PK and cert key mismatch

My domain is: *.mfashiftdev.cbe.com.et

I ran this command: openssl x509 -noout -modulus -in fullchain1.pem | openssl md5
openssl rsa -noout -modulus -in privkey1.pem | openssl md5

It produced this output: PS C:\Certbot\live\mfashiftdev.cbe.com.et> openssl x509 -noout -modulus -in fullchain.pem | openssl md5
MD5(stdin)= 5e7776f6ac7eb275a7da7c38d7625014
PS C:\Certbot\live\mfashiftdev.cbe.com.et> openssl rsa -noout -modulus -in privkey.pem | openssl md5
Not an RSA key
MD5(stdin)= d41d8cd98f00b204e9800998ecf8427e

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

I have tried to create a new certificate again, but it is still giving me the same cert with a mismatched key.

Hi @Abrham, and welcome to the LE community forum :slight_smile:

Are you sure that is an RSA type cert?
What shows?:
dir C:\Certbot\archive\mfashiftdev.cbe.com.et\*.pem

Your most recent issued certs are clearly NOT of type RSA:
crt.sh | 12312253820
crt.sh | 12311766423
crt.sh | 12311662980
crt.sh | 12311537926
crt.sh | 12303414540

The openssl command errors with:

2 Likes

@rg305 Thank you for your reply,

I have used the below command to create the certificate and those *.pem are issued automatically by certbot and letsencrypt after DNS verification.

certbot certonly --manual --preferred-challenges=dns --email abrhammelaku@cbe.com.et --server https://acme-v02.api.letsencrypt.org/directory --work-dir=. --config-dir=. --logs-dir=. --agree-tos -d *.mfashiftdev.cbe.com.et

Thanks!

1 Like

Okay, but certbot defaults to ECDSA keys since version 2, so it's not clear why you're trying to run openssl commands that only work on RSA keys, or what you're trying to accomplish by doing so.

2 Likes

openssl x509 -noout -modulus -in fullchain.pem errors out on an ECDSA key, and the md5 command hashes that error message, so it always prints a hash.

2 Likes

It's actually the MD5 hash for a zero length (i.e.: nothing) input.

2 Likes

Hi Peter, the reason I use openssl is to compare the two keys (fullchain and privkey). I have used the same for other certificates issued by letsencrypt and the keys match.

This is an error message “Not an RSA key” and a hash of 0 bytes.

The hashes don’t match because the second command returned an error, so you’re not properly comparing them.

4 Likes

That one only works on RSA type certs.
You need another one that can be used to check ECDSA type certs.

2 Likes

Dear all,
Thank you for your support. I used the below command to check ECDSA type cert keys. And it matches.

openssl x509 -noout -pubkey -in fullchain1.pem | openssl md5
openssl pkey -pubout -in privkey1.pem | openssl md5

2 Likes
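The public-key comparison from the post above, together with the empty-input hash explained earlier in the thread, as an added shell example that is not from the thread, from Certbot, or from Let's Encrypt. It assumes openssl is on the PATH; the ECDSA key, the self-signed certificate and the temporary directory are constructed fixtures, and the function names are my own. Unlike the modulus check, comparing the SubjectPublicKeyInfo works for RSA, ECDSA and Ed25519 alike, and the script also guards against the trap seen in the thread: a pipeline whose first stage failed still yields a well-formed hash, because the second stage hashed zero bytes.

```shell
#!/bin/sh
# Added example (not from the thread): check that a private key belongs to a
# certificate by comparing public keys, which is key-type independent.
set -eu

# SHA-256 of zero bytes: the value you get when the first stage of the
# pipeline wrote nothing to stdout (it failed and printed only to stderr).
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# Hash of the certificate's SubjectPublicKeyInfo (PEM form).
cert_pubkey_fingerprint() {
  openssl x509 -noout -pubkey -in "$1" | openssl sha256 | awk '{print $NF}'
}

# Hash of the public key derived from the private key (same PEM form).
key_pubkey_fingerprint() {
  openssl pkey -pubout -in "$1" | openssl sha256 | awk '{print $NF}'
}

# Exit status 0 when cert ($1) and key ($2) match, 1 otherwise. A hash of
# empty input is rejected rather than compared, so a broken read never
# "matches" another broken read.
keypair_matches() {
  cert_fp=$(cert_pubkey_fingerprint "$1")
  key_fp=$(key_pubkey_fingerprint "$2")
  [ "$cert_fp" != "$EMPTY_SHA256" ] && [ "$key_fp" != "$EMPTY_SHA256" ] \
    && [ "$cert_fp" = "$key_fp" ]
}

# Reproduces the thread's symptom: openssl rsa cannot read an EC key, writes
# its error to stderr and nothing to stdout, so openssl md5 hashes zero bytes
# and prints d41d8cd98f00b204e9800998ecf8427e.
modulus_md5_of_ec_key() {
  openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl md5 | awk '{print $NF}'
}

# Constructed fixtures: a P-256 key with a self-signed cert, and an
# unrelated second key that must not match. Prints the directory path.
make_fixtures() {
  dir=$(mktemp -d)
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/privkey.pem"
  openssl req -new -x509 -key "$dir/privkey.pem" -subj "/CN=example.invalid" \
    -days 1 -out "$dir/fullchain.pem" 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/other.pem"
  echo "$dir"
}

main() {
  d=$(make_fixtures)
  if keypair_matches "$d/fullchain.pem" "$d/privkey.pem"; then
    echo "privkey.pem matches fullchain.pem"
  fi
  if ! keypair_matches "$d/fullchain.pem" "$d/other.pem"; then
    echo "other.pem does NOT match fullchain.pem"
  fi
  echo "modulus check on an EC key hashes nothing: $(modulus_md5_of_ec_key "$d/privkey.pem")"
  rm -rf "$d"
}
main
```

Run it as `sh check_keypair.sh`; to check a real pair, call `keypair_matches fullchain.pem privkey.pem` from the shell after sourcing the file. The SHA-256 of the PEM public key is only a convenience for eyeballing; the decisive step is that both sides are rendered in the same SubjectPublicKeyInfo encoding before hashing, and that an empty-input hash is treated as a failed read, not as a value to compare.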
