PK and cert key mismatch

Abrham · March 8, 2024, 9:12am

My domain is:*.mfashiftdev.cbe.com.et

I ran this command:openssl x509 -noout -modulus -in fullchain1.pem | openssl md5
openssl rsa -noout -modulus -in privkey1.pem | openssl md5

It produced this output:PS C:\Certbot\live\mfashiftdev.cbe.com.et> openssl x509 -noout -modulus -in fullchain.pem | openssl md5
MD5(stdin)= 5e7776f6ac7eb275a7da7c38d7625014
PS C:\Certbot\live\mfashiftdev.cbe.com.et> openssl rsa -noout -modulus -in privkey.pem | openssl md5
Not an RSA key
MD5(stdin)= d41d8cd98f00b204e9800998ecf8427e

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

I have tried to create a new certificate again but stil it is providing me the same cert. with mismatch key

rg305 · March 8, 2024, 9:26am

Hi @Abrham, and welcome to the LE community forum

Are you sure that is an RSA type cert?
What shows?:
dir C:\Certbot\archive\mfashiftdev.cbe.com.et\*.pem

The openssl command errors with:

Abrham · March 8, 2024, 11:49am

@rg305 Thank you for your reply,

I have used the below command to create the certificate and those *.pem are issued automatically by certbot and letsencrypt after DNS verification.

certbot certonly --manual --preferred-challenges=dns --email abrhammelaku@cbe.com.et --server https://acme-v02.api.letsencrypt.org/directory --work-dir=. --config-dir=. --logs-dir=. --agree-tos -d *.mfashiftdev.cbe.com.et

Thanks!

petercooperjr · March 8, 2024, 4:40pm

Okay, but certbot defaults to ECDSA keys since version 2, so it's not clear why you're trying to run openssl commands that only work on RSA keys, or what you're trying to accomplish by doing so.

orangepizza · March 8, 2024, 4:47pm

openssl x509 -noout -modulus -in fullchain.pem errors out on ecdsa key, and md5 commend hashes that error message, so it always prints hash

Osiris · March 8, 2024, 5:38pm

It's actually the MD5 hash for a zero length (i.e.: nothing) input.

Abrham · March 9, 2024, 4:46am

Hi peter, the reason why I use openssl is to compare the two keys(fullchain and privkey), I have used the same for other certificates issued by letsencrypt and the key matchs.

mcpherrinm · March 9, 2024, 5:22am

This is an error message “Not an RSA key” and a hash of 0 bytes.

The hashes don’t match because the second command returned an error, so you’re not properly comparing them.

rg305 · March 9, 2024, 5:51am

That one only works on RSA type certs.
You need another one that can be used to check ECDSA type certs.

Abrham · March 13, 2024, 5:38am

Dear all,
Thank you for your support. I used the below command to check ECDSA type cert keys. And it matches.

openssl x509 -noout -pubkey -in fullchain1.pem | openssl md5
openssl pkey -pubout -in privkey1.pem | openssl md5

system · April 12, 2024, 5:39am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to verify privkey.pem file Help	20	2033	May 28, 2023
How to get the private key modulus Help	4	2529	February 11, 2023
Verifying private key with cert and fullchain Help	13	1003	December 29, 2024
Private key does not match with my certificate Help	14	7452	May 17, 2018
Zimbra Certbot LetsEncrypt - certificate and private key do not match Help	11	4586	December 27, 2022

PK and cert key mismatch

Related topics