Question
SSL Library Error: 185073780 key values mismatch
- Posted March 9, 2014
Hello all,
Recently I’ve been migrating a website from Dreamhost Shared Hosting to Linode VPS running Ubuntu 12.04 LTS with all updates installed. The site has SSL set up with Dreamhost through their web interface. I’ve been trying to get the SSL installed on the Linode side to no success.
I’ve followed instructions from RapidSSL:
Specifically, I’ve done the following:
sudo a2enmod ssl sudo service apache2 restart sudo mkdir /etc/apache2/ssl cd /etc/apache2/ssl openssl genrsa -out <privatekeyfilename>.key 2048 openssl req -new -key <privatekeyfilename>.key -out <csrfilename>.csr
Entered all X.509 attributes of the certificate with the exclusion of email address, challenge password, and optional company name as instructed by RapidSSL’s website.
After that I extracted the data from the .csr file, made sure there were no empty spaces/hidden characters (using Notepad++), and submitted the CSR reissue request with Namecheap.
After approving and receiving the new certificates, namely: certificate.crt intermediate.crt
I added a NameVirtualHost IPaddress:443 in the ports (/etc/apache2/ports.conf) file, and also added an additional VirtualHost configuration in the config file:
<VirtualHost 12.34.56.78:443> SSLEngine On SSLCertificateKeyFile /etc/apache2/ssl/private.key SSLCertificateFile /etc/apache2/ssl/certificate.crt SSLCACertificateFile /etc/apache2/ssl/intermediate.crt
ServerAdmin info@mydomain.com ServerName www.mydomain.com DocumentRoot /home/example_user/public/example_website/ ErrorLog /home/example_user/public/example_website/log/errorssl.log CustomLog /home/example_user/public/example_website/log/accesssl.log combined </VirtualHost>
However, anytime after I save this setting and restart Apache2, it fails and the following shows up in the Error log:
[Fri Mar 07 14:59:57 2014] [error] Unable to configure RSA server private key [Fri Mar 07 14:59:57 2014] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Any idea what’s going on? I’ve looked at stack overflow posts such as: SSL install problem - “key value mismatch” (but they do match?) http://stackoverflow.com/questions/4658484/ssl-install-problem-key-value-mismatch-but-they-do-match and Apache2 SSL Certificate/Key mismatch http://stackoverflow.com/questions/17990537/apache2-ssl-certificate-key-mismatch
But I’ve got nothing so far.
Thanks in advance for the help!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
if you want to make sure whether they keys match or not, run these commands accordingly: <br>1- first command for getting the decryption of your server certificate: <br>openssl x509 -noout -modulus -in /etc/yourcertificate.crt | openssl md5
<br> <br>2- 2nd command for your (RSA) private key you got from creating csr: <br>openssl rsa -noout -modulus -in /etc/private.key | openssl md5 <br> <br>remember to change the files paths to fit where they are in your server. <br> <br>if both values match, that means the private key is the right key for your certificate. if not, then contact your issuer to inform this them with this problem. <br> <br>you can test your site to see if your SSL crt is working or not through their site: <br> <br>https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO9556 <br> <br>and remember that there is a specific order for crt and its key as follow: <br> <br>your private key <br>your certificate <br>intermediate CA certificate <br>other CA certificates… <br>intermediate CA certificate highest in the hierarchy <br> <br>http://stackoverflow.com/questions/4658484/ssl-install-problem-key-value-mismatch-but-they-do-match <br> <br>Good luck!!
if you want to make sure whether they keys match or not, run these commands accordingly: <br>1- first command for getting the decryption of your server certificate: <br>openssl x509 -noout -modulus -in /etc/yourcertificate.crt | openssl md5
<br> <br>2- 2nd command for your (RSA) private key you got from creating csr: <br>openssl rsa -noout -modulus -in /etc/private.key | openssl md5 <br> <br>remember to change the files paths to fit where they are in your server. <br> <br>if both values match, that means the private key is the right key for your certificate. if not, then contact your issuer to inform this them with this problem. <br> <br>you can test your site to see if your SSL crt is working or not through their site: <br> <br>https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO9556 <br> <br>and remember that there is a specific order for crt and its key as follow: <br> <br>your private key <br>your certificate <br>intermediate CA certificate <br>other CA certificates… <br>intermediate CA certificate highest in the hierarchy <br> <br>http://stackoverflow.com/questions/4658484/ssl-install-problem-key-value-mismatch-but-they-do-match <br> <br>Good luck!!
