So I've been sent a new public cert to install on a server (.crt file). Done. Restart apache - "FAILED".
Error message:
[Tue Jan 11 12:51:37 2011] [error] Unable to configure RSA server private key
[Tue Jan 11 12:51:37 2011] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
I've checked the key values:
openssl rsa -noout -modulus -in server.key | openssl md5
openssl x509 -noout -modulus -in server.crt | openssl md5
and they DO match.
I've checked the paths in my ssl.conf file, and they ARE pointing to the correct files.
If I reinstate the old (expired) cert file, apache starts up ok, so it definitely doesn't like something about the new one.
It's a GeoTrust QuickSSL, and it came with an "intermediate.crt" that I'm supposed to use in place of the "ca-bundle.crt" file that I was using before:
SSLCertificateFile /etc/pki/tls/certs/www.domain.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.domain.com.key
SSLCACertificateFile /etc/pki/tls/certs/intermediate.crt
Any ideas what I might be doing wrong? Any more info you need?
Thanks!
I also came across the same error. In my case I had to supply additional CA certificates in the verification chain. And instead of supplying the certificate and the key in separate files, I combined them in a .pem file.
However, when you do this, the order of the key and the certificate plus the intermediate one(s) is important. The correct order:
your private key
your certificate
(intermediate) CA certificate lowest in the hierarchy
other CA certificates higher in the hierarchy...
(intermediate) CA certificate highest in the hierarchy
I had the same issue on one of my CentOS 6.5 servers recently and it was down to when I generated the KEY and CSR.
I have three sites running on this server in virtualhosts all with dedicated IPs and each site has its own SSL Certificate.
In a rush, when changing one of the certificates, I stupidly just followed the certificate provider's guide to gaining the CSR and installing it in Apache, and I was instructed to use the following command:
openssl req -new -newkey rsa:2048 -nodes -keyout domain-name-here.key -out domain-name-here.csr
After installing the new certificate I was then also facing Apache not starting and the same errors in /var/log/httpd/ssl_error_log:
[error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[error] Unable to configure RSA server private key
Now what I really should have done was check my .bash_history files, as I have successfully done this in CentOS many times before.
I should have run these two commands instead:
openssl genrsa -des3 -out domain-name-here.co.uk.key 2048
openssl req -new -key domain-name-here.co.uk.key -out domain-name-here.co.uk.csr
This then successfully generated the CSR and KEY, and I re-applied for the certificate using the newly gained CSR, then applied the new certificate and added the new key file and finally then Apache would start cleanly.
Also, just to note, after a little configuration we now score A+ in an SSL labs test.
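The following script is an added example and is not code from any of the posts above. It reproduces the situation behind the "key values mismatch" error with a throwaway PKI built by openssl and then runs the checks the three posts touch on: the key-versus-certificate comparison from the question (done on the public key, which is the generic form of the modulus/md5 check), the key-versus-CSR comparison that would have caught the mistake in the third answer, a chain verification through the intermediate, and a combined PEM assembled in the order the first answer gives. The CA names, the host name www.example.test and all file names are made up for the demo; it assumes openssl 1.1.1 or later in PATH and runs offline.

```shell
#!/bin/sh
# Added example, not part of the original question or answers.
# Builds a throwaway PKI and shows the checks that separate the causes of
# "X509_check_private_key:key values mismatch": a key that does not belong to
# the certificate (third answer), a cert file whose first certificate is not the
# server certificate, and a combined PEM in the order the first answer describes.
# Assumes openssl (1.1.1 or later) in PATH; every name here is made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed test PKI: Demo Root -> Demo Intermediate -> www.example.test.
# The leaf key and CSR are produced the way the third answer recommends
# (genrsa, then req -new -key); -des3 is left out so nothing prompts for a passphrase.
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl genrsa -out root.key 2048 2>/dev/null
  openssl req -x509 -new -key root.key -subj '/CN=Demo Root' -days 2 -out root.crt 2>/dev/null
  openssl genrsa -out intermediate.key 2048 2>/dev/null
  openssl req -new -key intermediate.key -subj '/CN=Demo Intermediate' -out intermediate.csr 2>/dev/null
  openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out intermediate.crt 2>/dev/null
  openssl genrsa -out www.example.test.key 2048 2>/dev/null
  openssl req -new -key www.example.test.key -subj '/CN=www.example.test' -out www.example.test.csr 2>/dev/null
  openssl x509 -req -in www.example.test.csr -CA intermediate.crt -CAkey intermediate.key \
    -CAcreateserial -days 2 -out www.example.test.crt 2>/dev/null
  # A key that was never used for the CSR: the mistake behind the third answer.
  openssl genrsa -out wrong.key 2048 2>/dev/null
  # A cert file with the intermediate in front of the server certificate.
  cat intermediate.crt www.example.test.crt > intermediate-first.crt
}

# Public-key comparison: the generic form of the modulus/md5 check in the question
# (it also works for non-RSA keys). "openssl x509 -in" reads only the FIRST
# certificate in the file, which is also the one mod_ssl pairs with the key.
key_matches_cert() {   # KEYFILE CERTFILE -> exit 0 when they belong together
  key_pub="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
  cert_pub="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)"
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Same comparison against the CSR: run it before sending the CSR to the CA, so the
# certificate that comes back is guaranteed to fit the key that will be deployed.
key_matches_csr() {    # KEYFILE CSRFILE -> exit 0 when the CSR was made from the key
  key_pub="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
  csr_pub="$(openssl req -in "$2" -pubkey -noout 2>/dev/null)"
  [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# Chain check: the leaf must validate through the intermediate up to a trusted root.
chain_verifies() {     # LEAF INTERMEDIATE ROOT
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Combined PEM in the order the first answer gives: key, server certificate,
# then the intermediates from lowest to highest in the hierarchy.
build_combined_pem() { # OUTFILE KEYFILE CERTFILE [INTERMEDIATE...]
  out="$1"; shift
  cat "$@" > "$out"
}

pem_block_types() {    # lists the PEM block types in a file, in order
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

make_test_pki
build_combined_pem combined.pem www.example.test.key www.example.test.crt intermediate.crt

if key_matches_cert www.example.test.key www.example.test.crt; then
  echo "deployed key matches the server certificate"
fi
if ! key_matches_cert wrong.key www.example.test.crt; then
  echo "wrong.key: key values mismatch (the error in the question)"
fi
if ! key_matches_cert www.example.test.key intermediate-first.crt; then
  echo "intermediate-first.crt: also a mismatch, the first cert is not the server cert"
fi
if chain_verifies www.example.test.crt intermediate.crt root.crt; then
  echo "leaf chains to Demo Root via Demo Intermediate"
fi
echo "combined.pem block order:"; pem_block_types combined.pem
```

Run it as `sh check-cert.sh` (any file name will do). When applying it to a real deployment, substitute the paths from SSLCertificateKeyFile and SSLCertificateFile for the key and leaf arguments; the `intermediate-first.crt` case shows why a matching modulus on the command line and a failing Apache start are not a contradiction if the file Apache reads differs from the one you checked.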