13

I am trying to install an SSL certificate on my Ubuntu server. I have purchased the certificate from my CA and have downloaded the certificate itself and an intermediate certificate. As so:

my certificate: mydomain.crt
intermediate certificate: GandiStandardSSLCA.pem

I also have (made using openssl)

my private key (?): mydomain.key
and signing request: mydomain.csr

I have uploaded all these files to my server and followed a guide to combine my certificate with the intermediate:

cat mydomain.crt GandiStandardSSLCA.pem > mydomain-bundle.crt 

I then add the following to my vhost's config:

listen 443 ssl;
ssl_certificate /etc/nginx/ssl/mydomain-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/mydomain.key;

But when I go to restart nginx I get this error:

* Restarting nginx
* Stopping nginx nginx [ OK ]
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/mydomain.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed

Any ideas why and how to solve?

2
  • What does "openssl verify -untrusted ca-bundle mydomain-bundle.crt" say? Commented Jan 30, 2014 at 22:15
  • What is ca-bundle? Commented Jan 30, 2014 at 22:43

1 Answer 1

23

Does your key list OK?

openssl rsa -in /etc/nginx/ssl/mydomain.key

Do the moduli of the key and the cert match?

openssl x509 -in mydomain.crt -modulus
openssl rsa -in qa.server.key -modulus

These numbers must match.

6
  • Yes, the key lists OK and the moduli match. I could only list it as root though. Could it be an ownership issue? Commented Jan 30, 2014 at 22:42
  • Assuming qa.server.key is my private key. Commented Jan 30, 2014 at 23:02
  • Note that the order of concatenation of the certificates (SSL cert and Intermediate) is crucial. @davey's answer helped me figure out that I had a wrong aggregated crt. Commented Oct 13, 2016 at 16:27
  • Excellent. I was using the wrong file for ssl_certificate. The modulus commands helped me figure out that was the issue. Genius! Commented Oct 8, 2017 at 12:34
  • If they don't match? Then what... Commented Aug 5, 2019 at 15:03
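
The key/certificate comparison from the answer, applied to the concatenated bundle that nginx actually loads, as an added example that is not part of the original answer or comments. It compares public-key fingerprints so the private key is never printed; the helper names (`pubkey_fp`, `check_pair`, `make_demo_files`) and the generated `*.example` certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). nginx pairs ssl_certificate_key
# with the FIRST certificate in the ssl_certificate file, so that is what we check.

# pubkey_fp cert|key FILE -> SHA-256 of the PEM-encoded public key.
# For a bundle, "openssl x509" reads only the first certificate in the file.
pubkey_fp() {
    case "$1" in
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_pair BUNDLE KEY -> 0 if the first certificate in BUNDLE belongs to KEY,
# 1 on mismatch, 2 if either file cannot be parsed.
check_pair() {
    cert_fp=$(pubkey_fp cert "$1") || { echo "cannot read certificate: $1" >&2; return 2; }
    key_fp=$(pubkey_fp key "$2") || { echo "cannot read key: $2" >&2; return 2; }
    echo "cert: $cert_fp"
    echo "key:  $key_fp"
    [ "$cert_fp" = "$key_fp" ]
}

# make_demo_files DIR: constructed sample data. Two self-signed certificates
# stand in for the site certificate and the CA intermediate.
make_demo_files() {
    for n in leaf intermediate; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n.example" \
            -keyout "$1/$n.key" -out "$1/$n.crt" 2>/dev/null || return 1
    done
    cat "$1/leaf.crt" "$1/intermediate.crt" > "$1/good-bundle.crt"  # site cert first
    cat "$1/intermediate.crt" "$1/leaf.crt" > "$1/bad-bundle.crt"   # wrong order
}

if [ "$#" -eq 2 ]; then
    # Real use: sh check.sh /etc/nginx/ssl/mydomain-bundle.crt /etc/nginx/ssl/mydomain.key
    if check_pair "$1" "$2"; then echo "match"; else echo "MISMATCH or unreadable input"; fi
else
    demo=$(mktemp -d) && make_demo_files "$demo" || exit 1
    for b in good-bundle.crt bad-bundle.crt; do
        if check_pair "$demo/$b" "$demo/leaf.key" >/dev/null; then echo "$b: match"
        else echo "$b: key values mismatch"; fi
    done
    rm -rf "$demo"
fi
```

Run with no arguments it builds the constructed demo and shows that the same key matches the correctly ordered bundle but not the reversed one.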
