{
  "id": "nginx/ssl-certificate-key-mismatch",
  "signature": "nginx: [emerg] SSL_CTX_use_PrivateKey(\"/etc/nginx/ssl/key.pem\") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)",
  "signature_zh": "nginx: [emerg] SSL_CTX_use_PrivateKey(\"/etc/nginx/ssl/key.pem\") 失败 (SSL: error:0B080074:x509证书例程:X509_check_private_key:密钥值不匹配)",
  "regex": "SSL_CTX_use_PrivateKey.*failed \\(SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch\\)",
  "domain": "nginx",
  "category": "config_error",
  "subcategory": null,
  "root_cause": "The private key does not match the certificate's public key, often due to using a key from a different certificate or generating a new key without updating the certificate.",
  "root_cause_type": "generic",
  "root_cause_zh": "私钥与证书的公钥不匹配，通常是由于使用了来自不同证书的密钥或生成了新密钥但未更新证书。",
  "versions": [
    {
      "version": "nginx 1.24.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "nginx 1.22.1",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "nginx 1.18.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "nginx 1.20.2",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "The error is about mismatch; both files must correspond to the same key pair.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Password handling is about decryption, not validation of key-certificate pairing.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "The mismatch is a static file issue; restarting won't change file contents.",
      "fail_rate": 1.0,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Verify the key matches the certificate using: 'openssl x509 -noout -modulus -in /etc/nginx/ssl/cert.pem | openssl md5' and 'openssl rsa -noout -modulus -in /etc/nginx/ssl/key.pem | openssl md5'. If the hashes differ, generate a new CSR or use the correct key.",
      "success_rate": 0.95,
      "how": "Verify the key matches the certificate using: 'openssl x509 -noout -modulus -in /etc/nginx/ssl/cert.pem | openssl md5' and 'openssl rsa -noout -modulus -in /etc/nginx/ssl/key.pem | openssl md5'. If the hashes differ, generate a new CSR or use the correct key.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Regenerate the certificate with the existing key: 'openssl req -new -x509 -days 365 -key /etc/nginx/ssl/key.pem -out /etc/nginx/ssl/cert.pem' to create a matching certificate.",
      "success_rate": 0.9,
      "how": "Regenerate the certificate with the existing key: 'openssl req -new -x509 -days 365 -key /etc/nginx/ssl/key.pem -out /etc/nginx/ssl/cert.pem' to create a matching certificate.",
      "condition": "",
      "sources": []
    },
    {
      "action": "If using a CA-signed certificate, ensure the private key used for CSR submission is the same as the one in ssl_certificate_key; if lost, re-issue the certificate with a new key.",
      "success_rate": 0.95,
      "how": "If using a CA-signed certificate, ensure the private key used for CSR submission is the same as the one in ssl_certificate_key; if lost, re-issue the certificate with a new key.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Verify the key matches the certificate using: 'openssl x509 -noout -modulus -in /etc/nginx/ssl/cert.pem | openssl md5' and 'openssl rsa -noout -modulus -in /etc/nginx/ssl/key.pem | openssl md5'. If the hashes differ, generate a new CSR or use the correct key.",
    "Regenerate the certificate with the existing key: 'openssl req -new -x509 -days 365 -key /etc/nginx/ssl/key.pem -out /etc/nginx/ssl/cert.pem' to create a matching certificate.",
    "If using a CA-signed certificate, ensure the private key used for CSR submission is the same as the one in ssl_certificate_key; if lost, re-issue the certificate with a new key."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate_key",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.9,
  "fix_success_rate": 0.95,
  "resolvable": "true",
  "first_seen": "2023-09-05",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}