5

My server was hosted in Bluehost (Apache), the certificate was working fine. Now, I'm using Google Cloud for multiple pages in NodeJS on different port using proxy_pass. I am trying to configure the SSL but I have problems. I was looking for similar questions, but it still shows the same error. I created the key file following this link

/var/log/nginx/error.log:

2015/07/08 10:47:20 [emerg] 2950#0: SL_CTX_use_PrivateKey_file("/etc/nginx/ssl/domain_com/domain_com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

When I put on console:

openssl rsa -noout -modulus -in domain_com.key shows me this:

Modulus=D484DD1......512 characters in total......5A8F3DEF999005F

openssl x509 -noout -modulus -in ssl-bundle.crt:

Modulus=B1E3B0A.......512 characters in total......AFC79424BE139

This is my Nginx setup:

server {
    listen 443;
    server_name www.domain.com;

    ssl_certificate /etc/nginx/ssl/domain_com/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/domain_com/domain_com.key;

    ssl on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/domain_com.access.log;

    location / {
       proxy_set_header                         Host $host;
       proxy_set_header X-Real-IP               $remote_addr;
       proxy_set_header X-Forwarded-For         $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto       $scheme;
       proxy_pass                               http://localhost:8086;
       proxy_read_timeout                       90;
       proxy_redirect                           http://localhost:8086 https://www.domain.com;
    }
}

enter image description here

Improve this question

1 Answer 1

Reset to default
7
+100

The problem may occur in case of wrong concatenation order. You tried:

cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt  COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

Which looks correct, but concatenation usually require to eliminate extra download from root CA, therefore Nginx creator said:

Browsers usually store intermediate certificates which they receive and which are signed by trusted authorities, so actively used browsers may already have the required intermediate certificates and may not complain about a certificate sent without a chained bundle.

The official docs explicitly says:

If the server certificate and the bundle have been concatenated in the wrong order, nginx will fail to start and will display the error message:

SSL_CTX_use_PrivateKey_file(" ... /www.example.com.key") failed
   (SSL: error:0B080074:x509 certificate routines:
    X509_check_private_key:key values mismatch)

because nginx has tried to use the private key with the bundle’s first certificate instead of the server certificate.

So to solve the problem please try:

  1. Attach www_example_com.crt to ssl_certificate Nginx config key

  2. Download latest Comodo CA certificates SHA2 from official web page and try one more time to concatenate the bundle

Improve this answer
Sign up to request clarification or add additional context in comments.

13 Comments

@wZVanG sure, let's get it sorted today.
I appreciate your answer, What do you mean by "Attach"?. I am very new on Ubuntu and servers configuration, please verify the question's edit. Excuse my english
@wZVanG ssl_certificate /etc/nginx/ssl/dragonboundaimbot_com/www_example_com.crt;
Yes, I know, I knew you'd say about the path, but that are there.
@wZVanG either of last two in sslcerts directory
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.