Nginx SSL error

nginx is failing to start with an SSL error. Have checked the modulus of the certificate and key with output below.

SSL is working for mail services, but no http or https services have started.

I'm stuck on starting the web services without introducing TLS warnings on the mail side, i.e. deleting the ssl folder and regenerating a self-signed cert.

Any thoughts?

openssl rsa -noout -modulus -in ssl_private_key.pem | openssl md5
(stdin)= f7c42aa6eed1af8815d3218d385a040a
openssl x509 -noout -modulus -in ssl_certificate.pem | openssl md5
(stdin)= f7c42aa6eed1af8815d3218d385a040a

nginx -t
nginx: [warn] “ssl_stapling” ignored, issuer certificate not found
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/home/user-data/ssl/ssl_private_key.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed

Run python3 management/status_checks.py. It may be one of the other certificates for a different domain.

Output from status_checks.py

System

Could not load host key: /etc/ssh/ssh_host_ed25519_key
✖ HTTP Web (nginx) is not running ([Errno 111] Connection refused; port 80).
nginx: [warn] “ssl_stapling” ignored, issuer certificate not found
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/home/user-data/ssl/ssl_private_key.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed
✖ HTTPS Web (nginx) is not running ([Errno 111] Connection refused; port 443).
nginx: [warn] “ssl_stapling” ignored, issuer certificate not found
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/home/user-data/ssl/ssl_private_key.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed
✓ SSH disallows password-based login.
✓ System software is up to date.
✓ System administrator address exists as a mail alias. [administrator@mail.stack4.net ↦ matt@stack4.net]
✓ The disk has 11.8 GB space remaining.

Network

✓ Outbound mail (SMTP port 25) is not blocked.
✓ IP address is not blacklisted by zen.spamhaus.org.

mail.stack4.net

✓ Nameserver glue records are correct at registrar. [ns1/ns2.mail.stack4.net ↦ 45.32.243.0]
✓ Domain resolves to box’s IP address. [mail.stack4.net ↦ 45.32.243.0]
✓ Reverse DNS is set correctly at ISP. [45.32.243.0 ↦ mail.stack4.net]
✓ The DANE TLSA record for incoming mail is correct (_25._tcp.mail.stack4.net).
✓ Hostmaster contact address exists as a mail alias. [hostmaster@mail.stack4.net ↦ administrator@mail.stack4.net]
✓ Domain’s email is directed to this domain. [mail.stack4.net ↦ 10 mail.stack4.net]
✓ Postmaster contact address exists as a mail alias.
✓ Domain is not blacklisted by dbl.spamhaus.org.
✓ SSL certificate is signed & valid. The certificate expires in 349 days on 07/12/16.

stack4.net

✓ Nameservers are set correctly at registrar. [ns1.mail.stack4.net; ns2.mail.stack4.net]
✓ Domain’s email is directed to this domain. [stack4.net ↦ 10 mail.stack4.net]
✓ Postmaster contact address exists as a mail alias.
✓ Domain is not blacklisted by dbl.spamhaus.org.
✓ Domain resolves to this box’s IP address. [stack4.net ↦ 45.32.243.0]
✓ SSL certificate is signed & valid. The certificate expires in 349 days on 07/12/16.

Figured it out.

Because I hadn’t bothered to install the SSL certificates for the other domains, when I replaced the root private_key, the self-signed certificates in the other directories didn’t match.

status_checks.py didn’t reveal any errors.

By copying the root self-signed private key to each sub directory before replacing, nginx was able to restart.

What caught me out is that if the key is replaced while nginx is running, everything will keep running, but not survive a reboot or service restart.
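A check that would flag this state before a restart, as an added example that is not part of the original post: it compares the public key of every ssl_certificate.pem under a directory with the private key that would be loaded alongside it. The layout (one root key, per-domain subdirectories that may hold their own key) is an assumption drawn from the thread, the function names are hypothetical, and it goes beyond the modulus check above by comparing whole public keys so that non-RSA keys work too.

```shell
#!/bin/sh
# Added example: report certificate/key pairs that nginx would refuse to load.

# Print the public key (PEM) embedded in a certificate / derived from a key.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# pair_matches CERT KEY
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
pair_matches() {
    cert_pub=$(pubkey_of_cert "$1") || return 2
    key_pub=$(pubkey_of_key "$2") || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_tree ROOT
# Tests every ssl_certificate.pem under ROOT against the ssl_private_key.pem
# beside it, or against ROOT's key when the directory has none (assumed
# layout). Prints one line per pair and returns the number of bad pairs.
check_tree() {
    root=$1
    bad=0
    list=$(mktemp)
    find "$root" -type f -name ssl_certificate.pem > "$list"
    while IFS= read -r cert; do
        key=$(dirname "$cert")/ssl_private_key.pem
        [ -f "$key" ] || key=$root/ssl_private_key.pem
        if pair_matches "$cert" "$key"; then
            echo "OK        $cert"
        else
            echo "MISMATCH  $cert (key: $key)"
            bad=$((bad + 1))
        fi
    done < "$list"
    rm -f "$list"
    return "$bad"
}

# Stand-alone use: sh check_pairs.sh /home/user-data/ssl
if [ $# -gt 0 ]; then
    check_tree "$1"
fi
```

Because a running nginx keeps the key it loaded at start, running this after any key replacement, followed by `nginx -t`, shows the mismatch while the old process is still serving.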

You replaced the private key and didn’t mention it in your initial post? Come on…

I have a similar problem…

Mine is that one of my administrators started the install of Mail-in-a-Box on a production webserver running Discourse… The install failed and the server was rebooted. When the server came back up, this happened:

[quote=“matt, post:4, topic:707”]What caught me out is that if the key is replaced while nginx is running, everything will keep running, but not survive a reboot or service restart.
[/quote]

I haven’t been able to restart nginx again, and I really don’t understand how to fix it and get Discourse back up…
I was able to remove the SSL errors but I still keep getting an error about conflicting server name.

The error I keep getting is:

* Restarting nginx nginx
nginx: [warn] conflicting server name "www.everythingisgoon.com" on 107.170.153.215:80, ignored
nginx: [warn] conflicting server name "everythingisgoon.com" on 107.170.153.215:80, ignored
nginx: [warn] conflicting server name "www.everythingisgoon.com" on 107.170.153.215:80, ignored
nginx: [warn] conflicting server name "everythingisgoon.com" on 107.170.153.215:80, ignored

Please advise.

Probably you’ve got multiple references to “listen 80” and everythingisgoon.com / www.everythingisgoon.com within all of the file structure of /etc/nginx/conf.d.

Consider the last answer here.

The solution was avoiding more than one reference (if you consider all of the conf.d files as a whole) to “listen 80” and “server_name” references …
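One way to locate the duplicates described in this answer, as an added example that is not part of the thread: it lists every listen/server_name pair that is declared by more than one server block across the files given. The function name is hypothetical, and the parser assumes one directive per line with `server {` on a single line; listen values are compared as written, so `80` and `*:80` are not treated as equal.

```shell
#!/bin/sh
# Added example: find listen/server_name pairs declared in several server blocks.

# find_conflicts FILE...
# Prints "LISTEN NAME <- file:line, file:line" for each pair seen more than once.
find_conflicts() {
    awk '
    { sub(/#.*/, "") }                        # strip nginx comments
    /^[ \t]*server[ \t]*[{]/ {                # start of a server block
        in_srv = 1; depth = 0; nl = 0; nn = 0
        start = FILENAME ":" FNR
    }
    in_srv && /^[ \t]*listen[ \t]/ {          # keep only the address/port argument
        l = $2; sub(/;.*/, "", l); listens[nl++] = l
    }
    in_srv && /^[ \t]*server_name[ \t]/ {     # a directive may carry several names
        for (i = 2; i <= NF; i++) {
            n = $i; sub(/;.*/, "", n)
            if (n != "") names[nn++] = n
        }
    }
    in_srv {
        # track nesting so location blocks do not end the server block early
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        if (depth == 0) {
            for (a = 0; a < nl; a++) for (b = 0; b < nn; b++) {
                k = listens[a] " " names[b]
                seen[k] = (k in seen) ? seen[k] ", " start : start
                count[k]++
            }
            in_srv = 0
        }
    }
    END { for (k in count) if (count[k] > 1) print k " <- " seen[k] }
    ' "$@" | sort
}

# Stand-alone use: sh find_conflicts.sh /etc/nginx/conf.d/*
if [ $# -gt 0 ]; then
    find_conflicts "$@"
fi
```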