Private key and CERT do not match after auto-renew

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.pammydelux.com
I ran this command:
(this was run from a cron script)
acme.sh --notify-level 3 --renew-all
It produced this output:
(mailed to me)
[Sat Jun 26 03:01:59 EDT 2021] Renew: 'www.pammydelux.com'
[Sat Jun 26 03:01:59 EDT 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sat Jun 26 03:01:59 EDT 2021] Multi domain='DNS:www.pammydelux.com,DNS:pammydelux.com'
[Sat Jun 26 03:01:59 EDT 2021] Getting domain auth token for each domain
[Sat Jun 26 03:02:00 EDT 2021] Getting webroot for domain='www.pammydelux.com'
[Sat Jun 26 03:02:00 EDT 2021] Getting webroot for domain='pammydelux.com'
[Sat Jun 26 03:02:00 EDT 2021] Verifying: www.pammydelux.com
[Sat Jun 26 03:02:03 EDT 2021] Pending
[Sat Jun 26 03:02:05 EDT 2021] Success
[Sat Jun 26 03:02:05 EDT 2021] Verifying: pammydelux.com
[Sat Jun 26 03:02:08 EDT 2021] Success
[Sat Jun 26 03:02:08 EDT 2021] Verify finished, start to sign.
[Sat Jun 26 03:02:08 EDT 2021] Lets finalize the order.
[Sat Jun 26 03:02:08 EDT 2021] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/121550531/10654698428'
[Sat Jun 26 03:02:09 EDT 2021] Downloading cert.
[Sat Jun 26 03:02:09 EDT 2021] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/0490f69bec8784014c72386776669f09d595'
[Sat Jun 26 03:02:09 EDT 2021] Cert success.
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
[Sat Jun 26 03:02:09 EDT 2021] Your cert is in /root/.acme.sh/www.pammydelux.com/www.pammydelux.com.cer
[Sat Jun 26 03:02:09 EDT 2021] Your cert key is in /root/.acme.sh/www.pammydelux.com/www.pammydelux.com.key
[Sat Jun 26 03:02:09 EDT 2021] The intermediate CA cert is in /root/.acme.sh/www.pammydelux.com/ca.cer
[Sat Jun 26 03:02:09 EDT 2021] And the full chain certs is there: /root/.acme.sh/www.pammydelux.com/fullchain.cer
[Sat Jun 26 03:02:09 EDT 2021] Installing cert to:/usr/local/etc/ssl/apache/www.pammydelux.com/cert.pem
[Sat Jun 26 03:02:09 EDT 2021] Installing key to:/usr/local/etc/ssl/apache/www.pammydelux.com/key.pem
[Sat Jun 26 03:02:09 EDT 2021] Installing full chain to:/usr/local/etc/ssl/apache/www.pammydelux.com/fullchain.pem

My web server is (include version):
apache 2.4.46
The operating system my web server runs on is (include version):
FreeBSD 11.4-RELEASE-p9
My hosting provider, if applicable, is:
I am system admin for the server
I can login to a root shell on my machine (yes or no, or I don't know):
Yes.
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

v2.8.8

ADDITIONAL INFORMATION

Several websites on this server, all have run for years with letsencrypt.
I upgraded to acme.sh a few months ago because of the new protocol change.
All websites have been running with the new certs and it was their renewal time yesterday.
This is the only one which had a problem on renewal (and didn't before)
Apache would not boot unless I commented out the host entry for this website in the httpd.conf file.

Edit: here's the error from the Apache log

[Sat Jun 26 16:16:42.596420 2021] [ssl:emerg] [pid 77088] AH02565: Certificate and private key www.pammydelux.com:443:0 from /usr/local/etc/ssl/apache/www.pammydelux.com/fullchain.pem and /usr/local/etc/ssl/apache/www.pammydelux.com/key.pem do not match

Thanks in advance for any help.

I think it's worth verifying first that the problem isn't related to Apache or the certificate fullchain order. Do either of these produce any output?

diff <(openssl rsa -in /usr/local/etc/ssl/apache/www.pammydelux.com/key.pem -noout -modulus) <(openssl x509 -in /usr/local/etc/ssl/apache/www.pammydelux.com/cert.pem -noout -modulus)

and

diff <(openssl rsa -in /root/.acme.sh/www.pammydelux.com/www.pammydelux.com.key -noout -modulus) <(openssl x509 -in /root/.acme.sh/www.pammydelux.com/www.pammydelux.com.cer -noout -modulus)

No output from either command.
I have no idea what that means...

No output means the private key (key.pem) and the certificate (cert.pem) match.

If you slightly change your Apache configuration to use cert.pem rather than fullchain.pem, do you still see the error from Apache?

Not that you should do that permanently, we're just narrowing down the problem.
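As an added example (not code from this thread or from acme.sh), here is a shell version of the check _az suggested. It compares the public key carried by the key file and by the certificate instead of the RSA modulus, so it also covers ECDSA certificates, refuses to call two empty openssl outputs a match, and prints the subject of the leaf certificate in fullchain.pem, which is the question this thread ended up needing answered. The file paths in the usage comment are the ones from the renewal output above; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from acme.sh): check that a private key
# and a certificate belong together by comparing the public key each carries.
# Works for RSA and ECDSA alike, unlike a "-modulus" diff, and treats any
# openssl failure as "no match" instead of comparing two empty strings.

# keypair_matches KEYFILE CERTFILE -> 0 if the key matches the first cert in CERTFILE
keypair_matches() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# cert_subject CERTFILE -> subject of the first (leaf) certificate in the file
cert_subject() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null
}

# check_vhost KEYFILE CERTFILE FULLCHAINFILE
# Runs the key/cert pairing Apache checks at startup against both cert.pem and
# fullchain.pem, and shows whose leaf certificate is actually in fullchain.pem.
check_vhost() {
    key=$1 cert=$2 chain=$3 rc=0
    echo "cert.pem leaf:      $(cert_subject "$cert")"
    echo "fullchain.pem leaf: $(cert_subject "$chain")"
    if keypair_matches "$key" "$cert"; then
        echo "key matches cert.pem"
    else
        echo "MISMATCH: key does not match cert.pem"; rc=1
    fi
    if keypair_matches "$key" "$chain"; then
        echo "key matches fullchain.pem"
    else
        echo "MISMATCH: key does not match fullchain.pem (Apache logs AH02565 for this)"; rc=1
    fi
    return $rc
}

# Usage with the paths from this thread:
#   d=/usr/local/etc/ssl/apache/www.pammydelux.com
#   check_vhost "$d/key.pem" "$d/cert.pem" "$d/fullchain.pem"
```

Run it against the installed files rather than the copies under /root/.acme.sh; the installed set is what Apache loads, and a key that matches cert.pem but not fullchain.pem points at the fullchain install step rather than at renewal.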

Reading openssl... it appears that the fullchain.pem installed by acme.sh is for www.ssr.com, another website on this server (which is running just fine at the moment):

CN=www.ssr.com

the cert.pem file is for the correct domain.

Following up _az's hint to look at the /root/.acme files, it seems the certificate file there is correct for the problem domain (looking at fullchain.cer)

Subject: CN=www.pammydelux.com

So, short term, can I get this domain running again by manually copying the file?

And long term, why did acme.sh copy the wrong file and how do I fix that?

In the configuration file for that other certificate (/root/.acme.sh/www.ssr.com/www.ssr.com.conf) check what is configured for:

  • Le_RealFullChainPath
  • Le_RealKeyPath
  • Le_RealCertPath

If I had to guess, I would say that the Le_RealFullChainPath for www.ssr.com has been accidentally set to the wrong directory, and that it overwrote the fullchain.pem for www.pammydelux.com.
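An added example, not part of this thread or of acme.sh: a shell scan that reads every domain .conf under the acme.sh home directory, collects the Le_RealCertPath, Le_RealKeyPath and Le_RealFullChainPath values, and reports any install path that more than one certificate's config writes to, which is exactly the cross-wiring guessed at above. It assumes the KEY='value' line layout acme.sh keeps in those files; /root/.acme.sh is the directory shown in the renewal output.

```shell
#!/bin/sh
# Added example (not from the thread or from acme.sh): find install paths that
# two different acme.sh certificate configs both write to. Assumes the
# KEY='value' lines acme.sh keeps in <home>/<domain>/<domain>.conf.

# find_install_collisions ACME_HOME
# Prints "<path>: <conf> <conf> ..." for every path claimed by more than one
# config. Exit 0 = no collisions, 1 = collisions found, 2 = no configs found.
find_install_collisions() {
    acme_home=$1
    set -- "$acme_home"/*/*.conf
    [ -f "$1" ] || { echo "no domain configs under $acme_home" >&2; return 2; }
    awk -F"'" '
        /^Le_Real(Cert|Key|FullChain)Path=/ {
            path = $2                       # the value between the single quotes
            if (path == "") next            # never installed: nothing to check
            if (!((path, FILENAME) in have)) {
                have[path, FILENAME] = 1
                confs[path] = confs[path] " " FILENAME
                n[path]++
            }
        }
        END {
            found = 0
            for (p in n) if (n[p] > 1) { printf "%s:%s\n", p, confs[p]; found = 1 }
            exit found
        }' "$@"
}

# Usage on the server from this thread:
#   find_install_collisions /root/.acme.sh
```

A non-zero exit with the offending path and both config files is what you want from a cron pre-check: run it before --renew-all so a stray Le_RealFullChainPath is caught before it silently overwrites another site's fullchain.pem.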

Thank you so much! It's all working now. Much, MUCH appreciated!