if you want to make sure whether they keys match or not, run these commands accordingly: <br>1- first command for getting the decryption of your server certificate: <br>openssl x509 -noout -modulus -in /etc/yourcertificate.crt | openssl md5
<br> <br>2- 2nd command for your (RSA) private key you got from creating csr: <br>openssl rsa -noout -modulus -in /etc/private.key | openssl md5 <br> <br>remember to change the files paths to fit where they are in your server. <br> <br>if both values match, that means the private key is the right key for your certificate. if not, then contact your issuer to inform this them with this problem. <br> <br>you can test your site to see if your SSL crt is working or not through their site: <br> <br>https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO9556 <br> <br>and remember that there is a specific order for crt and its key as follow: <br> <br>your private key <br>your certificate <br>intermediate CA certificate <br>other CA certificates… <br>intermediate CA certificate highest in the hierarchy <br> <br>http://stackoverflow.com/questions/4658484/ssl-install-problem-key-value-mismatch-but-they-do-match <br> <br>Good luck!!
if you want to make sure whether they keys match or not, run these commands accordingly: <br>1- first command for getting the decryption of your server certificate: <br>openssl x509 -noout -modulus -in /etc/yourcertificate.crt | openssl md5
<br> <br>2- 2nd command for your (RSA) private key you got from creating csr: <br>openssl rsa -noout -modulus -in /etc/private.key | openssl md5 <br> <br>remember to change the files paths to fit where they are in your server. <br> <br>if both values match, that means the private key is the right key for your certificate. if not, then contact your issuer to inform this them with this problem. <br> <br>you can test your site to see if your SSL crt is working or not through their site: <br> <br>https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO9556 <br> <br>and remember that there is a specific order for crt and its key as follow: <br> <br>your private key <br>your certificate <br>intermediate CA certificate <br>other CA certificates… <br>intermediate CA certificate highest in the hierarchy <br> <br>http://stackoverflow.com/questions/4658484/ssl-install-problem-key-value-mismatch-but-they-do-match <br> <br>Good luck!!
if you want to make sure whether they keys match or not, run these commands accordingly: <br>1- first command for getting the decryption of your server certificate: <br>openssl x509 -noout -modulus -in /etc/yourcertificate.crt | openssl md5
<br> <br>2- 2nd command for your (RSA) private key you got from creating csr: <br>openssl rsa -noout -modulus -in /etc/private.key | openssl md5 <br> <br>remember to change the files paths to fit where they are in your server. <br> <br>if both values match, that means the private key is the right key for your certificate. if not, then contact your issuer to inform this them with this problem. <br> <br>you can test your site to see if your SSL crt is working or not through their site: <br> <br>https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO9556 <br> <br>and remember that there is a specific order for crt and its key as follow: <br> <br>your private key <br>your certificate <br>intermediate CA certificate <br>other CA certificates… <br>intermediate CA certificate highest in the hierarchy <br> <br>http://stackoverflow.com/questions/4658484/ssl-install-problem-key-value-mismatch-but-they-do-match <br> <br>Good luck!!
I use Nginx and had the same issue. however, in your case it should be a lot easier. <br> <br>when you get the email from Geotrust for your SSL certificate, you need to do the following: <br> <br>http://www.rackspace.com/knowledge_center/article/installing-an-ssl-certificate-on-apache <br> <br>however, I guess you need to be very careful as one small mistake cause the certificate not to work, which is crazy… <br> <br>https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO6252&actp=LIST&viewlocale=en_US <br> <br>if you look at the url above, it says that you must copy exact crt code beginning with 5 dashes ----- from both sides of the code like this: <br>-----BEGIN CERTIFICATE----- <br>and end like this: <br>-----END CERTIFICATE----- <br> <br>you just follow the rest of the instructions and at last you can check whether both RSA and your certificate from GeoTrust crt decryption match <br> <br>V.important: <br> <br>I noticed that your crts are not lined up in the correct order, you put them like this: <br> <br>SSLCertificateKeyFile /etc/apache2/ssl/private.key <br>SSLCertificateFile /etc/apache2/ssl/certificate.crt <br>SSLCACertificateFile /etc/apache2/ssl/intermediate.crt <br> <br>and the correct way is this: <br> <br>SSLCertificateFile /etc/apache2/ssl/certificate.crt <br>SSLCertificateKeyFile /etc/apache2/ssl/private.key <br>SSLCACertificateFile /etc/apache2/ssl/intermediate.crt <br> <br>restart your server after all and check if it works or not… <br> <br>Good luck!!
Thank you to both for the help! <br> <br>I double checked the keys, they match. So what I did was subscribe an SSL trial with Symantec and Thawte and did the same procedures for CSR request…etc.etc. Guess what? It worked! Apache service restarted successfully, and https:// was working perfectly. <br> <br>I’m guessing it has something to do with NameCheap’s CSR generation request. I repeated that reissue process at least 5 times and apache still tells me key mismatch. <br> <br>I guess I’ll file a ticket with them to see what’s going on. <br> <br>Thanks again!
Hi Tony! <br> <br>Usually that means that the private key and the certificate do not match. <br> <br>I found the following article that may help explain: <br> <br>http://www.entrust.net/knowledge-base/technote.cfm?tn=5892 <br> <br>You may need to reach out to your SSL Certificate provider for more assistance. <br> <br>Regards, <br>Will <br>
Oops, should be from Dreamhost to DigitalOcean. Running on the $10 plan with 1GB ram etc.