2

We have purchased a SHA-2 certificate from RapidSSL, but I can't for the life of me get it working! We first created out .key and .crt files on the destination server, using (obviously blanked out the important stuff);

openssl req -new -newkey rsa:2048 -nodes -out www_x.com.csr -keyout www_x_com.key -subj "/C=GB/ST=x/L=x/O=x/CN=www.x.com"

This created the .crt and .key files fine. Now, I saved the certificate they sent me as main.crt. Then, in the email they send me to:

https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=AR1549

On here, they have 2 SHA-2 intermediate certificates ... I'm assuming it the 2nd one I would need? (not even sure what the first one is!)

Then, after saving that I cat the files:

cat www_x.com.csr CA_Cert.crt > new.crt

(also tried it the other way around: cat CA_Cert.crt www_x.com.csr > new.crt , but neither work)

Then, in my nginx config I have:

ssl on; ssl_certificate /home/test/certs/new.crt; ssl_certificate_key /home/test/certs/www_x_com.key;

..then when I reboot, I get a failed error:

nginx[30762]: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/home/test/certs/www_x_com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

Can anyone help? I'm used to being provided with a ZIP file that has everything I need in it... but not so with these guys!

UPDATE: All working! Thanks everyone for your help. It turns out to be a double whammy:

1) The person I was doing this for (who purchased the SSL certificate), didn't think to enter the CSR code when generating the certificate =) 2) cat was putting the certificates with no break - so it was reading it all as one line

Other than that, it all seems to be working now. Glad that ones out of the way, it was driving me up the wall!!!

Improve this question
9
  • nginx.org/r/ssl_certificate Commented Sep 4, 2015 at 8:43
  • @MichaelHampton - thanks. All that tells me is: the primary certificate comes first, then the intermediate certificates. ... which I'm doing and it still fails (I've tried it with the CA first, then our crt... and vica versa... neither work) Commented Sep 4, 2015 at 8:46
  • @AndrewNewby Make sure each cert has -----BEGIN CERTIFICATE----- and end like this: -----END CERTIFICATE----- Between the certs there should be no line spaces Commented Sep 4, 2015 at 8:48
  • @Drifter104 - should it have newlines between the end of a one, and start of a new one? Mine has END, new line, START ... is that correct? I just feel like I'm missing something still, as there are only 2 certificates with in the main .crt Commented Sep 4, 2015 at 8:50
  • @AndrewNewby no it should be end start with no gap between Commented Sep 4, 2015 at 8:51

2 Answers 2

Reset to default
3

From the confirmation in the comments and from what you have put in the question

cat www_x.com.csr CA_Cert.crt > new.crt

What you should have done is

cat x.com.crt CA_Cert.crt > new.crt

The csr is used to pass to the CA which in this case RapidSSL, for them to create the crt.

Improve this answer
6
  • If this doesn't fix the issue then it is more then likely a problem in the process of creating/signing the certificate. So I would go back to step one and try again. Commented Sep 4, 2015 at 9:27
  • Thanks. The support team just replied to me about that mistake =) However, after doing it all again - I still get an error (different one now); "nginx: [emerg] PEM_read_bio_X509_AUX("/home/user/certs/test.crt") failed (SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line)" ... BTW - I did the cat using the CA first, and the the .crt file , as from what I've read up - the order makes a difference. Still no joy though Commented Sep 4, 2015 at 9:37
  • Thanks. Mine looks like the attached (minus the actual cert contents of course :D)- pastebin.com/g2wRDMPT Commented Sep 4, 2015 at 9:42
  • Ah I might of confused matters here with poor wording in another comment End Certificate then on the next line begin certificate. No blank line space in between, but on separate lines Commented Sep 4, 2015 at 9:44
  • OK pastebin.com/MdneUV0e is spot on, but you will only have two certs. Remember no csr in the crt you concatenated Commented Sep 4, 2015 at 9:50
3

"Key values mismatch" means that the private key you're pointing nginx to is not the same private key from which the public key in the corresponding certificate was derived. As Drifter104 mentioned, you appear to be concatenating the CSR with the intermediate CA certificate, which could definitely cause this problem (nginx will skip over the CSR and assume the intermediate cert is the end-entity cert, which would cause this problem). Otherwise, you've managed to get your keys mixed up, and if you can't find the correct key, you'll need to get a re-sign from the CA.

Improve this answer
4
  • yeah, turned out the client I was doing this for, didn't bother to enter his CSR value into the generator, when creating the SSL certificate... duh! Commented Sep 5, 2015 at 11:15
  • 1
    Well, that'll do it... Commented Sep 5, 2015 at 23:54
  • tell me about it. Wasn't too impressed when I found that out. 3-4 hours of my life wasted :/ Commented Sep 6, 2015 at 11:33
  • 1
    My keyid script is useful in situations like this; point it at everything (CSRs, certs, keys) and see where the key IDs don't match. Saves so much time. Commented Sep 6, 2015 at 22:09

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.