Reputation: 37
I have just purchased an SSL certificate from Namecheap (PositiveSSL, single domain) and went through the steps at: https://sneeit.com/install-https-ssl-nginx/
I also tried just the website.crt; the key and the CSR were created at the same time and it matches my domain name on namecheap.org. I got the SSL certificate issued after the HTTP-based validation method, tried the above and the other, and it shows 2 errors:
First error, with just website.crt (not concatenated together): SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/website.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
Second error, after installing the concatenated bundle: PEM_read_bio_X509("/etc/nginx/ssl/concated.crt") failed (SSL: error:0908F066:PEM routines:get_header_and_data:bad end line)
My NGINX configuration is:
server {
    listen 80;
    listen [::]:80;
    server_name website.com;
    server_tokens off;
    return 301 https://website.com$request_uri;
}

server {
    listen 443;
    listen [::]:443;
    ssl on;
    ssl_certificate /etc/nginx/ssl/website.crt;
    ssl_certificate_key /etc/nginx/ssl/website.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    root /var/www/website/web;
    index index.php;
    server_name website.com;
    server_tokens off;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }
}
This is not my first rodeo; I have installed SSL from Namecheap many times and just used the .crt, not a concatenated one, but neither is working on nginx version 1.14.0.
Any help would be appreciated, as I'm stuck and googling doesn't help with those errors :(
thanks!
Hect0r
Upvotes: 1
Views: 1077
Reputation: 31
The first error, x509 certificate routines:X509_check_private_key:key values mismatch, explicitly tells you that the certificate you are trying to use does not match the private key. Make sure to use the private key file generated along with the CSR you used when passing the cert to the CA for activation. Check the cert and key modulus hashes using openssl:
    openssl x509 -in file.crt -noout -modulus | openssl sha1
    openssl rsa -in file.key -noout -modulus | openssl sha1
You should receive the same values if they match.
As for the second error, PEM routines:get_header_and_data:bad end line, it is most likely caused by broken formatting in the concatenated crt file. If you open the file, there should be a similar line somewhere in there: -----END CERTIFICATE----------BEGIN CERTIFICATE-----. Place the certificate beginning tag on the next line, this way:
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
This may seem like a rodeo to you, but the errors are quite self-explanatory. I recommend you check the file contents if you confirm that the key modulus does match the one for your cert.
Upvotes: 1
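As an added example (not part of the answer above, nor anything from nginx or OpenSSL), a small Python 3 script that detects the run-together END/BEGIN marker the answer describes, rewrites the bundle with each marker on its own line, and wraps the two openssl modulus commands into a match check. The bundle text is a constructed placeholder, not a real certificate; `keys_match` assumes an `openssl` binary on PATH.

```python
import re
import subprocess

# Constructed sample: a two-certificate bundle whose END/BEGIN markers were
# concatenated onto one line, which is what makes nginx fail with
# "PEM routines:get_header_and_data:bad end line". The bodies are placeholders.
BROKEN_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBleafCertPlaceholder\n"
    "-----END CERTIFICATE----------BEGIN CERTIFICATE-----\n"
    "MIIBintermediatePlaceholder\n"
    "-----END CERTIFICATE-----\n"
)

# Matches a PEM block even when its END marker runs straight into the next BEGIN.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.DOTALL)
B64_LINE = re.compile(r"[A-Za-z0-9+/=]+")


def split_pem_blocks(text: str) -> list:
    """Return (label, body) pairs, bodies re-wrapped at the 64 columns openssl emits."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        b64 = "".join(m.group(2).split())
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        blocks.append((m.group(1), body))
    return blocks


def find_bundle_problems(text: str) -> list:
    """Report the formatting faults that produce the 'bad end line' error."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.count("-----") >= 4:  # an END marker glued to a BEGIN marker
            problems.append(f"line {lineno}: END and BEGIN markers on one line")
        elif line and not line.startswith("-----") and not B64_LINE.fullmatch(line):
            problems.append(f"line {lineno}: non-base64 content inside a PEM block")
    return problems


def normalize_bundle(text: str) -> str:
    """Rebuild the bundle with every marker on its own line; block order is kept
    as found (nginx wants the server certificate first, then the chain)."""
    return "".join(f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
                   for label, body in split_pem_blocks(text))


def keys_match(cert_path: str, key_path: str) -> bool:
    """Same check as the two openssl commands above: compare RSA moduli directly."""
    def modulus(args):
        return subprocess.run(["openssl", *args, "-noout", "-modulus"],
                              capture_output=True, text=True, check=True).stdout.strip()
    return modulus(["x509", "-in", cert_path]) == modulus(["rsa", "-in", key_path])
```

Run `find_bundle_problems` on the concatenated file first; if it reports a glued marker line, write `normalize_bundle` output back and reload nginx, and only then fall back to `keys_match` for the first error.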
Reputation: 37
I think it was because in the openssl req -new command I specified a key size of 4096 instead of 2048, as it now works with 2048...
Upvotes: 0