So I’ve got Mailinabox running fine, with an unsigned certificate so far. Wanted to change that, so I purchased a certificate at Gandi.net. Downloaded both the intermediate and the certificate (a .crt file) itself. Then copied the contents of the certificate in a new file, in the same file copied the contents of the intermediate, directly below the certificate. Something like:
Following the instructions, I need to restart Nginx, but that fails. Running nginx -t results in:
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/home/user-data/ssl/ssl_private_key.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed
And that is correct because this:
openssl rsa -inform PEM -noout -modulus -in /home/user-data/ssl/ssl_private_key.pem
openssl x509 -noout -modulus -in /home/user-data/ssl/ssl_certificate.pem
results in different outputs. But I have no idea how to fix it. Can someone please help?
It sounds like you did everything right. The next thing would be to check that the CSR that you gave to Gandi was right. Can you paste the CSR? (It’s safe to share.)
Thanks for helping. This is the CSR:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
openssl req -in request.csr -noout -text shows a modulus that starts
00:dc:01:3b:27:85:eb:34:54:60:fd:e3:f3:86:94.... Does that match either the private key or the certificate?
Only the certificate matches that modulus. The private key does not.
I used these commands, don’t know if I checked correctly.
Checking modulus of private key:
openssl rsa -noout -text -in ssl_private_key.pem -modulus
Checking modulus of certificate:
openssl x509 -noout -text -in ssl_certificate.pem -modulus
I think the best option is to start with a clean slate regarding ssl. What would be the best way to do this?
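As an added example (not code from the thread or from Mail-in-a-Box), the modulus comparison above can be scripted so the key, the CSR and the certificate are fingerprinted and compared in one go. It generates throwaway test material inline; the second call reproduces the situation seen here, where the CSR and certificate agree but the private key does not.

```shell
#!/bin/sh
# Fingerprint the RSA modulus of a private key, a CSR and a certificate and
# report which of the three disagree. All key material below is throwaway
# test data generated on the fly (constructed for this example).
set -eu

# modulus_fp FILE KIND -> sha256 of the modulus; KIND is key, req or x509.
modulus_fp() {
  case "$2" in
    key)  openssl rsa  -noout -modulus -in "$1" ;;
    req)  openssl req  -noout -modulus -in "$1" ;;
    x509) openssl x509 -noout -modulus -in "$1" ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# check_match KEY CSR CERT -> prints "ok" when all three moduli agree,
# otherwise a space-separated list such as "key!=csr key!=cert".
check_match() {
  k=$(modulus_fp "$1" key)
  r=$(modulus_fp "$2" req)
  c=$(modulus_fp "$3" x509)
  result=""
  [ "$k" = "$r" ] || result="$result key!=csr"
  [ "$k" = "$c" ] || result="$result key!=cert"
  [ "$r" = "$c" ] || result="$result csr!=cert"
  if [ -z "$result" ]; then echo ok; else echo "${result# }"; fi
}

# Build fixtures: key A with a CSR and a self-signed cert made from it, plus
# an unrelated key B that plays the role of a regenerated ssl_private_key.pem.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
GOOD_KEY="$WORK/a.key"; OTHER_KEY="$WORK/b.key"
CSR="$WORK/a.csr"; CERT="$WORK/a.crt"
openssl genrsa -out "$GOOD_KEY" 2048 2>/dev/null
openssl genrsa -out "$OTHER_KEY" 2048 2>/dev/null
openssl req -new -key "$GOOD_KEY" -subj "/CN=box.example" -out "$CSR"
openssl x509 -req -in "$CSR" -signkey "$GOOD_KEY" -days 1 -out "$CERT" 2>/dev/null

echo "matching key:    $(check_match "$GOOD_KEY" "$CSR" "$CERT")"
echo "regenerated key: $(check_match "$OTHER_KEY" "$CSR" "$CERT")"
```

Point the three variables at /home/user-data/ssl/ssl_private_key.pem, the CSR and ssl_certificate.pem to run the same check on a real box.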
Hmm. I think the only way this could have happened is if the private key changed. Maybe check the dates on the files?
Anyway, yeah, you can replace the files in /home/user-data/ssl with all new things. Or delete them and rerun start.sh to re-create the private key and CSR (but then check that they match!).
Ok, fixed it now. The whats_next now says, among other things:
✓ SSL certificate is signed & valid.
I would expect then that if I connect to https://box.fuess.nl in the browser it would show me the correct certificate, but I still get a warning about a self-signed certificate, in both Safari and Firefox. The browser cache was already flushed. My mail client doesn’t complain about it anymore.
The test on https://www.ssllabs.com/ssltest/analyze.html?d=box.fuess.nl&hideResults=on says
After you installed the certificate you need to run service nginx restart. That might be it.
(Ideally this will be taken care of in the future through some management service like a web-based control panel.)
I thought I did that, but seems like I didn’t because now it works. Great! Thanks
I just had this error and noticed that /home/user-data/ssl/www.example.com/ssl_certificate.pem was not updated to match ssl_private_key.pem.
Probably the same for the other certificates.
Note I did a manual install.
Hi. Can you please share how you fixed it? I have the same problem.