TheWebbe

Reputation: 43

Bundled SSL Certificate Public Key does not match Private Key Public Key

I am trying to install a new SSL certificate into Traefik. My certificate is signed by a third party (Setigo), and was provided to me with the chain:

-----BEGIN CERTIFICATE-----
[[SNIP - Root CA]]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[[SNIP - Intermediate CA]]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[[SNIP - Intermediate CA]]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[[SNIP - MyServer Cert]]
-----END CERTIFICATE-----

The last certificate in the chain matches the individual certificate. When I pass that certificate and corresponding key to Traefik, I get the following error:

failed to load X509 key pair: tls: private key does not match public key

Researching online, I have found these commands to verify the public key modulus for the cert and private key:

openssl rsa -modulus -noout -in myserver.key | openssl md5

openssl x509 -modulus -noout -in myserver.crt | openssl md5

When I run this against the chained cert the results do not match. When I run it against the individual cert it matches.

I can not use the individual cert, as it is not signed by a trusted root, so I get the following error when using OpenSSL s_client:

openssl s_client -connect myserver:443 -showcerts
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate

I'm wracking my brain here, what am I missing???

Upvotes: 4

Views: 10536

Answers (1)

Shane Powell

Reputation: 14148

Your chain is wrong. You need to reverse it and drop the root CA certificate.

The server is thinking the root CA is the main certificate and it's trying to load the private key against the root CA certificate, which is why you are seeing the message.

Also, there is no need for the root CA, as this should always be in the client's CA list, so you are sending the CA certificate to the client and the client will just ignore it.

i.e.

-----BEGIN CERTIFICATE-----
[[SNIP - MyServer Cert]]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[[SNIP - Intermediate CA]]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[[SNIP - Intermediate CA]]
-----END CERTIFICATE-----

Upvotes: 5
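The same diagnosis and fix in code, as an added Go example that is not from the question, the answer or Traefik. It builds a constructed root-first bundle like the one in the question, shows that Go's crypto/tls (which Traefik uses) rejects it with exactly the error above, then rebuilds the bundle leaf-first by walking issuer links and dropping the self-signed root. FixChain, DemoBundle and certPEM are my own names, and the certificates and key are generated inside the block.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// FixChain rebuilds a PEM bundle in the order crypto/tls (and so Traefik) expects: the certificate
// the key belongs to first (found with Traefik's own check), then each issuer up to, but not including, the root.
func FixChain(bundle, keyPEM []byte) (out []byte, err error) {
	var certs []*x509.Certificate
	for b, more := pem.Decode(bundle); b != nil; b, more = pem.Decode(more) {
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil { return nil, err }
		certs = append(certs, c)
	}
	isNext := func(c *x509.Certificate) bool { _, err := tls.X509KeyPair(certPEM(c), keyPEM); return err == nil }
	for i := 0; i < len(certs); i++ {
		if c := certs[i]; isNext(c) && c.CheckSignatureFrom(c) != nil { // never emit a self-signed root
			out = append(out, certPEM(c)...)
			isNext = func(n *x509.Certificate) bool { return c.CheckSignatureFrom(n) == nil } // n issued c
			certs, i = append(certs[:i], certs[i+1:]...), -1 // drop c, rescan for the next link
		}
	}
	if out == nil {
		return nil, errors.New("no certificate in the bundle matches the private key")
	}
	return out, nil
}

func certPEM(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) }

// DemoBundle is constructed test data: a self-signed root CA and a server certificate it signs, root-first as in the question.
func DemoBundle() (bundle, keyPEM []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	srvPub, srvKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	srv := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: ca.NotBefore, NotAfter: ca.NotAfter}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	srvDER, _ := x509.CreateCertificate(rand.Reader, srv, ca, srvPub, caKey)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(srvKey)
	bundle = append(certPEM(&x509.Certificate{Raw: caDER}), certPEM(&x509.Certificate{Raw: srvDER})...)
	return bundle, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
}
```

tls.X509KeyPair(DemoBundle()) fails with "tls: private key does not match public key", while the output of FixChain loads cleanly and contains only the server certificate.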
