Cert and key do not match

I think this is a certificate problem, not an Apache problem, so I hope someone here can help me:
I used wacs.exe on windows to generate the SSL-files. Put them in my Apache config, but when I start Apache, I get the error:
cert and key do not match

My domain is: scoutingtono.nl

I ran this command:

  • Run command line as Administrator
  • run wacs.exe --force
    Within wacs.exe:
  • M (Create new certificate (full options))
  • 1 (Manual input)
  • Enter host names: scoutingtono.nl,www.scoutingtono.nl
  • Suggested friendly name ‘[Manual] scoutingtono.nl’:
  • 1 ([http-01] Save verification files on (network) path
  • Path to root of site: D:\websites\nl\scoutingtono\www
  • Copy default Web.config before validation?: y
  • 2: RSA key
  • 2 PEM encoded files (Apache, nginx, etc.)
  • Path to folder where .pem files are stored: C:\Server\certificates\certificaatfiles\nl\scoutingtono\www
  • 3: No (additional) store steps
  • 4: No (additional) installation steps
  • Do you want to install the certificate?: y
  • < Store with PemFiles…>
    <Exporting .pem files to C:\Server\certificates\certificaatfiles\nl\scoutingtono\www>
  • Do you want to automatically renew this certificate: y

<Path c:\Server\certificates\script>
<Command wacs.exe --renew --baseuri "https://acme-staging-v02.api.letsencrypt.org/">
<Start at 09:00:00>
<Time limit 02:00:00>

  • Do you want to specify the user the task will run as?: n

It produced this output:
In the directory C:\Server\certificates\certificaatfiles\nl\scoutingtono\www, there are now 3 files:
scoutingtono.nl-chain.pem
scoutingtono.nl-crt.pem
scoutingtono.nl-key.pem

My web server is (include version): Apache 2.4.27 as part of Wamp-server

The operating system my web server runs on is (include version): Windows 10

My hosting provider, if applicable, is: Hosting myself (yes, on the computer in the basement)

I can login to a root shell on my machine (yes or no, or I don’t know): I can log in as Administrator

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): WIN-ACME (from www.win-acme.com), 2.1.6.1 (64-bit, pluggable)

Contents of Apache httpd-vhosts.conf:

<VirtualHost *:443>
ServerAdmin webmaster@scoutingtono.nlt
ServerName www.scoutingtono.nl

DocumentRoot D:/websites/nl/scoutingtono/www/

RewriteEngine On

# Redirect to the correct domain name

RewriteCond %{HTTP_HOST} !^www.scoutingtono.nl$ [NC]
RewriteRule ^/?(.*)$ https://www.scoutingtono.nl/$1 [NE,L,R=301]

SSLEngine on
SSLCertificateFile      "C:/Server/certificates/certificaatfiles/nl/scoutingtono/www/scoutingtono.nl-crt.pem"
SSLCertificateKeyFile   "C:/Server/certificates/certificaatfiles/nl/scoutingtono/www/scoutingtono.nl-key.pem"
SSLCertificateChainFile "C:/Server/certificates/certificaatfiles/nl/scoutingtono/www/scoutingtono.nl-chain.pem"

# Allow a dot (.) in the temporary directory which is created by win-acme
<Directory "D:/websites/nl/scoutingtono/www/.well_known">
  Options Indexes FollowSymLinks MultiViews
  AllowOverride None
  Order allow,deny
  Allow from all
</Directory>
...

When I start Apache, I get the error message:
Certificate and private key www.scoutingtono.nl:443:0 from C:/Server/certificates/certificaatfiles/nl/scoutingtono/www/scoutingtono.nl-crt.pem and C:/Server/certificates/certificaatfiles/nl/scoutingtono/www/scoutingtono.nl-key.pem do not match

How should I proceed?
Many thanks in advance!

I found on DigiCert (https://knowledge.digicert.com/solution/SO28996.html) that I can check the key and certificate. So I ran
… echo "--Certificate:" && openssl x509 -noout -modulus -in scoutingtono.nl-crt.pem && echo "--key:" && openssl rsa -noout -modulus -in scoutingtono.nl-key.pem

The result:

"--Certificate:"
Modulus=A11D5E3C919073438243F87B321F12B5D88DAAE6D884CE0A505CAB301CBE9F7DC725DF
[snip]
"--key:"
Modulus=9631937D8FE18AA2761C0AB447BC6F3355067CFDDE15759B38FB5ACFFCD9A406A86FB9
[snip]

As you can see, they do indeed not match.
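The modulus comparison above only works for RSA keys. A more general check, added here as an example and not part of the original thread, is to extract the public key from both files and compare a hash of it; this works for RSA and EC keys alike. The script below builds its own throwaway key pair, self-signed certificate and an unrelated second key in a temporary directory (constructed test data, not the poster's files), then shows a match and a mismatch.

```shell
#!/bin/sh
# Added example: does a certificate belong to a private key?
# Compare the SHA-256 of the public key found in the certificate with the
# SHA-256 of the public key derived from the private key. Unlike
# "openssl rsa -modulus", this handles RSA and EC keys. Requires openssl.
set -eu

DEMO_DIR=""

# SHA-256 fingerprint of the SubjectPublicKeyInfo inside a certificate.
cert_pubkey_fp() {
    openssl x509 -noout -pubkey -in "$1" | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key derived from a private key file.
key_pubkey_fp() {
    openssl pkey -pubout -in "$1" 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when certificate $1 and private key $2 carry the same public key.
keys_match() {
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Constructed test data: key-A with a self-signed cert for it, plus an
# unrelated key-B that was never used for any certificate.
make_demo() {
    DEMO_DIR=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$DEMO_DIR/key-A.pem" 2>/dev/null
    openssl req -new -x509 -key "$DEMO_DIR/key-A.pem" -days 1 \
        -subj "/CN=example.test" -out "$DEMO_DIR/cert-A.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$DEMO_DIR/key-B.pem" 2>/dev/null
}

# Report one cert/key pair in the same wording Apache uses in its error.
report() {
    if keys_match "$1" "$2"; then
        echo "$(basename "$1") and $(basename "$2"): match"
    else
        echo "$(basename "$1") and $(basename "$2"): do not match"
    fi
}

main() {
    make_demo
    report "$DEMO_DIR/cert-A.pem" "$DEMO_DIR/key-A.pem"
    report "$DEMO_DIR/cert-A.pem" "$DEMO_DIR/key-B.pem"
    rm -rf "$DEMO_DIR"
}

main
```

To check real files, call `keys_match /path/to/crt.pem /path/to/key.pem` and look at the exit status; the fingerprints are also handy for matching a key against the certificate a live server presents (`openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -noout -pubkey`), which is a quicker way to see whether the certificate on port 443 is really the one you just issued.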

Running Win-acme again has the same result.

I finally figured out how to use https://check-your-website.server-daten.de/

I also have a mailserver running. Here I used a self-signed certificate, where the mailserver handles everything about the certificate.
When I take a look at https://check-your-website.server-daten.de/?q=scoutingtono.nl , I see this self-signed certificate from my mailserver. Could it be this old self-signed certificate is the origin of the key/cert matching problems I am having?

And if this is likely the problem, how should I proceed? Can I revoke the self-signed certificate (I want to replace this old certificate with one from Let's Encrypt anyway)?

Any help is highly appreciated!

Hi @rspruit

that's a general error.

A "key" is always a key pair - private key and public key.

But you have two "keys". And you mix the private key from your first key with the public key from your second key.

That's always wrong and can't work.

So you use the wrong private key file -> find the correct private key that matches to your public key.

No, that's a completely different problem.

First, you have to find your correct private key. Then you can use the key pair - with your port 443 and with your mail server. Simple replacement is enough, revoking something isn't required.

Thank you for your advice. I really appreciate it.

Now off to find the original private key, for I have no idea where to look, or why there are two private/public-key pairs in the first place.

I don't know. It's a very untypical problem.

Looks like you have copied some files manually, then the wrong private key was used.

Still: thanks anyway, really appreciate this.

I have searched everywhere I can think of, and can not find another key. As far as I can remember, I have not copied or moved any files. I even checked the waste bin, which has not been cleaned since I started making keys.

Can I create a totally new private/public key pair? Maybe if I delete the current key and all files in C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates, win-acme will create a new pair for me?

I actually solved this, a bit to my surprise.

As a subdirectory of my mailserver, I found some folders I had no access to. However, with admin privileges, I was able to access them. In the folder C:\Program Files\Kerio\MailServer\dbSSL, I found a file with the name
key.pem, with a key in it.

So I copied this key to the directory where I generate the Let's Encrypt keys, and ran (with admin privileges):

WACS.exe --pkfile ../certificates/key.pem

and created my certificates as stated in an earlier posting here.
With the generated files I ran:

echo "-Certificate:" && openssl x509 -noout -modulus -in scoutingtono.nl-crt.pem && echo "-key:" && openssl rsa -noout -modulus -in scoutingtono.nl-key.pem

The result? A matching key and certificate.

I updated the configuration of my Apache webserver, solved some other problem, and now my website is secured!

So, somehow, WIN-ACME found the key of the webserver, either in some obscure subdirectory on a different drive, or on-line (perhaps?) and evidently used this key to generate the certificate.

Anyhow, my problem is solved. Thanks for all the help here. Is there some way I should mark this post as "Solved"?
