nginx
config_error
ai_generated
true
nginx: [emerg] SSL_CTX_use_PrivateKey("/etc/nginx/ssl/key.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
ID: nginx/ssl-certificate-key-mismatch
95%Fix Rate
90%Confidence
1Evidence
2023-09-05First Seen
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| nginx 1.24.0 | active | — | — | — |
| nginx 1.22.1 | active | — | — | — |
| nginx 1.18.0 | active | — | — | — |
| nginx 1.20.2 | active | — | — | — |
Root Cause
The private key does not match the certificate's public key, often due to using a key from a different certificate or generating a new key without updating the certificate.
generic中文
私钥与证书的公钥不匹配,通常是由于使用了来自不同证书的密钥或生成了新密钥但未更新证书。
Official Documentation
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate_keyWorkarounds
-
95% success Verify the key matches the certificate using: 'openssl x509 -noout -modulus -in /etc/nginx/ssl/cert.pem | openssl md5' and 'openssl rsa -noout -modulus -in /etc/nginx/ssl/key.pem | openssl md5'. If the hashes differ, generate a new CSR or use the correct key.
Verify the key matches the certificate using: 'openssl x509 -noout -modulus -in /etc/nginx/ssl/cert.pem | openssl md5' and 'openssl rsa -noout -modulus -in /etc/nginx/ssl/key.pem | openssl md5'. If the hashes differ, generate a new CSR or use the correct key.
-
90% success Regenerate the certificate with the existing key: 'openssl req -new -x509 -days 365 -key /etc/nginx/ssl/key.pem -out /etc/nginx/ssl/cert.pem' to create a matching certificate.
Regenerate the certificate with the existing key: 'openssl req -new -x509 -days 365 -key /etc/nginx/ssl/key.pem -out /etc/nginx/ssl/cert.pem' to create a matching certificate.
-
95% success If using a CA-signed certificate, ensure the private key used for CSR submission is the same as the one in ssl_certificate_key; if lost, re-issue the certificate with a new key.
If using a CA-signed certificate, ensure the private key used for CSR submission is the same as the one in ssl_certificate_key; if lost, re-issue the certificate with a new key.
中文步骤
Verify the key matches the certificate using: 'openssl x509 -noout -modulus -in /etc/nginx/ssl/cert.pem | openssl md5' and 'openssl rsa -noout -modulus -in /etc/nginx/ssl/key.pem | openssl md5'. If the hashes differ, generate a new CSR or use the correct key.
Regenerate the certificate with the existing key: 'openssl req -new -x509 -days 365 -key /etc/nginx/ssl/key.pem -out /etc/nginx/ssl/cert.pem' to create a matching certificate.
If using a CA-signed certificate, ensure the private key used for CSR submission is the same as the one in ssl_certificate_key; if lost, re-issue the certificate with a new key.
Dead Ends
Common approaches that don't work:
-
80% fail
The error is about mismatch; both files must correspond to the same key pair.
-
90% fail
Password handling is about decryption, not validation of key-certificate pairing.
-
100% fail
The mismatch is a static file issue; restarting won't change file contents.