Does Let's Encrypt client checks X509_check_private_key:key values mismatch?


I was able to create Let’s Encrypt SSL for a few domains right now, mainly using a plugin for ISPConfig with executes LetsEncrypt official client.

But I always need to try generating SSL a lot of times, because apache crashes in “emergency error”, with X509_check_private_key:key values mismatch. Looking at MD5 hashes I can see they don’t match.

openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5

After trying more times I can get certificates eventually with same key values, or I get blocked by Let’s Encrypt limits.

To try again I removed /etc/letsencrypt/live|archive|renewal/[domain], I don’t know if this is the right procedure since I don’t have a valid key pair.

Since the key values mismatch can prevent Apache from restart, It will be a good precaution to implement this validation if its is already doing that.

At least for me, I never got a valid key pair in the first attempt using the mentioned plugin.


How did you obtain those certificate.crt and privateKey.key? Because I don’t think the original Let’s Encrypt client generates those filenames?


I mean the files inside /etc/letsencrypt/live/[domain]/privkey.pem and /etc/letsencrypt/live/[domain]/cert.pem, which are symlinked as that names.

openssl rsa -noout -modulus -in privkey.pem | openssl md5
openssl x509 -noout -modulus -in cert.pem | openssl md5

not all the times they are the same md5 using this commands above, then Apache2 won’t restart.