Nginx SSL: error:0B080074:x509 certificate routines: X509_check_private_key:key values mismatch
There are two reasons you may have received this error, and therefore two corresponding fixes.
- Private key mismatch: During the CSR generation using OpenSSL, the key and CSR could have been generated in different directories. In order to find the needed key, run the following command:
find / -name “*.key”
Once the keys are found, run the following pair of commands:
openssl x509 -in /path/to/yourdomain.crt -noout -modulus | openssl sha1
openssl rsa -in /path/to/your.key -noout -modulus | openssl sha1
/path/to/yourdomain.crt should be replaced with the path to your certificate, and /path/to/your.key replaced with paths to the .key files located with “find” command.
If the modulus of the certificate is equal to one of the key moduli, then that key matches the certificate, so nginx configs can be modified accordingly.
The key and the certificate can be matched here.
If none of the outputs match the certificate’s, you should generate a new CSR and private key and reissue.
- Improper order of concatenation of the certificates.
This order is essential and should be as follows: end-entity certificate (your_domain.crt) -> first intermediate -> second intermediate -> root.
The certificate can be also downloaded from the Namecheap Dashboard with full bundle concatenated in one file (yourdomain.ca-bundle) so the command for nginx should appear like this:
cat your_domain.crtyour_domain.ca-bundle >> nginx_bundle.crt
If the bundle is sent in separate files, download it here and use it in the above command instead of your_domainca-bundle.
For example, Comodo (now Sectigo) PositiveSSL has the following files in the bundle: COMODO RSA Domain Validation Secure Server CA -> COMODO RSA Certification Authority-> AddTrust External CA Root (ECDSA analogues are COMODO ECC Domain Validation Secure Server CA -> COMODO ECC Certification Authority).
In this case, the command will appear as follows:
cat your_domain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSACertificationAuthority.crt AddTrustExternalCARoot.crt >> nginx_bundle.crt
Next, correct your virtual host for 443 port in server global configuration file:
Once above changes are made, restart nginx instance with “nginx -s reload” command.
The certificate installation can be checked here.