After updating my SSL certificates this morning as I normally do, everything looked ok, but when I try to upload them into the AWS Load Balancer using the web console, I get the following error:
Failed to import to IAM
KeyPairMismatchException: The private key did not match the public key provided. Please verify the key material and try again.
I'm assuming the error is saying the uploaded key files don't match somehow, so I checked several things:
- Verify that the files are in PEM format: yes, the blocks in the .key file begin with "-----BEGIN PRIVATE KEY-----" and end with "-----END PRIVATE KEY-----", and the blocks in the .crt and chain files begin with "-----BEGIN CERTIFICATE-----" and end with "-----END PRIVATE KEY-----".
- Verify that the key files match: yes, I ran "openssl x509 -noout -modulus" on both the .key file and the .crt file and the md5 outputs matched.
- Verify that the public keys contained in the .key and .crt files are the same: yes, I ran "openssl x509 -in zoomroses.com.crt -noout -pubkey" and "openssl rsa -in zoomroses.com.key -pubout" and the outputs matched.
- Verify that the dates of the certificate are correct: yes, I ran "openssl verify -CAfile zoomroses.com.crt" and got "notBefore=Mar 27 11:25:36 2025 GMT, notAfter=Jun 25 11:25:35 2025 GMT". The current time was a bit after 12:00:00 2025 GMT.
- Verify the validity of the chain file: yes, I ran "openssl verify -partial_chain -CAfile chain.crt zoomroses.com.crt" and the output was "zoomroses.com.crt: OK".
What am I missing?
My domain is:
I ran this command:
getssl -u -a
It produced this output:
Renewing SSL certificates.
Check all certificates
Registering account
Verify each domain
Verifying zoomroses.com
copying challenge token to /home/www/html/.well-known/acme-challenge/uVvQWx5EukFjcfjOIVGLOky9fYeB5oRIeW9vBzA7NXI
sending request to ACME server saying we're ready for challenge
checking if challenge is complete
Pending
checking if challenge is complete
Verified zoomroses.com
Verifying www.zoomroses.com
copying challenge token to /home/www/html/.well-known/acme-challenge/FBfejldSIUHoddBOuSC7mMxIjWR-RNqVWbdWeIpN4_Q
sending request to ACME server saying we're ready for challenge
checking if challenge is complete
Pending
checking if challenge is complete
Verified www.zoomroses.com
Verification completed, obtaining certificate.
Requesting Finalize Link
Requesting Order Link
Requesting certificate
Certificate saved in /root/.getssl/zoomroses.com/zoomroses.com.crt
purge /root/.getssl/zoomroses.com/archive/2024_10_14_09_42
purge /root/.getssl/zoomroses.com/archive/2024_10_14_10_20
copying domain certificate to /home/www/ssl/zoomroses.com/zoomroses.com.crt
copying private key to /home/www/ssl/zoomroses.com/zoomroses.com.key
copying CA certificate to /home/www/ssl/zoomroses.com/chain.crt
reloading SSL services
/root/.getssl/zoomroses.com/zoomroses.com.crt didn't match server
getssl: zoomroses.com - rsa certificate obtained but certificate on server is different from the new certificate
My web server is (include version)
Apache/2.4.62
The operating system my web server runs on is (include version):
Amazon Linux 2023.6.20241111
My hosting provider, if applicable, is:
Amazon Web Services
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No (Amazon Web Services Web Console)
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
getssl version 2.49
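
Added example, not part of the original post: a shell script that repeats the PEM-label and key-match checks listed in the post in a key-type-agnostic way, comparing SHA-256 hashes of the public key (SubjectPublicKeyInfo) taken from the certificate and from the private key. The function names are hypothetical; the file names in the usage line are the ones from the post.

```sh
#!/bin/sh
# Added example: key-type-agnostic checks on a PEM certificate/key pair.
# Function names are hypothetical; only standard openssl subcommands are used.

# Print each PEM block's BEGIN label, flagging an END label that differs.
pem_labels() {
  awk '/^-----BEGIN .*-----/ { sub(/^-----BEGIN /, ""); sub(/-----.*$/, ""); lbl = $0; next }
       /^-----END .*-----/   { sub(/^-----END /, "");   sub(/-----.*$/, "")
                               sfx = (lbl == $0) ? "" : " [END label: " $0 "]"
                               print lbl sfx; lbl = "" }' "$1"
}

# SHA-256 of the DER SubjectPublicKeyInfo read from a PEM public key on stdin.
spki_hash() {
  openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{ print $NF }'
}

# "openssl x509" reads only the FIRST certificate in the file, so a bundle
# that starts with an intermediate gets the intermediate's key compared.
cert_spki() {
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  printf '%s\n' "$pub" | spki_hash
}

# "openssl pkey" handles RSA and EC keys alike. The empty -passin makes a
# passphrase-protected key fail here instead of prompting.
key_spki() {
  pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
  printf '%s\n' "$pub" | spki_hash
}

# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
check_pair() {
  c=$(cert_spki "$1") || { echo "cannot read certificate: $1" >&2; return 2; }
  k=$(key_spki "$2")  || { echo "cannot read private key: $2" >&2; return 2; }
  echo "cert SPKI sha256: $c"
  echo "key  SPKI sha256: $k"
  [ "$c" = "$k" ]
}

# Usage: sh pem_pair_check.sh zoomroses.com.crt zoomroses.com.key
if [ "$#" -eq 2 ]; then
  pem_labels "$1"; pem_labels "$2"
  check_pair "$1" "$2"
fi
```

Run it against the exact files being pasted into the console, since a check made on a different copy of the key or certificate says nothing about what was uploaded.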