Key and Cert do not match? WTH?


#1

Hey everyone,

I’m using Let’s Encrypt together with ISPConfig 3. This morning, I came across some strange behaviour. First: All of a sudden, my services completely restarted. I thought “Well, might happen sometimes” and didn’t think anything of it, continued writing my mails when suddenly my mail client reported “SMTP server unreachable”.
Long story short: After analysis, my Apache finally gave me a clue: “Private key and certificate do not match”. It revoked the old certificate and issued a new one, using certbot-auto (the only “client” ISPConfig currently works with).

certbot-auto certonly --standalone -d kirito.ennabe.de

Now, the certificate got issued and everything LOOKED fine, but when I replaced the existing self-signed certs with the LE ones (using ln -s), I still got the message “[…] do not match”

What’s going on? Am I too dumb to correctly configure the server?

I have checked DNS settings, everything is fine, so DNS is pretty much ruled out.

Thank you very much in advance.

Kind Regards

Zero


#2

Hi,

It looks as if you have your server slightly misconfigured somewhere, and are using the certificate for pricefield.de.

What is your OS? You should find the Apache config files in either /etc/https or /etc/apache2, where you can check them directly.


#3

I don’t know, where…actually…

I mean, when I enter the command as I did, I’d expect that a cert is issued for the entered name, and that key and cert contain the same set of information.
Where should LE get this information from, anyway? As far as I understand, the keyfile is also generated by LE. So I’d expect them to match perfectly.

All I do is to relink the ISPConfig certificate AND key to /etc/letsencrypt/live/kirito.ennabe.de/. And then it shouldn’t matter anymore, since LE handles key and cert. And if they don’t match, I don’t know why. Is there any way to check the contents, like, some online service that reads the contents of a copied and pasted cert and key?


#4

I’d check your symlink, as I suspect it’s pointing to the wrong certificate.

To check the certificate yourself you can use:

openssl x509 -noout -text -in /etc/letsencrypt/live/kirito.ennabe.de/cert.pem
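
A local way to run the check asked about in #3 and #4, as an added example that is not part of any post in this thread: it compares the public key inside the certificate with the one derived from the private key and shows where each symlink resolves. The function names and the throwaway sample files (CN example.test) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check that a PEM certificate and a
# PEM private key carry the same public key, and show where symlinks point.

# Print the SHA-256 of the public key taken from a cert or derived from a key.
pubkey_hash() {  # $1 = cert|key, $2 = file
    case "$1" in
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        *)    false ;;
    esac || return 2
    [ -n "$pub" ] || return 2
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 on match, 1 on mismatch, 2 when either file cannot be parsed.
cert_key_match() {
    c=$(pubkey_hash cert "$1") || return 2
    k=$(pubkey_hash key "$2") || return 2
    [ "$c" = "$k" ]
}

# Resolve symlinks, show whose certificate it is, then print the verdict.
report() {
    echo "cert: $1 -> $(readlink -f "$1")"
    echo "key:  $2 -> $(readlink -f "$2")"
    openssl x509 -in "$1" -noout -subject -enddate 2>/dev/null || true
    rc=0; cert_key_match "$1" "$2" || rc=$?
    case "$rc" in 0) echo "MATCH" ;; 1) echo "NO MATCH" ;; *) echo "UNREADABLE" ;; esac
}

# Constructed sample input: a throwaway self-signed cert with its key, plus an
# unrelated key. example.test is a placeholder name.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample "$tmp"
report "$tmp/cert.pem" "$tmp/privkey.pem"
report "$tmp/cert.pem" "$tmp/other.pem"
rm -rf "$tmp"
```

On a real server, pass `report` the certificate and key paths that the web server configuration actually loads, so the resolved symlink targets and the subject line show which certificate is in use.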


#5

Interestingly, Let’s Encrypt created wrong Certs…I reissued them, now it works again. Thank you

