TOPPOT
November 28, 2024, 1:03pm
1
I am trying to figure out why my private key doesn't match the certificates I got, nor does it match the CA certificates publicly available on my client. The keys are being used on a StrongSwan server. Domains and other information have been changed.
I ran:
certbot certonly --key-type rsa --rsa-key-size 4096 --email melville@moby.edu --agree-tos -d firm.mattress.es
I tried to verify that the private key matches the cert and fullchain certs:
root@dorothy:/etc/ipsec.d/ca# openssl x509 -in ../cert/cert.pem -pubkey -outform pem | sha256sum
472ce7b06b1fbb51f5132371c85672b488c7bee8d9cbc9680cb70d32a01ea90c -
root@dorothy:/etc/ipsec.d/ca# openssl x509 -in ../ca/fullchain.pem -pubkey -outform pem | sha256sum
472ce7b06b1fbb51f5132371c85672b488c7bee8d9cbc9680cb70d32a01ea90c -
root@dorothy:/etc/ipsec.d/ca# openssl rsa -in ../private/privkey.pem -pubout -outform pem | sha256sum
writing RSA key
bd9e3ed8b0a3fe3527fcce2cf3cf85171f82e793618c742302a8f6ef4bc911fe -
The key doesn't match the certificates and when used with my VPN, the key does not match any certificate authorities.
These certs and key are being used with StrongSwan and are soft links from the /etc/letsencrypt directory to the ipsec.d directory in the appropriate locations.
certbot 2.9.0
MikeMcQ
November 28, 2024, 3:19pm
2
TOPPOT:
-d firm.mattress.es
Would you show the output of the command below? Because I do not see any history of you getting a Let's Encrypt cert for that domain name. Thanks
sudo certbot certificates
rg305
November 28, 2024, 3:41pm
3
cert.pem in /cert/ and privkey.pem in /private/ makes sense [to me].
But... fullchain in /ca/ doesn't make much sense [to me].
[perhaps you could try using chain.pem instead]
TOPPOT
November 28, 2024, 10:15pm
4
How will that change the hashes to agree which is the problem to be resolved?
Maybe try some OpenSSL commands of this form
openssl pkey -in privateKey.key -pubout -outform pem | sha256sum
openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum
openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum
TOPPOT
November 28, 2024, 11:51pm
6
No change in the result:
root@dorothy:/etc/ipsec.d# openssl pkey -in private/privkey.pem -pubout -outform pem | sha256sum
bd9e3ed8b0a3fe3527fcce2cf3cf85171f82e793618c742302a8f6ef4bc911fe -
root@dorothy:/etc/ipsec.d# openssl x509 -in cert/cert.pem -pubkey -outform pem | sha256sum
472ce7b06b1fbb51f5132371c85672b488c7bee8d9cbc9680cb70d32a01ea90c -
I didn't bother with the csr as in my VPN application the cert and the private key agreement is what the logs are complaining about.
TOPPOT
November 28, 2024, 11:54pm
7
certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
Certificate Name: firm.mattress.es
Serial Number: 4789e5a75878b4b582a9f6e7f273cced780
Key Type: RSA
Domains: firm.mattress.es
Expiry Date: 2025-02-26 11:34:29+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/firm.mattress.es/fullchain.pem
Private Key Path: /etc/letsencrypt/live/firm.mattress.es/privkey.pem
fqdn has been changed for posting in public spaces.
rg305
November 29, 2024, 2:09am
8
TOPPOT:
firm.mattress.es
Then use an FQDN from "example.com|net|org"
[that is a valid domain]
TOPPOT:
No change in the result:
I would say that the private key does not have the same public key portion that the certificate has,
thus they are not a match.
Edit: Also this is the private key and hopefully paired certificate (in the fullchain) that should match.
TOPPOT
November 29, 2024, 5:19am
10
Yes it bears further investigation. When I get home I'll look into it and post the results.
I wonder how these things work on my websites with a strange private key.
TOPPOT
November 29, 2024, 9:54am
11
It is starting to get through my thick skull what is going on and what I think is supposed to be going on. The ACME client should generate the private key on my server during the certificate installation process, then it creates a key signing request and sends that and the certificate associated with the private key to LE to sign. The fullchain.pem should contain the signed key and the chain back to the CA. So in my thinking the cert at the top of the fullchain file should match up to the private key, and it doesn't. So where did the cert come from that I got back?
OK; so here is an example with one of my test domains (yes, that is the real FQDN).
I am trying to show that I get a match between the private key and the certificate in the fullchain.pem
$ sudo certbot --version
certbot 2.11.0
$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: petrifiedhaggis.us.kg
Serial Number: 4bf7128903c15f6efcde100e5ef26fd1b10
Key Type: ECDSA
Domains: petrifiedhaggis.us.kg *.petrifiedhaggis.us.kg
Expiry Date: 2025-02-26 17:14:24+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/petrifiedhaggis.us.kg/fullchain.pem
Private Key Path: /etc/letsencrypt/live/petrifiedhaggis.us.kg/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$ sudo openssl pkey -in /etc/letsencrypt/live/petrifiedhaggis.us.kg/privkey.pem -pubout -outform pem | sha256sum
c48f4da1a746a5322d80533338d4cbe0fb912a6fe10c8755268dbe3315f22ba2 -
$ sudo openssl x509 -in /etc/letsencrypt/live/petrifiedhaggis.us.kg/fullchain.pem -pubkey -noout -outform pem | sha256sum
c48f4da1a746a5322d80533338d4cbe0fb912a6fe10c8755268dbe3315f22ba2 -
$ sudo cat /etc/letsencrypt/live/petrifiedhaggis.us.kg/fullchain.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEVzCCAj+gAwIBAgIRALBXPpFzlydw27SHyzpFKzgwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw
WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCRTYwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATZ8Z5G
h/ghcWCoJuuj+rnq2h25EqfUJtlRFLFhfHWWvyILOR/VvtEKRqotPEoJhC6+QJVV
6RlAN2Z17TJOdwRJ+HB7wxjnzvdxEP6sdNgA1O1tHHMWMxCcOrLqbGL0vbijgfgw
gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSTJ0aYA6lRaI6Y1sRCSNsj
v1iU0jAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB
AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g
BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu
Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAfYt7SiA1sgWGCIpunk46r4AExIRc
MxkKgUhNlrrv1B21hOaXN/5miE+LOTbrcmU/M9yvC6MVY730GNFoL8IhJ8j8vrOL
pMY22OP6baS1k9YMrtDTlwJHoGby04ThTUeBDksS9RiuHvicZqBedQdIF65pZuhp
eDcGBcLiYasQr/EO5gxxtLyTmgsHSOVSBcFOn9lgv7LECPq9i7mfH3mpxgrRKSxH
pOoZ0KXMcB+hHuvlklHntvcI0mMMQ0mhYj6qtMFStkF1RpCG3IPdIwpVCQqu8GV7
s8ubknRzs+3C/Bm19RFOoiPpDkwvyNfvmQ14XkyqqKK5oZ8zhD32kFRQkxa8uZSu
h4aTImFxknu39waBxIRXE4jKxlAmQc4QjFZoq1KmQqQg0J/1JF8RlFvJas1VcjLv
YlvUB2t6npO6oQjB3l+PNf0DpQH7iUx3Wz5AjQCi6L25FjyE06q6BZ/QlmtYdl/8
ZYao4SRqPEs/6cAiF+Qf5zg2UkaWtDphl1LKMuTNLotvsX99HP69V2faNyegodQ0
LyTApr/vT01YPE46vNsDLgK+4cL6TrzC/a4WcmF5SRJ938zrv/duJHLXQIku5v0+
EwOy59Hdm0PT/Er/84dDV0CSjdR/2XuZM3kpysSKLgD1cKiDA+IRguODCxfO9cyY
Ig46v9mFmBvyH04=
-----END CERTIFICATE-----
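The check the thread performs by hand, as an added example that is not from any poster in this thread and not certbot's or StrongSwan's code. It wraps the two public-key hashes in functions, fails closed when a file cannot be parsed, and builds a constructed fixture (a key with its own self-signed leaf, an unrelated key with a self-signed "issuer" certificate, and a leaf-first fullchain laid out the way certbot writes it) in a temporary directory rather than touching anything under /etc/letsencrypt. It also shows two things a practitioner hitting this problem wants to see: `openssl x509` only parses the first certificate in a file, so the comparison must be run against fullchain.pem (leaf first), never chain.pem (intermediate first); and on the x509 side `-noout` is essential, because without it OpenSSL prints the certificate itself after the public key, so the hash covers key plus certificate and can never equal the hash of the key's public part. Note that the commands in the first and sixth posts of this thread omit `-noout`, while the ones in the last post include it. The only assumption is an `openssl` binary on PATH; all function and file names are illustrative.

```shell
#!/bin/sh
# Added example, not from any post in this thread: the key/certificate check
# the posters run by hand, wrapped in functions, plus a constructed fixture.
# Assumes an `openssl` binary on PATH. Function and file names are
# illustrative; the key and certificates are generated in a temp dir below,
# not taken from the poster's /etc/letsencrypt tree.
set -eu

# SHA-256 of the PEM public key derived from a private key.
# `pkey` handles RSA and ECDSA alike, so the same check works for both
# certbot key types. Returns 2 instead of hashing empty output when
# openssl cannot read the file.
key_pub_hash() {
    pub=$(openssl pkey -in "$1" -pubout -outform pem 2>/dev/null) || return 2
    printf '%s\n' "$pub" | sha256sum | cut -d' ' -f1
}

# SHA-256 of the PEM public key in the FIRST certificate of a file.
# `openssl x509` only parses the first certificate: on fullchain.pem that
# is the leaf, on chain.pem it is the intermediate, which will never match.
# `-noout` is essential: without it the certificate itself is printed after
# the public key and the hash covers both (see cert_pub_hash_without_noout).
cert_pub_hash() {
    pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 2
    printf '%s\n' "$pub" | sha256sum | cut -d' ' -f1
}

# The same command with `-noout` omitted, kept only to show the pitfall.
cert_pub_hash_without_noout() {
    out=$(openssl x509 -in "$1" -pubkey -outform pem 2>/dev/null) || return 2
    printf '%s\n' "$out" | sha256sum | cut -d' ' -f1
}

# 0 if the private key and the first certificate share a public key,
# 1 if they do not, 2 if either file could not be parsed.
key_matches_cert() {
    k=$(key_pub_hash "$1") || return 2
    c=$(cert_pub_hash "$2") || return 2
    if [ -n "$k" ] && [ "$k" = "$c" ]; then
        return 0
    else
        return 1
    fi
}

# Constructed fixture (not real certbot output): a key with a self-signed
# leaf, an unrelated key with its own self-signed "issuer" certificate
# standing in for chain.pem, and a fullchain laid out leaf-first the way
# certbot writes it. Prints the directory it created.
make_fixture() {
    dir=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/privkey.pem" 2>/dev/null
    openssl req -new -x509 -key "$dir/privkey.pem" -days 1 \
        -subj "/CN=example.com" -out "$dir/cert.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.pem" 2>/dev/null
    openssl req -new -x509 -key "$dir/other.pem" -days 1 \
        -subj "/CN=issuer.example.com" -out "$dir/chain.pem" 2>/dev/null
    cat "$dir/cert.pem" "$dir/chain.pem" > "$dir/fullchain.pem"
    echo "$dir"
}

# Usage: keymatch.sh /path/to/privkey.pem /path/to/fullchain.pem
if [ $# -eq 2 ]; then
    if key_matches_cert "$1" "$2"; then
        echo "MATCH: $1 pairs with the first certificate in $2"
    else
        echo "MISMATCH: key=$(key_pub_hash "$1") cert=$(cert_pub_hash "$2")" >&2
        exit 1
    fi
fi
```

Run it as `sh keymatch.sh /etc/letsencrypt/live/<name>/privkey.pem /etc/letsencrypt/live/<name>/fullchain.pem` (reading the live files needs root, as in the thread). A MISMATCH printed by this script means the key and leaf really differ; a mismatch produced by the hand-typed commands without `-noout` means nothing, because the two hashes were never comparable in the first place.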