SSL Library Error: 185073780 key values mismatch

March 9, 2014
Hello all,

Recently I've been migrating a website from Dreamhost Shared Hosting to Linode VPS running Ubuntu 12.04 LTS with all updates installed. The site has SSL set up with Dreamhost through their web interface. I've been trying to get the SSL installed on the Linode side to no success.

I've followed instructions from RapidSSL:

https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO13985

Specifically, I've done the following:

sudo a2enmod ssl
sudo service apache2 restart
sudo mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
openssl genrsa -out .key 2048
openssl req -new -key .key -out .csr

Entered all X.509 attributes of the certificate with the exclusion of email address, challenge password, and optional company name as instructed by RapidSSL's website.

After that I extracted the data from the .csr file, made sure there were no empty spaces/hidden characters (using Notepad++), and submitted the CSR reissue request with Namecheap.

After approving and receiving the new certificates, namely:

certificate.crt
intermediate.crt

I added a NameVirtualHost IPaddress:443 in the ports (/etc/apache2/ports.conf) file, and also added an additional VirtualHost configuration in the config file:

SSLEngine On
SSLCertificateKeyFile /etc/apache2/ssl/private.key
SSLCertificateFile /etc/apache2/ssl/certificate.crt
SSLCACertificateFile /etc/apache2/ssl/intermediate.crt
ServerAdmin info@mydomain.com
ServerName www.mydomain.com
DocumentRoot /home/example_user/public/example_website/
ErrorLog /home/example_user/public/example_website/log/errorssl.log
CustomLog /home/example_user/public/example_website/log/accesssl.log combined

However, anytime after I save this setting and restart Apache2, it fails and the following shows up in the Error log:

[Fri Mar 07 14:59:57 2014] [error] Unable to configure RSA server private key
[Fri Mar 07 14:59:57 2014] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Any idea what's going on? I've looked at stack overflow posts such as:

SSL install problem - "key value mismatch" (but they do match?)
http://stackoverflow.com/questions/4658484/ssl-install-problem-key-value-mismatch-but-they-do-match

and

Apache2 SSL Certificate/Key mismatch
http://stackoverflow.com/questions/17990537/apache2-ssl-certificate-key-mismatch

But I've got nothing so far. Thanks in advance for the help!

5 Answers
If you want to make sure whether the keys match or not, run these commands accordingly:
1- first command for getting the decryption of your server certificate:
openssl x509 -noout -modulus -in /etc/yourcertificate.crt | openssl md5

2- 2nd command for your (RSA) private key you got from creating csr:
openssl rsa -noout -modulus -in /etc/private.key | openssl md5

Remember to change the file paths to fit where they are on your server.

If both values match, that means the private key is the right key for your certificate. If not, then contact your issuer to inform them of this problem.

You can test your site to see if your SSL crt is working or not through their site:

https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO9556

And remember that there is a specific order for the crt and its key, as follows:

your private key
your certificate
intermediate CA certificate
other CA certificates...
intermediate CA certificate highest in the hierarchy

http://stackoverflow.com/questions/4658484/ssl-install-problem-key-value-mismatch-but-they-do-match

Good luck!!
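
The comparison described in the answer above, as an added example that is not part of the original thread. It goes slightly further than the two commands shown: it hashes the whole public key instead of the RSA modulus (so it also works for non-RSA keys) and optionally checks the CSR against the same key. The function names `pubkey_hash` and `check_tls_pair` are made up for this example.

```shell
#!/bin/sh
# Added example: check that a certificate, a private key and (optionally)
# a CSR all carry the same public key. Paths are whatever you pass in.

# Print the SHA-256 of the DER-encoded public key held by a file.
# $1 = kind (cert | key | csr), $2 = path. Returns 1 if it cannot be parsed.
pubkey_hash() {
    case "$1" in
        cert) pem=$(openssl x509 -noout -pubkey -in "$2" 2>/dev/null) ;;
        key)  pem=$(openssl pkey -pubout -in "$2" 2>/dev/null) ;;
        csr)  pem=$(openssl req -noout -pubkey -in "$2" 2>/dev/null) ;;
        *)    return 1 ;;
    esac
    [ -n "$pem" ] || return 1   # empty output means openssl rejected the file
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Compare certificate ($1) with private key ($2) and optional CSR ($3).
# Returns 0 when everything matches, 1 on a mismatch, 2 on an unreadable file.
check_tls_pair() {
    cert_h=$(pubkey_hash cert "$1") || { echo "cannot parse certificate: $1" >&2; return 2; }
    key_h=$(pubkey_hash key "$2") || { echo "cannot parse private key: $2" >&2; return 2; }
    echo "certificate: $cert_h"
    echo "private key: $key_h"
    rc=0
    [ "$cert_h" = "$key_h" ] || { echo "MISMATCH: certificate was not issued for this key"; rc=1; }
    if [ -n "${3:-}" ]; then
        csr_h=$(pubkey_hash csr "$3") || { echo "cannot parse CSR: $3" >&2; return 2; }
        echo "csr:         $csr_h"
        [ "$csr_h" = "$key_h" ] || { echo "MISMATCH: CSR was not generated from this key"; rc=1; }
    fi
    return "$rc"
}

# Usage: ./check.sh certificate.crt private.key [request.csr]
[ "$#" -lt 2 ] || check_tls_pair "$@"
```

A mismatch between the CSR and the key on disk means the certificate was requested for a different key, which a reissue with the same CSR will not fix.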
Oops, should be from Dreamhost to DigitalOcean. Running on the $10 plan with 1GB ram etc.
Hi Tony!

Usually that means that the private key and the certificate do not match.

I found the following article that may help explain:

http://www.entrust.net/knowledge-base/technote.cfm?tn=5892

You may need to reach out to your SSL Certificate provider for more assistance.

Regards,
Will
Thank you to both for the help!

I double checked the keys, they match. So what I did was subscribe to an SSL trial with Symantec and Thawte and did the same procedures for the CSR request, etc. Guess what? It worked! Apache service restarted successfully, and https:// was working perfectly.

I'm guessing it has something to do with NameCheap's CSR generation request. I repeated that reissue process at least 5 times and Apache still tells me key mismatch.

I guess I'll file a ticket with them to see what's going on.

Thanks again!
I use Nginx and had the same issue. However, in your case it should be a lot easier.

When you get the email from Geotrust for your SSL certificate, you need to do the following:

http://www.rackspace.com/knowledge_center/article/installing-an-ssl-certificate-on-apache

However, I guess you need to be very careful, as one small mistake causes the certificate not to work, which is crazy...

https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO6252&actp=LIST&viewlocale=en_US

If you look at the URL above, it says that you must copy the exact crt code, beginning with 5 dashes ----- on both sides of the code, like this:
-----BEGIN CERTIFICATE-----
and end like this:
-----END CERTIFICATE-----

You just follow the rest of the instructions, and at last you can check whether both the RSA and your certificate from GeoTrust crt decryption match.

V.important:

I noticed that your crts are not lined up in the correct order. You put them like this:

SSLCertificateKeyFile /etc/apache2/ssl/private.key
SSLCertificateFile /etc/apache2/ssl/certificate.crt
SSLCACertificateFile /etc/apache2/ssl/intermediate.crt

and the correct way is this:

SSLCertificateFile /etc/apache2/ssl/certificate.crt
SSLCertificateKeyFile /etc/apache2/ssl/private.key
SSLCACertificateFile /etc/apache2/ssl/intermediate.crt

Restart your server after all this and check if it works or not...

Good luck!!