Verifying private key with cert and fullchain

I am trying to figure out why my private key doesn't match the certificates I got, nor does it match the CA certificates publicly available on my client. The keys are being used on a StrongSwan server. Domains and other information have been changed.

I ran:

certbot certonly --key-type rsa --rsa-key-size 4096 --email melville@moby.edu --agree-tos -d firm.mattress.es

I tried to verify that the private key matches the cert and fullchain certs:

root@dorothy:/etc/ipsec.d/ca# openssl x509 -in ../cert/cert.pem -pubkey -outform pem | sha256sum
472ce7b06b1fbb51f5132371c85672b488c7bee8d9cbc9680cb70d32a01ea90c -
root@dorothy:/etc/ipsec.d/ca# openssl x509 -in ../ca/fullchain.pem -pubkey -outform pem | sha256sum
472ce7b06b1fbb51f5132371c85672b488c7bee8d9cbc9680cb70d32a01ea90c -
root@dorothy:/etc/ipsec.d/ca# openssl rsa -in ../private/privkey.pem -pubout -outform pem | sha256sum
writing RSA key
bd9e3ed8b0a3fe3527fcce2cf3cf85171f82e793618c742302a8f6ef4bc911fe -

The key doesn't match the certificates and when used with my VPN, the key does not match any certificate authorities.

These certs and key are being used with StrongSwan and are soft links from the /etc/letsencrypt directory to the ipsec.d directory in the appropriate locations.

certbot 2.9.0

Would you show the output of the command below? Because I do not see any history of you getting a Let's Encrypt cert for that domain name. Thanks

sudo certbot certificates
3 Likes

cert.pem in /cert/ and privkey.pem in /private/ makes sense [to me].
But... fullchain in /ca/ doesn't make much sense [to me].
[perhaps you could try using chain.pem instead]

4 Likes

How will that change the hashes to agree which is the problem to be resolved?

Maybe try some OpenSSL commands of this form

openssl pkey -in privateKey.key -pubout -outform pem | sha256sum
openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum
openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum
2 Likes

No change in the result:

root@dorothy:/etc/ipsec.d# openssl pkey -in private/privkey.pem -pubout -outform pem | sha256sum
bd9e3ed8b0a3fe3527fcce2cf3cf85171f82e793618c742302a8f6ef4bc911fe -
root@dorothy:/etc/ipsec.d# openssl x509 -in cert/cert.pem -pubkey -outform pem | sha256sum
472ce7b06b1fbb51f5132371c85672b488c7bee8d9cbc9680cb70d32a01ea90c -

I didn't bother with the csr as in my VPN application the cert and the private key agreement is what the logs are complaining about.

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: firm.mattress.es
Serial Number: 4789e5a75878b4b582a9f6e7f273cced780
Key Type: RSA
Domains: firm.mattress.es
Expiry Date: 2025-02-26 11:34:29+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/firm.mattress.es/fullchain.pem
Private Key Path: /etc/letsencrypt/live/firm.mattress.es/privkey.pem


fqdn has been changed for posting in public spaces.

Then use an FQDN from "example.com|net|org"
[that is a valid domain]

4 Likes

I would say that the private key does not have the same public key portion that the certificate has,
thus they are not a match. :frowning:

Edit

Also this is the private key and hopefully paired certificate (in the fullchain) that should match.

3 Likes

Yes it bears further investigation. When I get home I'll look into it and post the results.

I wonder how these things work on my websites with a strange private key.

It is starting to get through my thick skull what is going on and what I think is supposed to be going on. The ACME client should generate the private key on my server during the certificate installation process, then it creates a key signing request and sends that and the certificate associated with the private key to LE to sign. The fullchain.pem should contain the signed key and the chain back to the CA. So in my thinking the cert at the top of the fullchain file should match up to the private key, and it doesn't. So where did the cert come from that I got back?

Your advice is noted.

OK; so here is an example with one of my test domains (yes, that is the real FQDN).
I am trying to show that I get a match between the private key and the certificate in the fullchain.pem

$ sudo certbot --version
certbot 2.11.0
$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: petrifiedhaggis.us.kg
    Serial Number: 4bf7128903c15f6efcde100e5ef26fd1b10
    Key Type: ECDSA
    Domains: petrifiedhaggis.us.kg *.petrifiedhaggis.us.kg
    Expiry Date: 2025-02-26 17:14:24+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/petrifiedhaggis.us.kg/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/petrifiedhaggis.us.kg/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$ sudo openssl pkey -in /etc/letsencrypt/live/petrifiedhaggis.us.kg/privkey.pem -pubout -outform pem | sha256sum
c48f4da1a746a5322d80533338d4cbe0fb912a6fe10c8755268dbe3315f22ba2  -
$ sudo openssl x509 -in /etc/letsencrypt/live/petrifiedhaggis.us.kg/fullchain.pem -pubkey -noout -outform pem | sha256sum
c48f4da1a746a5322d80533338d4cbe0fb912a6fe10c8755268dbe3315f22ba2  -
$ sudo cat /etc/letsencrypt/live/petrifiedhaggis.us.kg/fullchain.pem
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
4 Likes
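The hash comparison the thread performs by hand, wrapped into a reusable check. This is an added example, not code from the thread or from certbot; it assumes a Linux host with openssl, sha256sum and readlink, and it builds its own constructed test material (a key pair with a self-signed leaf for the made-up name vpn.example.org, an unrelated key, a stand-in issuer certificate, and a symlink standing in for the /etc/ipsec.d links) in a temporary directory so it runs offline. It goes slightly beyond the thread's commands: it resolves symlinks before hashing, so a link pointing at the wrong lineage shows up in the output, and it fails on an unreadable key instead of hashing empty output. It relies on `openssl x509 -in` parsing only the first PEM block, which is why a fullchain.pem compares the leaf certificate rather than the intermediate.

```shell
#!/bin/sh
# Added example (not from the thread): check that a private key pairs with the
# leaf certificate of cert.pem or fullchain.pem, using the same SPKI hash that
# the thread compares by hand. Assumes Linux with openssl, sha256sum, readlink.
set -eu

# SHA-256 of the PEM public key derived from a private key (RSA or ECDSA).
# Returns non-zero instead of hashing nothing when the key cannot be parsed.
pubkey_hash_of_key() {
    pub=$(openssl pkey -in "$1" -pubout -outform pem 2>/dev/null) || return 1
    printf '%s\n' "$pub" | sha256sum | cut -d' ' -f1
}

# SHA-256 of the PEM public key inside a certificate file. `openssl x509 -in`
# reads only the first PEM block, so given fullchain.pem this hashes the leaf
# certificate, never the intermediate appended after it.
pubkey_hash_of_cert() {
    pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | sha256sum | cut -d' ' -f1
}

# Returns 0 when key and leaf certificate carry the same public key, 1 otherwise.
# Symlinks are resolved first so the output shows which file was really hashed.
key_matches_cert() {
    key_path=$(readlink -f "$1")
    cert_path=$(readlink -f "$2")
    k=$(pubkey_hash_of_key "$key_path") || { echo "cannot read key $key_path" >&2; return 1; }
    c=$(pubkey_hash_of_cert "$cert_path") || { echo "cannot read cert $cert_path" >&2; return 1; }
    echo "key  $key_path  $k"
    echo "cert $cert_path  $c"
    [ "$k" = "$c" ]
}

# Constructed test material so the script runs offline: one key pair with a
# self-signed leaf, plus an unrelated key and a stand-in "issuer" certificate.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/privkey.pem" \
    -out "$WORK/cert.pem" -subj "/CN=vpn.example.org" -days 1 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.pem" \
    -out "$WORK/issuer.pem" -subj "/CN=Stand-in Issuer" -days 1 2>/dev/null
# fullchain.pem laid out as certbot writes it: leaf first, then the chain.
cat "$WORK/cert.pem" "$WORK/issuer.pem" > "$WORK/fullchain.pem"
# A symlink like the ones under /etc/ipsec.d in the thread.
ln -s "$WORK/fullchain.pem" "$WORK/linked-fullchain.pem"

if key_matches_cert "$WORK/privkey.pem" "$WORK/linked-fullchain.pem"; then
    echo "MATCH: privkey.pem pairs with the leaf certificate in fullchain.pem"
fi
if key_matches_cert "$WORK/other.pem" "$WORK/linked-fullchain.pem"; then
    echo "unexpected match"
else
    echo "MISMATCH (expected): other.pem is not the key behind this certificate"
fi
```

To use it against a real deployment, call `key_matches_cert /etc/ipsec.d/private/privkey.pem /etc/ipsec.d/certs/cert.pem` (or the fullchain file); the two printed paths tell you which files the symlinks actually resolve to, which is the first thing to compare when the hashes disagree.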