"Key values mismatch" error using live certs on nginx


#1

Hi, it was suggested to me by @jsha in this GitHub issue that I post here.

I have several servers hosting several domains and after hitting the rate limit for domains I discovered I could request SAN certificates.

I created a single certificate for 67 domains successfully on a Parabola GNU/Linux-libre server, using nginx+passenger 1.8 and the latest git clone of LE after the public beta release:

./letsencrypt-auto certonly -d domain1 -d domain2 ...

I used the same method on two other servers, Debian Jessie and Ubuntu Trusty (later upgraded to Wily), both with nginx+passenger 1.8, and I get this error:

nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/letsencrypt/live/domain1/privkey.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

I also tried vanilla nginx, with the same error. I also copied the certs produced on those servers, and they are recognized just fine by the Parabola server.

My nginx.conf reads like this in all servers:

http {

[...]

  ssl_certificate       /etc/letsencrypt/live/domain1/fullchain.pem;
  ssl_certificate_key   /etc/letsencrypt/live/domain1/privkey.pem;
  ssl_dhparam           /etc/ssl/private/2048.dh;

  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_buffer_size 8k;

[...]

}

The certificates are recognized without issues by other daemons, like postfix, dovecot and prosody.

Has anyone seen this happen? I’m guessing it’s the way Debian builds nginx, but I couldn’t find anything. Single domain certs work just fine, but the rate limit doesn’t allow me to issue all the certs I need :smile:


#2

Same here, my server runs on Ubuntu Trusty and nginx doesn’t start with a multidomain certificate.


#3

Hi,
same issue here with nginx. I resolved it by creating a bundle with all the “renewal” files:

/etc/letsencrypt/live/domain.org# cat fullchain.pem chain.pem cert.pem privkey.pem > bundle.pem

Then I use it in my nginx config as in:

# === let’s encrypt config ===
ssl_certificate /etc/letsencrypt/live/domain.org/bundle.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.org/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/domain.org/fullchain.pem;
# === config let’s encrypt ===


#4

Isn’t that publishing your privkey? :wink:

Do you have a technical explanation for using such a bundle?


#5

I hope not :stuck_out_tongue:
I just found that it works w/o the private key, by the way :slightly_smiling:

cat fullchain.pem chain.pem cert.pem > bundle.pem

Ahem… not really… I found this method somewhere in a forum a long time ago, for a totally different issue.
I desperately tested the same thing; my nginx website didn’t want to start.


#6

I still find it weird: fullchain should be cert + chain concatenated, so you’re getting cert + chain + cert + chain in your bundle.


#7

On one of my Nginx servers, I noticed this error after a server reboot, and it turns out my configuration was pointing to the wrong key—or maybe at some point certbot/LE switched keys on me!

Before (throwing this error, but worked for a few months at least):

ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/keys/0000_key-certbot.pem;

After (fixed the error):

ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;

#8

It would be interesting to know how that got there. Probably that key would have worked when you first obtained the certificate, but not after a successful renewal, because the renewed fullchain.pem would have a different public key and a different private key. So 0000_key-certbot.pem is probably the correct private key for your first certificate, but not for your second (or later) certificate.

Files in keys are never updated, while files in live are automatically updated upon renewal.


#9

I know I manually set the paths during the installation, which was running Certbot 0.10.0; I usually just copy and paste whatever paths Certbot provides at the end of the first setup, then set certbot-auto on cron to do its thing.

I think I set up that particular server with LE certs a couple months ago.

In any case, checking on some of my other servers using the same Ansible role for Certbot/LE setup, they’re all set to use certificate_key_file: /etc/letsencrypt/live/example2.com/privkey.pem, so either it was a temporary thing in certbot’s docs, or I just had a brain fart on that particular server configuration (which just means I need to automate it better so my own stupidity doesn’t result in site downtime!).