Discussion:
SSL problem failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
tophi
2011-02-17 15:36:16 UTC
Hello,
I'm not able to set up SSL and I need some help, please.
Here is what I have done already:
1. Followed this tutorial step by step:
http://nginx.groups.wuyasea.com/articles/how-to-setup-godaddy-ssl-certificate-on-nginx/2
2. Read this:
http://nginx.org/en/docs/http/configuring_https_servers.html
3. Read this and followed the second post step by step:
http://forum.nginx.org/read.php?2,98745,98757

I'm getting this error:
[***@x316 ssl]# /etc/init.d/nginx restart
[emerg]: SSL_CTX_use_PrivateKey_file("/root/ssl/site.com.key") failed
(SSL: error:0B080074:x509 certificate
routines:X509_check_private_key:key values mismatch)
configuration file /usr/local/nginx/conf/nginx.conf test failed

My certificate is from godaddy and is valid for 2 years.
output from dir:
[***@x316 ssl]# ls
gd_bundle.crt ssl.zip site.pem Site.crt Site.csr Site.com.key


Regards

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,176163,176163#msg-176163
Francis Daly
2011-02-17 15:58:04 UTC
On Thu, Feb 17, 2011 at 10:36:16AM -0500, tophi wrote:

Hi there,
I haven't looked at any of the documentation you linked to, but on
Post by tophi
[emerg]: SSL_CTX_use_PrivateKey_file("/root/ssl/site.com.key") failed
that filename
Post by tophi
gd_bundle.crt ssl.zip site.pem Site.crt Site.csr Site.com.key
and that last filename

are not the same. Suggest you either rename the .key file, or put the
right spelling in your .conf file.

Good luck with it,

f
--
Francis Daly francis-WAapifVIWUkdnm+***@public.gmane.org
John Feuerstein
2011-02-17 15:58:27 UTC
Hi,
Post by tophi
[emerg]: SSL_CTX_use_PrivateKey_file("/root/ssl/site.com.key") failed
(SSL: error:0B080074:x509 certificate
routines:X509_check_private_key:key values mismatch)
configuration file /usr/local/nginx/conf/nginx.conf test failed
make sure to re-read the section about chains:
http://nginx.org/en/docs/http/configuring_https_servers.html#chains

The message basically means that the key in your private key file (nginx
option "ssl_certificate_key") does not work for the _FIRST_ certificate
found in the chain file (nginx option "ssl_certificate").

Possible errors:

- chain in wrong order (own cert first, followed by intermediates)
- wrong private key
- wrong certificate
- corrupted private key file or chain (should all be in ASCII / PEM
container format), also check for broken line endings


Hope this helps,
John
tophi
2011-02-17 16:55:19 UTC
@Francis Daly
Re: SSL problem failed (SSL: error:0B080074:x509 certificate
routines:X509_check_private_key:key values mismatch) new
February 17, 2011 11:00AM

I have replaced my site with Site.com, but the paths in my conf. are
correct (small and capital letters)

@John Feuerstein
Have downloaded new chain from
https://certs.godaddy.com/anonymous/repository.seam - same result as
before.
Have also opened all files and replaced them manually (different
combinations) without white spaces, again - no luck :(
Then I just rm -rf /ssl and started new... 1. download ssl.rar from
godaddy's site, created dir, followed all steps, and - again, same
error ...

Something that confuses me is that on GoDaddy's website there is no
option to download a cert for Nginx, only for other servers. I have tried
to download Apache, then "Other". My gd_bundle.crt contains 3x
-----BEGIN CERTIFICATE----- and the one I downloaded from
https://certs.godaddy.com/anonymous/repository.seam (gd_intermediate)
only 1.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,176163,176205#msg-176205
AlexXF
2011-11-17 10:38:00 UTC
I've got this problem also, but solved!

There are two files that Gandi sent to you:
site.crt
site-bundle.crt

Use site.crt instead of site-bundle.crt. Nginx requires the certificate for
exactly the site only. So it is not required to use the chain (bundle)
certificate file.

Enjoy!

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,176163,218470#msg-218470
Maxim Dounin
2011-11-17 10:40:42 UTC
Hello!
Post by AlexXF
I've got this problem also, but solved!
site.crt
site-bundle.crt
Use site.crt instead of site-bundle.crt. Nginx requires the certificate for
exactly the site only. So it is not required to use the chain (bundle)
certificate file.
Both site certificate and bundle should be used. See here for
details:

http://nginx.org/en/docs/http/configuring_https_servers.html#chains

Maxim Dounin
AlexXF
2011-11-17 10:44:32 UTC
Anyway - it works after I've made those changes in the nginx.conf file.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,176163,218472#msg-218472
AlexXF
2011-11-17 10:53:05 UTC
Upd. It works for concatenated cert files also.

Looks like topic starter forgot to concatenate cert files before.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,176163,218473#msg-218473
Igor Sysoev
2011-11-17 11:36:17 UTC
Post by AlexXF
Upd. It works for concatenated cert files also.
Looks like topic starter forgot to concatenate cert files before.
He might have concatenated them in the wrong order or might have used only
site-bundle.crt.
--
Igor Sysoev
Igor Sysoev
2011-11-17 11:36:51 UTC
Post by AlexXF
Anyway - it works after I've made those changes in the nginx.conf file.
Browsers usually store intermediate certificates which they receive
and which are signed by trusted authorities, so actively used browsers
may already have the required intermediate certificates and may not
complain about a certificate sent without a chained bundle.
--
Igor Sysoev
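
Added example, not part of the thread: a check for the two causes discussed above, a key that does not belong to the first certificate in the ssl_certificate file and a site certificate and bundle concatenated in the wrong order. The function names, the "ok" / "wrong-order" / "no-match" labels and the sample file names are assumptions of this example; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example: which certificate in an nginx ssl_certificate file matches the key?
# Function names and the sample file names below are assumptions of this example.

# split_chain CHAIN DIR: write each PEM certificate to DIR/cert.N.pem, print the count.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }' "$1"
}

# matching_cert_index CHAIN KEY: print the 1-based position of the certificate whose
# public key equals the one derived from KEY, or 0 if no certificate matches.
matching_cert_index() {
    tmp=$(mktemp -d) || return 2
    want=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    count=$(split_chain "$1" "$tmp")
    found=0; i=1
    while [ -n "$want" ] && [ "$i" -le "$count" ]; do
        have=$(openssl x509 -in "$tmp/cert.$i.pem" -noout -pubkey 2>/dev/null)
        if [ "$have" = "$want" ]; then found=$i; break; fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "$found"
}

# diagnose CHAIN KEY: nginx checks the key against the FIRST certificate only.
diagnose() {
    case $(matching_cert_index "$1" "$2") in
        1) echo "ok" ;;
        0) echo "no-match" ;;      # wrong key, wrong certificate, or unreadable PEM
        *) echo "wrong-order" ;;   # site certificate present but not first in the file
    esac
}

# make_constructed_samples DIR: throwaway self-signed certs standing in for a site
# certificate and an intermediate (constructed test data, not real CA output).
make_constructed_samples() {
    for n in site ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n.example" \
            -keyout "$1/$n.key" -out "$1/$n.crt" 2>/dev/null || return 1
    done
    cat "$1/site.crt" "$1/ca.crt" > "$1/good.pem"      # site cert first
    cat "$1/ca.crt" "$1/site.crt" > "$1/reversed.pem"  # intermediates first
}

# Usage on real files: sh check_chain.sh chain.pem site.key
if [ "$#" -eq 2 ]; then diagnose "$1" "$2"; fi
```

A "wrong-order" result means the file only needs re-concatenating with the site certificate first; "no-match" means the key belongs to none of the certificates in the file.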