Want more timely Centmin Mod News Updates?
Become a Member

SSL SSL_CTX_use_PrivateKey_file Fail

Discussion in 'Domains, DNS, Email & SSL Certificates' started by pamamolf, Apr 29, 2016.

Tags:
  1. pamamolf

    pamamolf Well-Known Member

    2,491
    229
    63
    May 31, 2014
    Ratings:
    +390
    Local Time:
    5:38 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    Hi

    Target is to get :

    Code:
    https://www.domain.com
    My ssl config file:

    Code:
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    server {
           listen   80;
           server_name domain.com www.domain.com;
           return 302 https://$server_name$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      server_name domain.com www.domain.com;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/domain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/ssl-unified.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # mozilla recommended
      ssl_ciphers EECDH+CHACHA20-draft:EECDH+CHACHA20:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
      # HTTP Public Key Pinning Header uncomment only one that applies include or exclude domains.
      # You'd want to include subdomains if you're using SSL wildcard certificates
      # include subdomain
      #add_header Public-Key-Pins 'pin-sha256="QBOPIgcPytpHLlqejWCM0Vd/OWx8MUJcwrxCVQsyU8I="; pin-sha256="tsWSzg/trQlqIOJ4tDdoXCLTEJGj5ezYhmCAmF/QX1o="; max-age=86400; includeSubDomains';
      # exclude subdomains
      #add_header Public-Key-Pins 'pin-sha256="QBOPIgcPytpHLlqejWCM0Vd/OWx8MUJcwrxCVQsyU8I="; pin-sha256="tsWSzg/trQlqIOJ4tDdoXCLTEJGj5ezYhmCAmF/QX1o="; max-age=86400';
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1400;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/ssl-trusted.crt; 
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always; 
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/domain.com/log/error.log;
    
      root /home/nginx/domains/domain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      #include /usr/local/nginx/conf/503include-main.conf;
    
      # prevent access to ./directories and files
      location ~ (?:^|/)\. {
       deny all;
      } 
    
      location / {
      #include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      try_files    $uri $uri/ /index.php;
    
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    I am having an issue with a certificate that i try to install and it is from Godaddy:

    Code:
    SSL_CTX_use_PrivateKey_file("/usr/local/nginx/conf/ssl/domain.com/domain.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
    From godaddy i select Other on server type as Nginx is not an option (i try also Apache) and i got from them to download two files:

    Code:
    f947e7f8a05b0e7b.crt
    gd_bundle-g2-g1.crt
    On centminmod i add my domain with self signed certificate and i keep only the:
    Code:
    dhparam.pem
    Then i create the domain.com.key online here:

    Code:
    https://www.gogetssl.com/online-csr-generator/
    (I also try the one that was already auto generated by Centminmod....)

    So after reading the Centminmod instructions i did that:

    Code:
    cat f947e7f8a05b0e7b.crt gd_bundle-g2-g1.crt > ssl-unified.crt
    and then:

    Code:
    cat gd_bundle-g2-g1.crt > ssl-trusted.crt
    Then i go to the auto generated domain.com.ssl.conf and set the correct paths....

    Reading on the net the files modulus info must match:

    Code:
    openssl x509  -in f947e7f8a05b0e7b.crt -modulus
    openssl rsa  -in domain.com.key  -modulus
    But for me they doesn't match and i got that Nginx error :(

    Any help... ?

    Thanks
     
    Last edited: Apr 29, 2016
  2. pamamolf

    pamamolf Well-Known Member

    2,491
    229
    63
    May 31, 2014
    Ratings:
    +390
    Local Time:
    5:38 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    Just fixed it was an issue with an old .csr content provided to godaddy by the old server :)

    All done !
     
    Last edited: Apr 29, 2016
    • Like Like x 1