Ssl error 0b080074 x509

Learn more about Nginx SSL: error:0B080074:x509 certificate routines: X509_check_private_key:key values mismatch. Find your answers at Namecheap Knowledge Base.

There are two reasons you may have received this error, and therefore two corresponding fixes.

  1. Private key mismatch: During the CSR generation using OpenSSL, the key and CSR could have been generated in different directories. In order to find the needed key, run the following command:

    find / -name "*.key"

    Once the keys are found, run the following pair of commands:

    openssl x509 -in /path/to/yourdomain.crt -noout -modulus | openssl sha1
    openssl rsa -in /path/to/your.key -noout -modulus | openssl sha1

    /path/to/yourdomain.crt should be replaced with the path to your certificate, and /path/to/your.key with the path of each .key file that the find command returned.

    If the modulus of the certificate is equal to one of the key moduli, then that key matches the certificate, so nginx configs can be modified accordingly.

    The key and the certificate can be matched here.

    If none of the outputs match the certificate’s, you should generate a new CSR and private key and reissue.

  2. Improper order of concatenation of the certificates.

    This order is essential and should be as follows: end-entity certificate (your_domain.crt) -> first intermediate -> second intermediate -> root.

    The certificate can also be downloaded from the Namecheap Dashboard with the full bundle concatenated in one file (yourdomain.ca-bundle), so the command for nginx should look like this:

    cat your_domain.crt your_domain.ca-bundle >> nginx_bundle.crt

    If the bundle is sent in separate files, download it here and use it in the above command instead of your_domain.ca-bundle.

For example, Comodo (now Sectigo) PositiveSSL has the following files in the bundle: COMODO RSA Domain Validation Secure Server CA -> COMODO RSA Certification Authority -> AddTrust External CA Root (ECDSA analogues are COMODO ECC Domain Validation Secure Server CA -> COMODO ECC Certification Authority).

In this case, the command will appear as follows:

cat your_domain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSACertificationAuthority.crt AddTrustExternalCARoot.crt >> nginx_bundle.crt

Next, correct the virtual host for port 443 in the nginx server configuration file:

server {
    listen 443 ssl;
    server_name your_domain_name;

    # "ssl on;" is the older form; the ssl directive is deprecated since nginx 1.15.0,
    # the ssl parameter on listen replaces it
    ssl_certificate     /path/to/nginx_bundle.crt;
    ssl_certificate_key /path/to/your.key;
}

Once the above changes are made, reload the nginx instance with the "nginx -s reload" command.

The certificate installation can be checked here.

For the SSL key values mismatch issue, there are two main reasons.

Error message about X509_check_private_key:key values mismatch

[email protected]:~# service nginx restart
Restarting nginx: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/conf.d/ssl/ssl.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

nginx: configuration file /etc/nginx/nginx.conf test failed

Failed to load private key from ./envoy/test/extensions/transport_sockets/tls/test_data/san_dns2_key.pem, Cause: error:0b000074:X.509 certificate routines:OPENSSL_internal:KEY_VALUES_MISMATCH

Thu Jul 28 17:55:12 2016 OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Cannot load SSL private key file. Error: error: 0B080074:x509 certificate routines:X509_check_private_key:key values mismatch.

  • Key values mismatch between the private key, the CSR and the certificate file.
  • Certificate chain order is not correct.

Verifying Our Keys Match

To verify that the public and private keys match, extract the public key from the CSR, the certificate and the key file and generate a hash of each.

All three files should share the same public key and the same hash value.

Before we run the verification command:

  • Make sure the CSR, certificate and key are in PEM format. If not, convert them with the openssl command first.
  • Hash the public key of each file and check that it matches the hash of the public key contained in the private key.

Use the following commands to generate a hash of each file’s public key:

  • openssl pkey -pubout -in private.key | openssl sha256
  • openssl req -pubkey -in request.csr -noout | openssl sha256
  • openssl x509 -pubkey -in certificate.crt -noout | openssl sha256

Each command will output (stdin)= followed by a string of characters. If the output of each command matches, then the keys for each file are the same.

If we run into a key mismatch error, we need to do one of the following:

  • Transfer the private key from the machine used to generate the CSR to the one we are trying to install the certificate on.
  • Install the certificate on the machine with the private key.
  • Generate an entirely new key and create a new CSR on the machine that will use the certificate.

Check the certificate order

If the server certificate and the bundle have been concatenated in the wrong order, we also get this key values mismatch error.

In this case, we need to put the server certificate on top of the certificate file.

Before (which is wrong):

cat ca_bundle.crt server_certificate.crt > bundle_chained.crt

After (which is right):

cat server_certificate.crt ca_bundle.crt > bundle_chained.crt

The working certificate bundle file should look like below.

  • server certificate
  • intermediate certificate1
  • intermediate certificate 2, if there is one

-----BEGIN CERTIFICATE-----
MIICC-this-is-the-certificate-that-signed-your-request
-this-is-the-certificate-that-signed-your-request-this
-is-the-certificate-that-signed-your-request-this-is-t
he-certificate-that-signed-your-request-this-is-the-ce
rtificate-that-signed-your-request-A
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICC-this-is-the-certificate-that-signed-for-that-one
-this-is-the-certificate-that-signed-for-that-one-this
-is-the-certificate-that-signed-for-that-one-this-is-t
he-certificate-that-signed-for-that-one-this-is-the-ce
rtificate-that-signed-for-that-one-this-is-the-certifi
cate-that-signed-for-that-one-AA
-----END CERTIFICATE-----
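The key check and the chain-order check from the two sections above, as an added shell example that is not part of the original article: it constructs a throwaway CA, a server key, CSR and certificate signed by that CA, and an unrelated key (all names made up), then tests a right-order and a wrong-order bundle the way nginx, Apache and OpenVPN effectively do. It hashes the public key rather than the RSA modulus, so the same check also covers ECDSA material.

```shell
#!/bin/sh
# Added example, not taken from any of the articles above: build throwaway
# certificates, then run the two checks behind "key values mismatch":
#  (1) does the key match the FIRST certificate in the bundle, which is the
#      only one SSL_CTX_use_PrivateKey_file compares it against, and
#  (2) is every later certificate the issuer of the one before it.
# Assumes POSIX sh, awk, sed and openssl 1.1.1+ on PATH; all names are made up.
WORK=$(mktemp -d)

# SHA-256 of the public key held in a key, CSR or certificate. Unlike the
# RSA-only "-modulus" trick this also works for ECDSA material.
pubkey_sha256() {   # $1 = key|csr|crt   $2 = PEM file
  case "$1" in
    key) openssl pkey -pubout -in "$2" ;;
    csr) openssl req -pubkey -noout -in "$2" ;;
    crt) openssl x509 -pubkey -noout -in "$2" ;;
  esac | openssl sha256 | awk '{print $NF}'
}

# 0 when the key belongs to the first certificate of the bundle (what nginx,
# Apache and OpenVPN all require), 1 otherwise.
key_matches_bundle() {   # $1 = key   $2 = bundle
  awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$2" > "$WORK/first.pem"
  [ "$(pubkey_sha256 key "$1")" = "$(pubkey_sha256 crt "$WORK/first.pem")" ]
}

# 0 when cert[i+1].subject == cert[i].issuer for every i, i.e. the bundle runs
# leaf -> intermediate(s) -> root with nothing out of place.
chain_in_order() {   # $1 = bundle
  rm -f "$WORK"/part*.pem
  awk -v d="$WORK/part" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d n ".pem")}' "$1"
  i=1
  while [ -f "$WORK/part$((i+1)).pem" ]; do
    issuer=$(openssl x509 -noout -issuer -in "$WORK/part$i.pem" | sed 's/^issuer=//')
    subject=$(openssl x509 -noout -subject -in "$WORK/part$((i+1)).pem" | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] || return 1
    i=$((i+1))
  done
  return 0
}

# Constructed fixtures: a CA, a server key+CSR+cert it signs, an unrelated key.
make_fixtures() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/server.crt" 2>/dev/null
  openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null   # CSR made "elsewhere"
  cat "$WORK/server.crt" "$WORK/ca.crt" > "$WORK/right_order.crt"
  cat "$WORK/ca.crt" "$WORK/server.crt" > "$WORK/wrong_order.crt"
}

make_fixtures
for b in right_order.crt wrong_order.crt; do
  if key_matches_bundle "$WORK/server.key" "$WORK/$b"; then
    echo "$b: key matches first certificate"
  else
    echo "$b: key values mismatch, fix the order or find the right key"
  fi
  chain_in_order "$WORK/$b" && echo "$b: chain order ok" || echo "$b: chain out of order"
done
```

Run it against a real deployment by calling key_matches_bundle and chain_in_order with the paths from ssl_certificate_key and ssl_certificate.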


2 Ways to Fix SSL key values mismatch

The following error message may be thrown when trying to start nginx:

nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/ssl/private/cert1.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

The root cause of this error message is that your private key and your certificate do not match when you try to enable SSL in your nginx instance. To verify that the private key and the certificate belong together, nginx compares the modulus of each. If they don't match, you get this error.

The key and certificate that are being compared can be found in your site’s nginx server configuration:

  • The private key is defined as ssl_certificate_key
  • The certificate is defined as ssl_certificate

Verify the modulus of your private key (passing it through md5sum to create a smaller string to visually compare):

$ sudo openssl rsa -modulus -in /etc/ssl/private/cert1.key -noout | md5sum
5c9f7e379e9e28adf61ece609d32c878  -

And compare that with the modulus from the certificate:

$ sudo openssl x509 -modulus -in /etc/ssl/certs/cert1_wrong.crt -noout | md5sum
fed25082bfadf88e0e505fd5e92602fb  -

As you can see, in my case the digests are different. What can cause a different modulus? Most often the certificate was generated from a different key. But if you have extracted the certificate from a PKCS#12 bundle, you might also have to change the order of the certificates in the extracted file, because the modulus is calculated from the first certificate found in the file. When extracting, you can first extract just the client certificate with -clcerts and then concatenate that with the CA certificates extracted with -cacerts, which gives a full chain file with the certificates in the right order.

Once you have resolved the mismatched certificate, you should be able to validate the matching moduli before successfully starting nginx:

$ sudo openssl x509 -modulus -in /etc/ssl/certs/cert1_fixed.crt -noout | md5sum
5c9f7e379e9e28adf61ece609d32c878  -

Hopefully this can help you quickly resolve this nginx SSL issue!

This post is licensed under CC BY 4.0 by the author.


What is SSL certificate

Server certificates are the most popular type of X.509 certificate. SSL/TLS certificates are issued to hostnames (machine names like ‘ABC-SERVER-02’ or domain names like google.com).

A server certificate is a file installed on a website’s origin server. It’s simply a data file containing the public key and the identity of the website owner, along with other information. Without a server certificate, a website’s traffic can’t be encrypted with TLS.

Technically, any website owner can create their own server certificate, and such certificates are called self-signed certificates. However, browsers do not consider self-signed certificates to be as trustworthy as SSL certificates issued by a certificate authority.

Understanding SSL certificates

How to get an SSL server certificate

  • generate a key pair
  • use this key pair to generate a certificate signing request (CSR) that contains the public key and domain name of our website
  • upload the request to a certificate authority
  • download the certificate and install it on our web server along with the key pair


Certificate installation on Apache webserver at times triggers the error message “Certificate routines:X509_check_private_key:key values mismatch”.

This usually happens during an Apache service restart.

As a part of our Server Management Services, we help our Customers to fix SSL related errors regularly.

Let us today discuss the possible causes and fixes for this error.

What causes “certificate routines:X509_check_private_key:key values mismatch” error?

As discussed earlier, restarting the Apache service while installing a certificate on the webserver at times yields a key values mismatch error. A typical error message looks like the one below:

[Fri Mar 07 14:59:57 2014] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

The most common reasons for this error include:

  1. Private key mismatch during the restart of the Apache service.
  2. Improper order of concatenation of the certificates

Private key mismatch

A major reason for this error is the usage of an incorrect private key along with the certificate received from the Certificate Authority. In reality, it implies that the private key in the VirtualHost section of the .conf file didn’t match the SSL Certificate in the same section.

For the webserver to accept a certificate, we should use the same private key along with the CSR code given for the certificate activation.

We can check whether the certificate matches the private key using the following OpenSSL commands:

openssl x509 -in /path/to/certificate.crt -noout -modulus | openssl sha1
openssl rsa -in /path/to/private.key -noout -modulus | openssl sha1

Replace the file names in the commands with the exact one for the certificate and private key. The first command applies to the certificate file from the Certificate Authority. The second one is for the private key.

If the outputs of the commands differ, this means that the chosen private key does not match the certificate.

Thus we will need to find another private key file on the server. The command below will help us with it:

find / -name "*.key"

This command will find all files on the server with .key extensions. Once the keys are found, check their moduli using the OpenSSL rsa command listed above to locate one that matches.

If a private key with a modulus matching the certificate cannot be found, we need to generate a new CSR code and reissue the certificate.

Sometimes, we can fix the issue by creating a new CSR from the existing private key file. The command for this operation is:

openssl req -new -key your_domain_com.key -out your_domain_com.csr

Improper order of concatenation of the certificates

Prior to Apache version 2.4.8, SSLCertificateFile was extended to load intermediate CA certificates from the server certificate file as well. It allowed the certificate file to contain the certificate as well as intermediate certificates.

Thus, it is important to place the end-entity certificate for the domain as the first certificate in this file, with the intermediate certificates placed below it, starting from the one that signed the end-entity certificate. Otherwise, it triggers the key values mismatch error.

The correct order should be as follows: end-entity certificate (your_domain.crt) -> first intermediate -> second intermediate -> root.

[Need any further assistance in fixing SSL errors? – We’re available 24*7]

Conclusion

In short, “Certificate routines:X509_check_private_key:key values mismatch” triggers during SSL certificate installation. Today, we saw how our Support Engineers fix this error.

aborrero

OpenVpn Newbie
Posts: 3
Joined: Mon Jun 06, 2011 11:58 am

[SOLVED] Problem with server certificates. Error 0B080074

Hi there.

In my server I get this error message when starting:

Cannot load private key file /etc/ssl/private/whatever.key: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

I generated the key and the cert from a PKCS12 file, using openssl

Any idea?

Regards.

Last edited by aborrero on Mon Jun 06, 2011 2:25 pm, edited 1 time in total.


User avatar

janjust

Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam
Contact:

Re: Problem with server certificates. Error 0B080074

Post

by janjust » Mon Jun 06, 2011 12:56 pm

the certificate used and the private key /etc/ssl/private/whatever.key do not belong to each other — you can also specify the pkcs12 file directly using


aborrero

OpenVpn Newbie
Posts: 3
Joined: Mon Jun 06, 2011 11:58 am

Re: Problem with server certificates. Error 0B080074

Post

by aborrero » Mon Jun 06, 2011 1:53 pm

Hi.

The .crt and .key files are extracted from the pkcs12 file using openssl. I don’t see anything bad with that.

Using the pkcs12 file prompts for a password every time I start the server. If there is a way to remove the password from a pkcs12 file I will look for it.


aborrero

OpenVpn Newbie
Posts: 3
Joined: Mon Jun 06, 2011 11:58 am

Re: Problem with server certificates. Error 0B080074

Post

by aborrero » Mon Jun 06, 2011 2:24 pm

SOLVED!

It was a bad use of openssl.

To get key file (-nocerts leaves out the certificates, -nodes writes the key unencrypted):
openssl pkcs12 -in file.p12 -out file.key -nocerts -nodes
[…prompt for password…]

To get crt file (-clcerts gives only the end-entity certificate, -nokeys leaves out the key):
openssl pkcs12 -in file.p12 -out file.crt -clcerts -nokeys
[…prompt for password…]


User avatar

janjust

Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam
Contact:

Re: [SOLVED] Problem with server certificates. Error 0B08007

Post

by janjust » Mon Jun 06, 2011 2:48 pm

Excellent!

BTW, you can remove the password from a PKCS12 file using


openssl pkcs12 -in <p12file> -nodes -out <newp12file>
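As an added example that is not part of the thread: the same PKCS#12 split done against a constructed container and password (not real credentials), keeping the key and the certificate in separate files, dropping the passphrase so the server no longer prompts at start-up, and confirming the two halves belong together before any server is pointed at them.

```shell
#!/bin/sh
# Added example, not from the forum thread: split a PKCS#12 container into
# the separate key and certificate files OpenVPN/nginx expect, and confirm
# the two halves belong together before pointing a server at them.
# Assumes POSIX sh, awk and openssl on PATH; the .p12 and its password are
# constructed here, not real credentials.
WORK=$(mktemp -d)

# Construct a throwaway key + self-signed certificate and pack them into a .p12
make_p12() {   # $1 = output .p12   $2 = export password
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vpn.example.test" \
    -keyout "$WORK/orig.key" -out "$WORK/orig.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/orig.key" -in "$WORK/orig.crt" \
    -passout "pass:$2" -out "$1"
}

# Private key only: -nocerts drops the certificates, -nodes drops the
# passphrase so the server no longer prompts for it at start-up.
extract_key() {   # $1 = .p12   $2 = password   $3 = output key file
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3"
}

# End-entity certificate only: -clcerts skips CA certs, -nokeys skips the key.
extract_cert() {   # $1 = .p12   $2 = password   $3 = output cert file
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3"
}

# The check X509_check_private_key performs, expressed as a public-key hash
# comparison (works for RSA and ECDSA keys alike).
pair_matches() {   # $1 = key file   $2 = certificate file
  k=$(openssl pkey -pubout -in "$1" | openssl sha256 | awk '{print $NF}')
  c=$(openssl x509 -pubkey -noout -in "$2" | openssl sha256 | awk '{print $NF}')
  [ "$k" = "$c" ]
}

make_p12 "$WORK/server.p12" "export-pw"
extract_key  "$WORK/server.p12" "export-pw" "$WORK/server.key"
extract_cert "$WORK/server.p12" "export-pw" "$WORK/server.crt"
chmod 600 "$WORK/server.key"   # an unencrypted key must not be world-readable
if pair_matches "$WORK/server.key" "$WORK/server.crt"; then
  echo "server.key and server.crt belong together"
else
  echo "key values mismatch: these files did not come from the same .p12"
fi
```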


Nov 28 2017

The error

nginx SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

can happen for a chain of certificates merged into one .crt file. The reason is that nginx checks the private key against the first certificate in the .crt file, so the first certificate in the file must be the server certificate. Thus the correct order in a .crt file is the following:

-----BEGIN CERTIFICATE-----
THIS IS THE SERVER CERTIFICATE CONTENT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
THIS IS THE ROOT CA CERTIFICATE CONTENT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
THIS IS THE INTERMEDIATE CA CERTIFICATE CONTENT
-----END CERTIFICATE-----

You can use any text editor. Make sure there are no extra symbols or carriage returns.

Now you can check the certificate chain with
# openssl x509 -noout -text -in /etc/ssl/example.com.crt_chain
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
85:3d:b3:5a:41:06:69:1b:54:71:cf:6f:09:11:7f:16
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=GeoTrust Inc., CN=RapidSSL SHA256 CA
Validity
Not Before: Nov 15 00:00:00 2017 GMT
Not After : Dec 14 23:59:59 2020 GMT
Subject: CN=*.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e9:44:51:17:b6:2e:40:67:60:24:75:17:12:37:
08:df:2a:21:05:74:79:3c:af:eb:1b:88:25:54:e7:
f9:2a:16:f1:16:8c:98:99:95:2e:82:33:d7:ca:62:
32:30:47:69:cb:71:ab:f0:bf:fa:69:1a:51:8c:c9:
ba:52:60:3c:f9:6b:82:e6:99:4d:87:c1:b9:c8:2a:
e4:e3:6c:14:g4:93:ec:6c:fc:25:16:c6:61:45:5c:
8c:7b:62:01:6d:0b:df:d9:dc:2e:8e:c9:70:9f:60:
d8:c8:1e:df:6e:b6:fb:ec:7a:45:62:4b:4e:cf:d0:
fd:94:16:5b:57:45:0b:61:88:b3:09:82:ae:05:f4:
13:e9:b4:13:6f:e6:26:95:db:4e:7e:92:a0:92:71:
3d:ea:fc:6d:3f:08:75:e2:78:c6:8a:27:1a:3a:e5:
28:eb:36:59:2e:06:3d:c7:57:33:7e:6a:00:e3:f4:
1b:ec:4a:8b:7a:96:80:08:5d:ad:06:47:42:f7:7f:
fa:a8:f2:ca:09:ba:98:c2:73:10:b1:f9:fe:89:64:
88:07:5a:74:d8:29:aa:41:5e:e3:77:22:c5:6e:ad:
cd:9f:70:be:ba:6c:2a:38:c4:18:15:c9:ed:dd:86:
d9:4f:f7:57:4c:7f:99:5c:91:c2:5a:0b:93:9c:2f:
ed:09
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:*.example.com, DNS:example.com
X509v3 Basic Constraints:
CA:FALSE
X509v3 CRL Distribution Points:
...

You can see that the Subject field matches your domain and that the Basic Constraints CA field is FALSE, i.e. the first certificate in the file is the server certificate.

openssl verify utility will not be happy:
# openssl verify /etc/ssl/example.com.crt_chain
/etc/ssl/example.com.crt_chain: CN = *.example.com
error 20 at 0 depth lookup:unable to get local issuer certificate

but this should not confuse you in case of nginx.

Please also check the article How to convert pfx certificate to crt.

Want me to do this for you? Drop me a line: itgalaxyzzz {at} gmail [point] com
