
I have an nginx server with a StartSSL free certificate which will expire soon. I wanted to renew it.

```
openssl req -new -sha256 -nodes -days 365 -newkey rsa:2048 -keyout ssl.key -out ssl.csr
```

where I entered the information needed for certificate generation. I pasted this CSR into the website and successfully got a signed certificate for the domain and 2 subdomains on the main domain.

After I loaded the certificate, the server output this error:

```
feb 05 17:46:19 systemd[1]: Unit nginx.service entered failed state.
feb 05 17:47:13 nginx[4514]: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/nginx.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
feb 05 17:47:13 nginx[4514]: nginx: configuration file /etc/nginx/nginx.conf test failed
feb 05 17:47:13 systemd[1]: nginx.service: control process exited, code=exited status=1
feb 05 17:47:13 systemd[1]: Failed to start A high performance web server and a reverse proxy server.
```

I tested modulus with these commands:

```
openssl x509 -noout -modulus -in nginx.crt | openssl md5
openssl rsa -noout -modulus -in nginx.key | openssl md5
openssl req -noout -modulus -in ssl.csr | openssl md5
```

and they match.

StartSSL provides a certificate bundle with an intermediate certificate in it. I found that it can fail if they are not in the correct order, so I tried both of them as the first certificate without success.

EDIT: I tried the key and certificate on another server with nginx 1.9.3 and it is working. So the certificate is OK but the server is not.

nou
  • You generated a new private key. This is the same private key installed into the server? – Richard Smith Feb 06 '16 at 16:51
  • Yes, the private key which was generated at first is installed. I wonder if it is a problem that I generated the CSR only with the main domain, but on the StartSSL page I entered three. – nou Feb 07 '16 at 13:10
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306). – jww Feb 07 '16 at 20:03
  • Does this answer your question? [SSL: error:0B080074:x509 certificate routines:X509\_check\_private\_key:key values mismatch](https://stackoverflow.com/questions/26191463/ssl-error0b080074x509-certificate-routinesx509-check-private-keykey-values) – kenorb Jul 02 '20 at 22:26

1 Answer


Please check the certificate sequence when you created the bundle. It should be in the following sequence:

  1. Server Certificate

  2. Intermediate certificate

  3. Root Certificate

This is probably the reason behind the error.

bfontaine
Nick Desai
  • Also [1 - 3 - 2 order](https://itgala.xyz/nginx-ssl-error0b080074x509-certificate-routinesx509-key-values-mismatch/) works for nginx – Alex Langer Nov 28 '17 at 12:54
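
A way to check the ordering described in this answer, as an added example that is not part of the original posts: nginx checks the private key against the first certificate in the `ssl_certificate` file, so this script reports the position of the certificate in a bundle whose public key matches the key. The function name and file names are hypothetical; it assumes an unencrypted PEM key and the `openssl` CLI.

```shell
#!/bin/sh
# Added example (not from the original posts).
# Prints the 1-based position of the certificate in a PEM bundle whose
# public key matches the given private key, or 0 if none matches.
# nginx needs that position to be 1 in the file named by ssl_certificate.

matching_cert_position() {
    mcp_key=$1
    mcp_bundle=$2

    # Public key derived from the private key (SubjectPublicKeyInfo PEM).
    mcp_key_pub=$(openssl pkey -in "$mcp_key" -pubout 2>/dev/null) || return 2

    mcp_tmp=$(mktemp -d) || return 2

    # Split the bundle into one file per certificate: 1.pem, 2.pem, ...
    awk -v dir="$mcp_tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (dir "/" n ".pem") }
    ' "$mcp_bundle" 2>/dev/null

    mcp_pos=0
    mcp_i=1
    while [ -f "$mcp_tmp/$mcp_i.pem" ]; do
        # Public key embedded in this certificate, in the same PEM form.
        mcp_cert_pub=$(openssl x509 -in "$mcp_tmp/$mcp_i.pem" -noout -pubkey 2>/dev/null) || mcp_cert_pub=""
        if [ -n "$mcp_cert_pub" ] && [ "$mcp_cert_pub" = "$mcp_key_pub" ]; then
            mcp_pos=$mcp_i
            break
        fi
        mcp_i=$((mcp_i + 1))
    done

    rm -rf "$mcp_tmp"
    echo "$mcp_pos"
}

# Usage: sh check_bundle.sh nginx.key nginx.crt
if [ "$#" -eq 2 ]; then
    pos=$(matching_cert_position "$1" "$2") || { echo "cannot read key $1" >&2; exit 2; }
    case $pos in
        1) echo "OK: first certificate in $2 matches $1" ;;
        0) echo "no certificate in $2 matches $1"; exit 1 ;;
        *) echo "certificate #$pos matches $1; move it to the top of $2"; exit 1 ;;
    esac
fi
```

Because `openssl x509 -in` reads only the first certificate in a file, a modulus comparison run against a bundle checks just that first entry; the script above walks every entry instead.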