Issues setting up ssl - private key values mismatch

So I’ve got Mailinabox running fine, with an unsigned certificate so far. Wanted to change that, so I purchased a certificate at Gandi.net. Downloaded both the intermediate and the certificate (a .crt file) itself. Then copied the contents of the certificate in a new file, in the same file copied the contents of the intermediate, directly below the certificate. Something like:

-----BEGIN CERTIFICATE-----
certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate
-----END CERTIFICATE-----

Following the instructions, I need to restart Nginx, but that fails. Running nginx -t results in:

nginx: [emerg] SSL_CTX_use_PrivateKey_file("/home/user-data/ssl/ssl_private_key.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed

And that is correct because this:

openssl rsa  -inform PEM  -noout -modulus -in /home/user-data/ssl/ssl_private_key.pem
openssl x509 -noout -modulus -in /home/user-data/ssl/ssl_certificate.pem

results in different outputs. But I have no idea how to fix it. Can someone please help?

It sounds like you did everything right. The next thing would be to check that the CSR that you gave to Gandi was right. Can you paste the CSR? (It’s safe to share.)

Thanks for helping. This is the CSR:


openssl req -in request.csr -noout -text shows a modulus that starts 00:dc:01:3b:27:85:eb:34:54:60:fd:e3:f3:86:94.... Does that match either the private key or the certificate?

Only the certificate matches that modulus. The private key does not.

I used these commands, don’t know if I checked correctly.

Checking modulus of private key:

openssl rsa -noout -text -in ssl_private_key.pem -modulus

Checking modulus of certificate:

openssl x509 -noout -text -in ssl_certificate.pem -modulus

I think the best option is to start with a clean slate regarding ssl. What would be the best way to do this?
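An added check script, not from the thread, that automates the modulus comparison the openssl commands above perform, so a key/certificate/CSR mismatch is caught before nginx is restarted. It assumes openssl is installed; the key and certificate files it generates are constructed demo material, and the Mail-in-a-Box paths from the thread (/home/user-data/ssl/ssl_private_key.pem, ssl_certificate.pem) would be passed in their place.

```shell
#!/bin/sh
# Added example: compare the RSA modulus of a private key, a certificate and
# a CSR. A mismatch between key and certificate is exactly what nginx reports
# as "X509_check_private_key:key values mismatch". Assumes openssl is installed.
set -e

# Print a SHA-256 fingerprint of the RSA modulus held in a PEM file.
# Usage: modulus_fp <key|cert|csr> <file>
modulus_fp() {
    case "$1" in
        key)  openssl rsa  -noout -modulus -in "$2" ;;
        cert) openssl x509 -noout -modulus -in "$2" ;;
        csr)  openssl req  -noout -modulus -in "$2" ;;
        *)    echo "unknown kind: $1" >&2; return 2 ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 when the modulus of <kind1>/<file1> equals that of <kind2>/<file2>.
# Usage: modulus_matches <kind1> <file1> <kind2> <file2>
modulus_matches() {
    [ "$(modulus_fp "$1" "$2")" = "$(modulus_fp "$3" "$4")" ]
}

# Constructed demo material: one key with its own CSR and self-signed cert,
# plus a second, unrelated key (the situation in the thread: the key on disk
# no longer belonged to the certificate that was installed).
demo_dir=$(mktemp -d)
openssl genrsa -out "$demo_dir/key.pem" 2048 2>/dev/null
openssl genrsa -out "$demo_dir/other_key.pem" 2048 2>/dev/null
openssl req -new -key "$demo_dir/key.pem" -subj "/CN=box.example.test" \
    -out "$demo_dir/request.csr" 2>/dev/null
openssl req -new -x509 -key "$demo_dir/key.pem" -subj "/CN=box.example.test" \
    -days 1 -out "$demo_dir/cert.pem" 2>/dev/null

if modulus_matches key "$demo_dir/key.pem" cert "$demo_dir/cert.pem"; then
    echo "key.pem matches cert.pem: nginx would accept this pair"
fi
if ! modulus_matches key "$demo_dir/other_key.pem" cert "$demo_dir/cert.pem"; then
    echo "other_key.pem does NOT match cert.pem: this is the 'key values mismatch' case"
fi
```

Run it against the real files with `modulus_matches key /home/user-data/ssl/ssl_private_key.pem cert /home/user-data/ssl/ssl_certificate.pem`; comparing the CSR as well tells you whether the key or the certificate is the one that changed.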

Hmm. I think the only way this could have happened is if the private key changed. Maybe check the dates on the files?

Anyway, yeah, you can replace the files in /home/user-data/ssl with all new things. Or delete them and rerun start.sh to re-create the private key and CSR (but then check that they match! :frowning: ).

Ok, fixed it now. The whats_next now says, among other things:

box.fuess.nl
✓  SSL certificate is signed & valid.

I would expect then that if I connect to https://box.fuess.nl in the browser it would show me the correct certificate, but I still get a warning about a self-signed certificate, in both Safari and Firefox. The browser cache was already flushed. My mail client doesn’t complain about it anymore.

The test on https://www.ssllabs.com/ssltest/analyze.html?d=box.fuess.nl&hideResults=on says NOT TRUSTED

Any ideas?

After you installed the certificate you need to run service nginx restart. That might be it.

(Ideally this will be taken care of in the future through some management service like a web-based control panel.)

I thought I did that, but seems like I didn’t because now it works. Great! Thanks :smile:

I just had this error and noticed that /home/user-data/ssl/www.example.com/ssl_certificate.pem was not updated to match ssl_private_key.pem.

Probably the same for the other certificates.

Note I did a manual install.

Hi. Can you please share how you fixed it? I have the same problem.