nginx
config_error
ai_generated
true
nginx: [emerg] SSL_CTX_use_PrivateKey("/etc/nginx/ssl/key.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
ID: nginx/ssl-certificate-key-mismatch
Fix rate: 95%
Confidence: 90%
Evidence count: 1
First seen: 2023-09-05
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| nginx 1.24.0 | active | — | — | — |
| nginx 1.22.1 | active | — | — | — |
| nginx 1.18.0 | active | — | — | — |
| nginx 1.20.2 | active | — | — | — |
Root cause analysis
The private key does not match the certificate's public key, often due to using a key from a different certificate or generating a new key without updating the certificate.
Official documentation
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate_key
Solutions
- Verify the key matches the certificate using: 'openssl x509 -noout -modulus -in /etc/nginx/ssl/cert.pem | openssl md5' and 'openssl rsa -noout -modulus -in /etc/nginx/ssl/key.pem | openssl md5'. If the hashes differ, generate a new CSR or use the correct key.
- Regenerate the certificate with the existing key: 'openssl req -new -x509 -days 365 -key /etc/nginx/ssl/key.pem -out /etc/nginx/ssl/cert.pem' to create a matching self-signed certificate.
- If using a CA-signed certificate, ensure the private key used for CSR submission is the same as the one in ssl_certificate_key; if lost, re-issue the certificate with a new key.
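The modulus comparison in the first solution applies only to RSA keys. The script below is an added example, not part of the original page: it goes beyond that case by comparing the whole public key, so it also covers EC keys. The function names cert_key_match, make_pair and demo are chosen here, and the test pairs are constructed throwaway self-signed certificates.

```sh
#!/bin/sh
# Added example, not from the original page.

# cert_key_match CERT KEY
#   exit status 0 = same key pair, 1 = mismatch, 2 = a file could not be parsed.
# Works for RSA and EC keys because it compares the whole public key.
# With a chain file, openssl x509 reads only the first certificate, which is
# where nginx expects the server certificate. An encrypted key makes openssl
# prompt for its passphrase.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ] || return 1
}

# make_pair DIR NAME ALG (hypothetical helper): writes a constructed throwaway
# key DIR/NAME.key and self-signed certificate DIR/NAME.crt. ALG is rsa or ec.
make_pair() {
    case $3 in
        rsa) openssl genrsa -out "$1/$2.key" 2048 2>/dev/null ;;
        ec)  openssl ecparam -genkey -name prime256v1 -noout \
                 -out "$1/$2.key" 2>/dev/null ;;
        *)   return 2 ;;
    esac || return 2
    openssl req -new -x509 -days 1 -subj "/CN=example.test" \
        -key "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# demo: build one RSA pair (a) and one EC pair (b), then check matching and
# crossed combinations and print the exit status of each check.
demo() {
    tmp=$(mktemp -d) || return 2
    make_pair "$tmp" a rsa && make_pair "$tmp" b ec || { rm -rf "$tmp"; return 2; }
    for pair in "a a" "b b" "a b"; do
        set -- $pair
        rc=0
        cert_key_match "$tmp/$1.crt" "$tmp/$2.key" || rc=$?
        echo "cert=$1.crt key=$2.key -> exit status $rc"
    done
    rm -rf "$tmp"
}

demo
```

On a real host, call cert_key_match with /etc/nginx/ssl/cert.pem and /etc/nginx/ssl/key.pem, then run 'nginx -t' before reloading.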
Ineffective attempts
Common but ineffective approaches:
- 80% failure: The error is about mismatch; both files must correspond to the same key pair.
- 90% failure: Password handling is about decryption, not validation of key-certificate pairing.
- 100% failure: The mismatch is a static file issue; restarting won't change file contents.