Issues setting up ssl - private key values mismatch

So I’ve got Mailinabox running fine, with an unsigned certificate so far. Wanted to change that, so I purchased a certificate at Downloaded both the intermediate and the certificate (a .crt file) itself. Then copied the contents of the certificate in a new file, in the same file copied the contents of the intermediate, directly below the certificate. Something like:


Following the instructions, I need to restart Nginx, but that fails. Running nginx -t results in:

nginx: [emerg] SSL_CTX_use_PrivateKey_file("/home/user-data/ssl/ssl_private_key.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed

And that is correct because this:

openssl rsa  -inform PEM  -noout -modulus -in /home/user-data/ssl/ssl_private_key.pem
openssl x509 -noout -modulus -in /home/user-data/ssl/ssl_certificate.pem

results in different outputs. But I have no idea how to fix it. Can someone please help?

It sounds like you did everything right. The next thing would be to check that the CSR that you gave to Gandi was right. Can you paste the CSR? (It’s safe to share.)

Thanks for helping. This is the CSR:


openssl req -in request.csr -noout -text shows a modulus that starts 00:dc:01:3b:27:85:eb:34:54:60:fd:e3:f3:86:94.... Does that match either the private key or the certificate?

Only the certificate matches that modulus. The private key does not.

I used these commands, don’t know if I checked correctly.

Checking modulus of private key:

openssl rsa -noout -text -in ssl_private_key.pem -modulus

Checking modulus of certificate:

openssl x509 -noout -text -in ssl_certificate.pem -modulus

I think the best option is to start with a clean slate regarding ssl. What would be the best way to do this?

Hmm. I think the only way this could have happened is if the private key changed. Maybe check the dates on the files?

Anyway, yeah, you can replace the files in /home/user-data/ssl with all new things. Or delete them and rerun to re-create the private key and CSR (but then check that they match! :frowning: ).
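
The match check suggested above, written as a script. This is an added example, not part of the original thread or of Mail-in-a-Box; the function names and the script name are made up for illustration. It compares the public key in each file rather than the RSA modulus, so it also works for non-RSA keys.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a private key, a CSR and
# a certificate all carry the same public key before restarting nginx.
# Comparing the public key works for RSA and EC keys; -modulus is RSA-only.

# Print the SHA-256 of the DER-encoded public key found in a PEM file.
# $1 = key | csr | cert, $2 = path. Returns 1 if the file cannot be parsed.
pubkey_fp() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        # For a bundle (certificate followed by the intermediate), x509 reads
        # only the first block, which must be the server certificate.
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_tls_files KEY CSR CERT
# Returns 0 if all match, 1 on a mismatch, 2 if a file cannot be read.
check_tls_files() {
    k=$(pubkey_fp key  "$1") || { echo "cannot parse private key: $1" >&2; return 2; }
    r=$(pubkey_fp csr  "$2") || { echo "cannot parse CSR: $2" >&2; return 2; }
    c=$(pubkey_fp cert "$3") || { echo "cannot parse certificate: $3" >&2; return 2; }
    printf 'key  %s\ncsr  %s\ncert %s\n' "$k" "$r" "$c"
    if [ "$k" != "$c" ]; then
        echo "MISMATCH: certificate was not issued for this private key" >&2
        return 1
    fi
    if [ "$k" != "$r" ]; then
        echo "MISMATCH: CSR was not generated from this private key" >&2
        return 1
    fi
    echo "OK: key, CSR and certificate match"
}

# Usage: sh check_tls_files.sh KEY CSR CERT
if [ "$#" -eq 3 ]; then
    check_tls_files "$@"
fi
```

Only public-key fingerprints are printed, so the output is safe to paste into a support thread.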

Ok, fixed it now. The whats_next now says, among other things:
✓  SSL certificate is signed & valid.

I would expect then that if I connect to in the browser it would show me the correct certificate, but I still get a warning about a self-signed certificate, in both Safari and Firefox. Browser-cache was already flushed. My mail-client doesn’t complain about it anymore.

The test on says NOT TRUSTED

Any ideas?

After you installed the certificate you need to run service nginx restart. That might be it.

(Ideally this will be taken care of in the future through some management service like a web-based control panel.)

I thought I did that, but seems like I didn’t because now it works. Great! Thanks :smile:

I just had this error and noticed that /home/user-data/ssl/ was not updated to match ssl_private_key.pem.

Probably the same for the other certificates.

Note I did a manual install.

Hi. Can you please share how you fixed it? I have the same problem.