When nginx -t complained about a certificate/key mismatch this afternoon, I first assumed the problem was on our end, in our automated CSR/key generation or our certificate request process. I took a closer look at all three pieces to find the source of the error, using “The Most Common OpenSSL Commands”:
openssl rsa -in example.test.key -check
The info from the key check was pretty unhelpful, but it was a valid key. See the section below for how to better compare that.
openssl req -text -noout -verify -in example.test.csr
The CSR check was somewhat helpful as I was able to verify that the correct domain name and other request information was in place.
openssl x509 -in example.test.cer -text -noout
The certificate check was the most helpful, as I was able to diff its output against the output for a working certificate. This showed me that nothing was off: all data was formatted as expected, just different.
I turned to searching for the verbose error instead.
Via “SSL Library Error: 185073780 key values mismatch”, I used these commands to compare a certificate and private key to see if they were indeed not matching:
openssl x509 -noout -modulus -in example.test.cer | openssl md5
openssl rsa -noout -modulus -in example.test.key | openssl md5
Each of these generated an md5 hash that I was able to compare. In my case, the error reported by nginx -t was correct and the certificate generated by Comodo did not match my private key. I double-checked this by comparing a working certificate/key pair, which resulted in matching md5 hashes.
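To make the modulus comparison above repeatable, here is an added example script (my own, not part of the original post or of any tool it mentions). It wraps the two commands from the post in functions, and also compares the full public key (SHA-256 of the PEM public key extracted from each side), which works for EC keys as well, since those have no modulus to hash. It assumes the openssl CLI is on PATH; the file names example.test.cer, example.test.key and other.key are constructed here, generated as throwaway self-signed material in a temp directory so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a certificate and a
# private key belong together. Assumes the openssl CLI is available on PATH.
set -eu

# The post's method: hash the RSA modulus from each side and compare.
# Only meaningful for RSA; an EC key has no modulus.
cert_modulus_md5() { openssl x509 -noout -modulus -in "$1" | openssl md5 | awk '{print $NF}'; }
key_modulus_md5()  { openssl rsa  -noout -modulus -in "$1" 2>/dev/null | openssl md5 | awk '{print $NF}'; }

# Algorithm-agnostic method: extract the public key in PEM from both sides
# and hash that. Works for RSA and EC keys alike.
cert_pubkey_sha256() { openssl x509 -noout -pubkey -in "$1" | openssl sha256 | awk '{print $NF}'; }
key_pubkey_sha256()  { openssl pkey -pubout -in "$1" 2>/dev/null | openssl sha256 | awk '{print $NF}'; }

# Returns 0 when the certificate and key match, 1 otherwise.
pair_matches() {
    [ "$(cert_pubkey_sha256 "$1")" = "$(key_pubkey_sha256 "$2")" ]
}

# Constructed test material: one self-signed cert with its own key, plus a
# second, unrelated key standing in for the mismatch the post describes.
# Prints the temp directory holding the files.
make_demo_material() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$dir/example.test.key" -out "$dir/example.test.cer" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" 2>/dev/null
    echo "$dir"
}

demo() {
    dir=$(make_demo_material)
    cert="$dir/example.test.cer"
    for key in "$dir/example.test.key" "$dir/other.key"; do
        printf '%s\n  cert modulus md5: %s\n  key  modulus md5: %s\n' "$key" \
            "$(cert_modulus_md5 "$cert")" "$(key_modulus_md5 "$key")"
        if pair_matches "$cert" "$key"; then
            echo "  -> match"
        else
            echo "  -> MISMATCH (this is the pair nginx -t would reject)"
        fi
    done
    rm -rf "$dir"
}

demo
```

Running it prints the two md5 hashes for each key next to the certificate, followed by a match/mismatch verdict; the first key (the one the certificate was issued for) matches and the unrelated key does not. On a real incident, point cert and key at the files nginx is configured with and skip the demo.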
Bah. This is nice because it’s likely not our fault. This is not nice because now we have less control over fixing it. 😞
I do have a set of commands that may come in useful again. 😃