learned the hard way.

Zip your certificates before uploading them:

sudo apt install zip   # Installs the zip package
sudo apt install unzip # Installs the unzip package

zip certificates.zip default.key default.crt

Then unzip:

sudo unzip -o /var/app/s3/certificates.zip
Fractal Mind