Nginx SSL Certificate failed SSL: error:0B080074:x509 (Google Cloud)

My server was hosted on Bluehost (Apache), and the certificate was working fine. Now I'm using Google Cloud for multiple pages in NodeJS on different ports using proxy_pass. I am trying to configure SSL but I have problems. I looked for similar questions, but it still shows the same error. I created the key file following this link

/var/log/nginx/error.log:

2015/07/08 10:47:20 [emerg] 2950#0: SL_CTX_use_PrivateKey_file("/etc/nginx/ssl/domain_com/domain_com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

When I run this on the console:

openssl rsa -noout -modulus -in domain_com.key shows me this:

Modulus=D484DD1......512 characters in total......5A8F3DEF999005F

openssl x509 -noout -modulus -in ssl-bundle.crt:

Modulus=B1E3B0A.......512 characters in total......AFC79424BE139

This is my Nginx setup:

server {
    listen 443;
    server_name www.domain.com;

    ssl_certificate /etc/nginx/ssl/domain_com/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/domain_com/domain_com.key;

    ssl on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/domain_com.access.log;

    location / {
       proxy_set_header                         Host $host;
       proxy_set_header X-Real-IP               $remote_addr;
       proxy_set_header X-Forwarded-For         $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto       $scheme;
       proxy_pass                               http://localhost:8086;
       proxy_read_timeout                       90;
       proxy_redirect                           http://localhost:8086 https://www.domain.com;
    }
}

Walter Chapilliquen - wZVanG asked Jul 08 '15 11:07


1 Answer

The problem may occur in case of wrong concatenation order. You tried:

cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt  COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

Which looks correct, but concatenation usually requires eliminating the extra download from the root CA; therefore the Nginx creator said:

Browsers usually store intermediate certificates which they receive and which are signed by trusted authorities, so actively used browsers may already have the required intermediate certificates and may not complain about a certificate sent without a chained bundle.

The official docs explicitly say:

If the server certificate and the bundle have been concatenated in the wrong order, nginx will fail to start and will display the error message:

SSL_CTX_use_PrivateKey_file(" ... /www.example.com.key") failed
   (SSL: error:0B080074:x509 certificate routines:
    X509_check_private_key:key values mismatch)

because nginx has tried to use the private key with the bundle’s first certificate instead of the server certificate.

So to solve the problem please try:

  1. Attach www_example_com.crt to ssl_certificate Nginx config key

  2. Download the latest Comodo SHA2 CA certificates from the official web page and try one more time to concatenate the bundle

Anatoly answered Nov 15 '22 05:11
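The ordering problem described in the answer can be checked before nginx is reloaded. The script below is an added example, not part of the original question or answer. Its function names are hypothetical, and it assumes the `openssl` CLI and PEM-encoded key and bundle files.

```shell
#!/usr/bin/env bash
# Added example: report which certificate in a PEM bundle belongs to a private key.
# nginx pairs ssl_certificate_key with the FIRST certificate in ssl_certificate,
# so any position other than 1 produces "key values mismatch" at startup.

# Print the 1-based position of the certificate whose public key matches KEY,
# or 0 if no certificate in BUNDLE matches.
matching_cert_position() {
    local key="$1" bundle="$2" tmp key_pub pos=0 i=0 f
    tmp=$(mktemp -d) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { rm -rf "$tmp"; return 2; }
    # Split the bundle into one file per certificate (cert.1.pem, cert.2.pem, ...).
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert.%d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    while :; do
        i=$((i + 1)); f="$tmp/cert.$i.pem"
        [ -f "$f" ] || break
        if [ "$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null)" = "$key_pub" ]; then
            pos=$i; break
        fi
    done
    rm -rf "$tmp"
    echo "$pos"
}

# Exit status 0 only when the bundle is in the order nginx needs.
check_bundle_order() {
    local pos
    pos=$(matching_cert_position "$1" "$2") || return 2
    case $pos in
        1) echo "OK: first certificate matches the key" ;;
        0) echo "FAIL: no certificate in the bundle matches the key"; return 1 ;;
        *) echo "FAIL: matching certificate is #$pos; move it to the top"; return 1 ;;
    esac
}

# Usage: ./check_bundle.sh domain_com.key ssl-bundle.crt
if [ "$#" -eq 2 ]; then check_bundle_order "$1" "$2"; fi
```

A result of 0 means the key belongs to none of the certificates in the bundle, which reordering cannot fix.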