Apache2 SSL Certificate/Key mismatch

Solution 1

$ openssl s_server -cert server.crt -key server.key
140518544565920:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
140518544565920:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:831:
140518544565920:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=n, Type=RSA
140518544565920:error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib:rsa_ameth.c:115:

Add -keyform. It can be DER or PEM. You'll have to look at server.key to determine the form.

If server.key has -----BEGIN RSA PRIVATE KEY----- (or similar), it's PEM. If it's not PEM encoded, then try DER.

Also, server.key might be encrypted. You might have to re-save the key without a passphrase.
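The checks described above, as an added script that is not part of the original answer: it classifies a key or certificate file as PEM or DER (the value to hand to -keyform / -inform), flags an encrypted PEM key, and verifies that a private key belongs to a certificate. It goes one step beyond the answer by comparing the SubjectPublicKeyInfo of both files instead of the RSA modulus, so the same check also works for EC keys. The sample key, certificate and passphrase ("secret") are generated on the fly in a temporary directory and are constructed for the demonstration; only the openssl command line tool is assumed.

```shell
#!/bin/sh
# Added example, not from the original answer: classify a key file as PEM or DER
# (what to pass to -keyform), detect an encrypted PEM key, and check that a key
# belongs to a certificate by comparing public keys rather than the RSA modulus,
# so the same check also covers EC keys. Only the openssl CLI is assumed.
set -eu

# Print PEM, PEM-ENCRYPTED or DER for the key or certificate file in $1.
keyform_of() {
    if grep -q -- '-----BEGIN' "$1"; then
        # Both "Proc-Type: 4,ENCRYPTED" (legacy) and "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8)
        if grep -q 'ENCRYPTED' "$1"; then echo PEM-ENCRYPTED; else echo PEM; fi
    else
        echo DER
    fi
}

# Map keyform_of output to the value openssl's -inform/-keyform expects.
inform_of() {
    case "$(keyform_of "$1")" in
        PEM*) echo PEM ;;
        *)    echo DER ;;
    esac
}

# Read a PEM public key on stdin, print the SHA-256 of its DER SubjectPublicKeyInfo.
spki_digest() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Public-key digest of private key file $1; $2 is the passphrase, if any.
# Returns non-zero when the file cannot be parsed or the passphrase is wrong.
key_pubkey_digest() {
    pub=$(openssl pkey -in "$1" -inform "$(inform_of "$1")" \
              -passin "pass:${2:-}" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | spki_digest
}

# Public-key digest of the certificate in $1 (PEM or DER).
cert_pubkey_digest() {
    pub=$(openssl x509 -in "$1" -inform "$(inform_of "$1")" -pubkey -noout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | spki_digest
}

# Exit 0 when private key $1 and certificate $2 carry the same public key.
# $3 is the key passphrase, if any.
key_matches_cert() {
    k=$(key_pubkey_digest "$1" "${3:-}") || return 1
    c=$(cert_pubkey_digest "$2") || return 1
    [ "$k" = "$c" ]
}

# Constructed sample material in a temp dir (path is printed): a PEM key, the same
# key as DER and as encrypted PKCS#8 PEM (passphrase "secret"), a matching
# self-signed wildcard cert, and an unrelated key that must NOT match.
make_demo_material() {
    d=$(mktemp -d)
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$d/server.key" -subj '/CN=*.example.test' \
        -days 1 -out "$d/server.crt" 2>/dev/null
    openssl pkey -in "$d/server.key" -outform DER -out "$d/server.der"
    openssl pkcs8 -topk8 -in "$d/server.key" -v2 aes-256-cbc \
        -passout pass:secret -out "$d/server.enc.key"
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    echo "$d"
}

dir=$(make_demo_material)
for k in server.key server.der server.enc.key other.key; do
    if key_matches_cert "$dir/$k" "$dir/server.crt" secret; then r=match; else r=MISMATCH; fi
    printf '%-15s keyform=%-13s %s\n' "$k" "$(keyform_of "$dir/$k")" "$r"
done
rm -rf "$dir"
```

Once keyform_of reports DER, the s_server invocation from the answer becomes `openssl s_server -cert server.crt -key server.key -keyform DER`; once it reports PEM-ENCRYPTED, either supply the passphrase with `-pass pass:...` or write an unencrypted copy with `openssl pkey -in server.key -out server.plain.key` and protect that file with filesystem permissions. A key file for which keyform_of says PEM but openssl still reports "wrong tag" is worth opening in a text editor: the PEM header may not describe the DER inside it.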

Solution 2

What does your virtual hosts file look like? Without seeing that file it's hard to tell why you are getting the warning. However, the warning is most likely coming from your virtual hosts file having a different server name than what the SSL cert has been set up for.
Check your virtual hosts file and change

<VirtualHost _default_:443>

to

<VirtualHost *:443>

or even

<VirtualHost yourservername:443>
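An added example of the virtual host this answer is pointing at; it is not the answer's own configuration, and the hostnames and paths are placeholders. The "wildcard CommonName (CN) ... does NOT match server name" line in the question is a warning that mod_ssl emits when it compares the certificate's CN with the vhost's ServerName (with no ServerName set, Apache falls back to the machine's hostname, which a wildcard for another domain will not match); the "key values mismatch" error on the following lines comes from a separate check (X509_check_private_key) and is not fixed by a ServerName change. Apache does not allow comments at the end of a directive line, so every comment below sits on its own line.

```apache
# Added example, not the answer's own config. Listening on every address is fine;
# what the certificate warning looks at is ServerName.
<VirtualHost *:443>
    # Must be covered by the certificate CN/SAN, e.g. a CN of *.example.nl
    ServerName  www.example.nl
    ServerAlias example.nl

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # Private CA: ship the issuing CA certificate so clients can build the chain.
    # Apache 2.2 and 2.4 before 2.4.8 use this directive; from 2.4.8 on, append
    # the CA certificate to the file named in SSLCertificateFile instead.
    SSLCertificateChainFile /etc/ssl/certs/my-ca.crt
</VirtualHost>
```

After editing, run `apache2ctl configtest` (or `apachectl configtest`) and then look at the SSL error log again: if the wildcard warning is gone but "Unable to configure RSA server private key" remains, the key file itself is the problem and the OpenSSL checks from Solution 1 apply.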
Author: Bas Goossen

Updated on July 09, 2022

Comments

  • Bas Goossen, almost 2 years ago:

    I'm trying to set up Apache to use a private key and certificate for SSL usage. The problem is that Apache somehow thinks that the key and the crt files do not match:

    [Thu Aug 01 11:35:18 2013] [warn] RSA server certificate wildcard CommonName (CN) `*.-----.nl' does NOT match server name!?
    [Thu Aug 01 11:35:18 2013] [debug] ssl_engine_init.c(846): Configuring RSA server private key
    [Thu Aug 01 11:35:18 2013] [error] Unable to configure RSA server private key
    [Thu Aug 01 11:35:18 2013] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    

    After this error I checked whether or not the key and the certificate matched using:

    $ openssl x509 -noout -modulus -in server.crt | openssl md5
    $ openssl rsa -noout -modulus -in server.key | openssl md5
    

    And the results are both the same, so it seems that the key and the certificate do match!? My site configuration contains the following for SSL set-up:

        SSLCertificateFile    /etc/ssl/certs/server.crt
        SSLCertificateKeyFile /etc/ssl/private/server.key
    

    The certificate is signed by a self-created CA that I use for my customers. At this moment I'm hosting the HTTPS site through Java (and Chrome/Firefox/IE/Safari/... all accept the certificate and key), however the performance is not as I'd like it to be, hence I'm willing to switch to Apache. However I don't understand why Apache says the certificate and the key do not match? I've googled a lot for this error and found a lot of results, however none represent my situation nor provide a valid solution for my problem. The reason I use my own CA is that I have a few hundred (and counting) certificates in use for a trust-based network.

    Edit: The issue seems OpenSSL-related; I tested the following with the same final error:

    ..............:~$ openssl s_server -cert server.crt -key server.key
    140518544565920:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
    140518544565920:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:831:
    140518544565920:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=n, Type=RSA
    140518544565920:error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib:rsa_ameth.c:115:
    Using default temp DH parameters
    Using default temp ECDH parameters
    error setting private key
    140518544565920:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:331:
    

    Can anybody point me in the right direction for what i'm doing wrong?

    I re-transcoded the JKS used directly by the webserver (accepted by all browsers) to a PEM certificate and private key, but I still get the same error from openssl:

    openssl s_server -debug -cert server.crt -key server.key
    Using default temp DH parameters
    Using default temp ECDH parameters
    error setting private key
    140157841004192:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:331:
    

    How is it possible that all browsers accept the key/cert combination and openssl refuses to use them together?