
Apache2 SSL Certificate/Key mismatch

I'm trying to set up Apache to use a private key and certificate for SSL usage. The problem is that Apache somehow thinks that the key and the crt files do not match:

[Thu Aug 01 11:35:18 2013] [warn] RSA server certificate wildcard CommonName (CN) `*.-----.nl' does NOT match server name!?
[Thu Aug 01 11:35:18 2013] [debug] ssl_engine_init.c(846): Configuring RSA server private key
[Thu Aug 01 11:35:18 2013] [error] Unable to configure RSA server private key
[Thu Aug 01 11:35:18 2013] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

After this error I checked whether or not the key and the certificate matched using:

$ openssl x509 -noout -modulus -in server.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5

And the results are both the same, so it seems that the key and the certificate do match!? My site configuration contains the following for the SSL setup:

    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

The certificate is signed by a self-created CA that I use for my customers. At this moment I'm hosting the HTTPS site through Java (and Chrome/Firefox/IE/Safari/... all accept the certificate and key), however the performance is not as I'd like it to be, hence I'm willing to switch to Apache. However, I don't understand why Apache says the certificate and the key do not match. I've googled a lot for this error and found a lot of results, however none represent my situation nor provide a valid solution for my problem. The reason I use my own CA is that I have a few hundred (and counting) certificates in use for a trust-based network.

edit: The issue seems openssl related; I tested the following with the same final error:

..............:~$ openssl s_server -cert server.crt -key server.key
140518544565920:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
140518544565920:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:831:
140518544565920:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=n, Type=RSA
140518544565920:error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib:rsa_ameth.c:115:
Using default temp DH parameters
Using default temp ECDH parameters
error setting private key
140518544565920:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:331:

Can anybody point me in the right direction for what i'm doing wrong?

I re-transcoded the JKS used directly by the web server (accepted by all browsers) to a PEM certificate and private key, but I still get the same error from openssl:

openssl s_server -debug -cert server.crt -key server.key
Using default temp DH parameters
Using default temp ECDH parameters
error setting private key
140157841004192:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:331:

How is it possible that all browsers accept the key/cert combination and openssl refuses to use them together?

Bas Goossen asked Aug 01 '13 09:08



1 Answer

$ openssl s_server -cert server.crt -key server.key
140518544565920:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
140518544565920:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:831:
140518544565920:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=n, Type=RSA
140518544565920:error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib:rsa_ameth.c:115:

Add -keyform. It can be DER or PEM. You'll have to look at server.key to determine the form.

If server.key has --- BEGIN RSA PRIVATE KEY --- (or similar), it's PEM. If it's not PEM encoded, then try DER.

Also, server.key might be encrypted. You might have to re-save the key without a passphrase.

jww answered Oct 14 '22 08:10
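The answer above says to look at server.key to decide between `-keyform PEM` and `-keyform DER`, and to check whether the key is encrypted. The script below is an added example (my code, not part of the question or the answer) that performs that inspection the way OpenSSL's loaders would: it finds the PEM envelope and its BEGIN label, notices the RFC 1421 `Proc-Type: 4,ENCRYPTED` headers of a legacy encrypted key, and otherwise base64-decodes the body and walks the first two ASN.1 elements to name the structure (PKCS#1 `RSAPrivateKey`, PKCS#8 `PrivateKeyInfo`, SEC1 `ECPrivateKey`). Bare DER is recognised by its leading SEQUENCE tag `0x30`. It also flags a body whose structure disagrees with its label, because OpenSSL decodes the body according to the label and reports ASN.1 "wrong tag" errors when the two do not match. The `pem()` helper, the file names and the DER blobs are constructed for the demonstration and are not real keys.

```python
"""Tell PEM from DER (and encrypted from plain) before choosing openssl -keyform.

Added example, not code from the original question or answer. A PEM envelope
(RFC 7468) is decoded according to its BEGIN label; anything else is tried as raw
DER, whose first byte is the ASN.1 SEQUENCE tag 0x30 (X.690). All sample inputs
below are constructed, not real keys.
"""
import base64
import re

# PEM labels OpenSSL accepts for a private key, and the structure each label promises.
PRIVATE_LABELS = {"RSA PRIVATE KEY": "PKCS#1", "PRIVATE KEY": "PKCS#8",
                  "EC PRIVATE KEY": "SEC1", "ENCRYPTED PRIVATE KEY": "encrypted"}
_PEM_RE = re.compile(rb"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
                     rb"(?P<body>.*?)-----END (?P=label)-----", re.DOTALL)

def _der_tlv(buf, pos):
    """Decode one tag-length-value at pos (X.690 8.1) -> (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated: no room for tag and length")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("value runs past end of data")
    return tag, pos, pos + length

def inspect_der(der):
    """Name the key structure from the first two elements of the outer SEQUENCE."""
    try:
        tag, start, _ = _der_tlv(der, 0)
        if tag != 0x30:
            return "not an ASN.1 SEQUENCE (outer tag 0x%02x)" % tag
        t1, s1, e1 = _der_tlv(der, start)
        if t1 == 0x30:   # EncryptedPrivateKeyInfo, Certificate and SubjectPublicKeyInfo all start so
            return "first element is a SEQUENCE: not a plain private key"
        if t1 != 0x02:
            return "unexpected first element tag 0x%02x" % t1
        version, (t2, _, _) = int.from_bytes(der[s1:e1], "big"), _der_tlv(der, e1)
    except ValueError as exc:
        return "malformed DER: %s" % exc
    names = {(0, 0x02): "PKCS#1 RSAPrivateKey",     # version 0, then INTEGER n
             (0, 0x30): "PKCS#8 PrivateKeyInfo",    # version 0, then AlgorithmIdentifier
             (1, 0x04): "SEC1 ECPrivateKey"}        # version 1, then OCTET STRING privateKey
    return names.get((version, t2), "unrecognised: version %d, second tag 0x%02x" % (version, t2))

def classify_key(data):
    """Report encoding, encryption and structure, plus the -keyform flag to pass to openssl."""
    r = {"encoding": "unknown", "label": None, "encrypted": False,
         "structure": None, "keyform": None, "label_mismatch": False}
    m = _PEM_RE.search(data)
    if m is None:
        if data[:1] == b"\x30":           # raw DER: outer SEQUENCE tag, no envelope
            r.update(encoding="DER", keyform="-keyform DER", structure=inspect_der(data))
        else:
            r["structure"] = "neither a PEM envelope nor a DER SEQUENCE"
        return r
    label = m.group("label").decode()
    r.update(encoding="PEM", label=label)
    if label in PRIVATE_LABELS:           # a CERTIFICATE or PUBLIC KEY block is no use as -key
        r["keyform"] = "-keyform PEM"
    lines, headers = m.group("body").splitlines(), {}
    while lines and b":" in lines[0]:     # RFC 1421 headers precede a legacy encrypted body
        k, _, v = lines.pop(0).partition(b":")
        headers[k.strip().decode()] = v.strip().decode()
    if headers.get("Proc-Type") == "4,ENCRYPTED" or label == "ENCRYPTED PRIVATE KEY":
        r.update(encrypted=True, structure="encrypted: supply the passphrase or re-save without one")
        return r
    try:
        der = base64.b64decode(b"".join(l.strip() for l in lines), validate=True)
    except ValueError as exc:
        r["structure"] = "base64 body does not decode: %s" % exc
        return r
    r["structure"] = inspect_der(der)
    # OpenSSL decodes the body according to the label; when they disagree the decoder
    # reports ASN.1 "wrong tag" errors even though the bytes are well-formed DER.
    expected = PRIVATE_LABELS.get(label)
    r["label_mismatch"] = bool(expected) and not r["structure"].startswith(expected)
    return r

def pem(label, der, headers=None):
    """Wrap DER in a PEM envelope, with optional RFC 1421 headers (constructed test helper)."""
    out = ["-----BEGIN %s-----" % label]
    if headers:
        out += ["%s: %s" % kv for kv in headers.items()] + [""]
    b64 = base64.b64encode(der).decode()
    out += [b64[i:i + 64] for i in range(0, len(b64), 64)] + ["-----END %s-----" % label]
    return ("\n".join(out) + "\n").encode()

# Constructed DER prefixes: structurally valid, values meaningless, not real keys.
PKCS1_DER = bytes.fromhex("300b0201000203010001020103")            # SEQ{INT 0, INT 65537, INT 3}
PKCS8_DER = bytes.fromhex("3015020100300d06092a864886f70d0101010500040100")  # SEQ{INT 0, SEQ{OID rsa, NULL}, OCTET}
SEC1_DER = bytes.fromhex("30060201010401aa")                        # SEQ{INT 1, OCTET STRING}

if __name__ == "__main__":
    for name, blob in [("pkcs1.pem", pem("RSA PRIVATE KEY", PKCS1_DER)),
                       ("mislabelled.pem", pem("RSA PRIVATE KEY", PKCS8_DER)),
                       ("key.der", PKCS8_DER)]:
        print(name, classify_key(blob))
```

To use it on a real file, call `classify_key(open("server.key", "rb").read())`; the `keyform` field is the flag to add to `openssl s_server`, and `encrypted` tells you whether to re-save the key without a passphrase first. A `label_mismatch` of True means the bytes are valid DER but not the structure the BEGIN label announces, which is worth fixing before looking any further at the certificate.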