Certificate Error

S
  • 15 Dec '22
Hi All,
I would really appreciate some help with this sticky problem. I am
using nginx as a reverse proxy. I have version 1.20.1 running on
FreeBSD 13.1. Today I set up for a new domain. I got a wildcard
certificate for mydomain.com from GoDaddy. I put the paths in
nginx.conf but when I run nginx -t
I get the following error:

nginx: [emerg] SSL_CTX_use_PrivateKey("/usr/local/etc/nginx/ssl/domain.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed

When I ran the test below to check the Public and Private keys, I get
back the same checksum so I guess the Certs must be ok.
# openssl rsa -modulus -in domain.com.key -noout | md5sum
# openssl x509 -modulus -in domain.com.crt -noout | md5sum

This is the relevant section in my nginx.conf
server {
    if ($country_access = no) {
        return 403;
    }
    listen 443 ssl http2;
    server_tokens off;
    more_clear_headers Server;
    server_name this.domain.com;
    ssl_certificate ssl/gd_bundle-g2-g1.crt;
    ssl_certificate_key ssl/domain.com.key;
    ssl_dhparam ssl/dhparams.pem;
    ssl_ecdh_curve secp384r1;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate ssl/domain.com.crt;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 10s;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA38
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 1h;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=31536000;includeSubDomains" always;
    access_log /var/log/nginx/access.log main;
    log_not_found on;
}
L
  • 15 Dec '22
You can inspect the certificate at

https://www.ssllabs.com/ssltest/

Maybe you will get lucky and it will help you find out what is wrong. 

----- Original Message -----

From: softwareinfojam at gmail.com
Sent: December 14, 2022 7:02 PM
To: nginx at nginx.org
Reply-to: nginx at nginx.org
Subject: Certificate Error

[...]
M
  • 15 Dec '22
Hello!

On Wed, Dec 14, 2022 at 10:02:04PM -0500, Software Info wrote:

> Hi All,
> I would really appreciate some help with this sticky problem. I am
> using nginx as a reverse proxy. I have version 1.20.1 running on
> FreeBSD 13.1. Today I set up for a new domain. I got a wildcard
> certificate for mydomain.com from GoDaddy. I put the paths in
> nginx.conf but when I run nginx -t
> I get the following error: nginx:
> [emerg] SSL_CTX_use_PrivateKey("/usr/local/etc/nginx/ssl/domain.com.key")
> failed (SSL: error:0B080074:x509 certificate
> routines:X509_check_private_key:key values mismatch)
> nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
> 
> When I ran the test below to check the Public and Private keys, I get
> back the same checksum so I guess the Certs must be ok.
> # openssl rsa -modulus -in domain.com.key -noout | md5sum
> # openssl x509 -modulus -in domain.com.crt -noout | md5sum
> 
> This is the relevant section in my nginx.conf

[...]

>          ssl_certificate ssl/gd_bundle-g2-g1.crt;
>          ssl_certificate_key ssl/domain.com.key;

You are using "gd_bundle-g2-g1.crt" instead of "domain.com.crt"; this 
looks like the culprit.

See 

http://nginx.org/en/docs/http/configuring_https_servers.html

for some basic tips about configuring HTTPS servers.

[...]

>          ssl_trusted_certificate ssl/domain.com.crt;

And this also looks incorrect.

Hope this helps.

-- 
Maxim Dounin
http://mdounin.ru/
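The check below is an added example and is not code from the thread or from nginx. It tests what nginx itself tests at startup: that the private key in ssl_certificate_key belongs to the first certificate in the ssl_certificate file (nginx treats that first PEM block as the server certificate and any following blocks as the chain). The original poster compared the key against domain.com.crt, which passed, while nginx was loading gd_bundle-g2-g1.crt, whose first block is a CA certificate. Comparing SHA-256 hashes of the DER-encoded public key works for RSA and EC keys alike, unlike the RSA-only "openssl rsa -modulus" form. All file names and the throwaway CA are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a private key matches the
# FIRST certificate in a PEM file, and tell a CA bundle apart from a leaf cert.
# Requires the openssl CLI (1.1.1 or newer for -addext).
set -eu

# SHA-256 of the DER-encoded public key derived from a private key (RSA or EC)
key_pub_fp() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key of the first certificate in a PEM file;
# "openssl x509" reads only the first certificate, exactly as nginx picks its leaf
cert_pub_fp() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Prints "match" when the key belongs to the first certificate in the file,
# otherwise "mismatch" (the condition behind "key values mismatch" in nginx -t)
key_matches_first_cert() {
    if [ "$(key_pub_fp "$1")" = "$(cert_pub_fp "$2")" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Prints "yes" if the first certificate in the file carries basicConstraints
# CA:TRUE (a CA bundle such as gd_bundle-g2-g1.crt starts with one), "no" for a leaf
first_cert_is_ca() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo yes
    else
        echo no
    fi
}

# Demo: build a throwaway CA and a leaf signed by it (constructed data), then test
# the misconfiguration from the thread (CA bundle in ssl_certificate) against the
# fix (leaf certificate followed by the chain in one file).
run_demo() {
    tmp=$(mktemp -d)
    (
        cd "$tmp"
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
            -keyout ca.key -out ca_bundle.crt -subj "/CN=Demo CA" -days 1 \
            -addext "basicConstraints=critical,CA:TRUE" 2>/dev/null
        openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
            -keyout domain.key -out domain.csr -subj "/CN=this.domain.com" 2>/dev/null
        openssl x509 -req -in domain.csr -CA ca_bundle.crt -CAkey ca.key \
            -CAcreateserial -out domain.crt -days 1 2>/dev/null
        cat domain.crt ca_bundle.crt > fullchain.crt
        printf '%s %s %s %s\n' \
            "$(key_matches_first_cert domain.key ca_bundle.crt)" \
            "$(key_matches_first_cert domain.key fullchain.crt)" \
            "$(first_cert_is_ca ca_bundle.crt)" \
            "$(first_cert_is_ca fullchain.crt)"
    )
    rm -rf "$tmp"
}

run_demo   # prints: mismatch match yes no
```

Run key_matches_first_cert against the file named in ssl_certificate, not against whichever certificate file happens to carry the domain name. The first result reproduces the error from the thread (key checked against the CA bundle), the second shows the working layout (leaf first, then the chain). For ssl_trusted_certificate, the nginx documentation describes it as the trusted CA certificates used to verify OCSP responses when ssl_stapling_verify is on, so it should point at the CA chain rather than at the server certificate.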