# nginx: [emerg] SSL_CTX_use_PrivateKey("/etc/nginx/ssl/key.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

- **ID:** `nginx/ssl-certificate-key-mismatch`
- **Domain:** nginx
- **Category:** config_error
- **Verification:** ai_generated
- **Fix Rate:** 95%

## Root Cause

The private key does not match the certificate's public key, often due to using a key from a different certificate or generating a new key without updating the certificate.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| nginx 1.24.0 | active | — | — |
| nginx 1.22.1 | active | — | — |
| nginx 1.18.0 | active | — | — |
| nginx 1.20.2 | active | — | — |

## Workarounds

1. **Verify that the key matches the certificate.** Compare the modulus hash of the certificate with that of the key. If the hashes differ, generate a new CSR or use the correct key. (95% success)
   ```
   openssl x509 -noout -modulus -in /etc/nginx/ssl/cert.pem | openssl md5
   openssl rsa -noout -modulus -in /etc/nginx/ssl/key.pem | openssl md5
   ```
2. **Regenerate the certificate with the existing key.** The command below creates a matching certificate from the key already in place; because of `-x509` the result is self-signed. (90% success)
   ```
   openssl req -new -x509 -days 365 -key /etc/nginx/ssl/key.pem -out /etc/nginx/ssl/cert.pem
   ```
3. **If using a CA-signed certificate, ensure the private key used for CSR submission is the same as the one in `ssl_certificate_key`.** If that key is lost, re-issue the certificate with a new key. (95% success)
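
The modulus comparison in workaround 1 only applies to RSA keys. The following added example (not part of the original entry) compares the full public key instead, so it also covers ECDSA keys; the function name `cert_key_match` and its exit codes are this example's own choices.

```sh
#!/bin/sh
# Added example: check that a private key belongs to a certificate by
# comparing public keys. Unlike the modulus check, this works for RSA and EC.
# cert_key_match and its exit codes are this example's own names.

# Exit status: 0 = match, 1 = mismatch, 2 = a file could not be parsed.
cert_key_match() {
    cert=$1
    key=$2

    # Public key embedded in the certificate (PEM SubjectPublicKeyInfo).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    # Public key derived from the private key, in the same encoding.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""

    if [ -z "$cert_pub" ]; then
        echo "cannot parse certificate: $cert" >&2
        return 2
    fi
    if [ -z "$key_pub" ]; then
        echo "cannot parse private key: $key" >&2
        return 2
    fi

    [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh check.sh /etc/nginx/ssl/cert.pem /etc/nginx/ssl/key.pem
if [ "$#" -eq 2 ]; then
    if cert_key_match "$1" "$2"; then
        echo "OK: key matches certificate"
    else
        status=$?
        [ "$status" -eq 1 ] && echo "MISMATCH: key does not belong to certificate" >&2
        exit "$status"
    fi
fi
```

After replacing either file, `nginx -t` validates the configuration, including the key pair, before a reload.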

## Dead Ends

- **** — The error is about mismatch; both files must correspond to the same key pair. (80% fail)
- **** — Password handling is about decryption, not validation of key-certificate pairing. (90% fail)
- **** — The mismatch is a static file issue; restarting won't change file contents. (100% fail)
