# nginx: [emerg] SSL_CTX_use_PrivateKey("/etc/nginx/ssl/key.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

- **ID:** `nginx/ssl-certificate-key-mismatch`
- **Domain:** nginx
- **Category:** config_error
- **Verification level:** ai_generated
- **Fix rate:** 95%

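## Root cause

The private key does not match the public key in the certificate, usually because a key from a different certificate is in use, or because a new key was generated without updating the certificate.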

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| nginx 1.24.0 | active | — | — |
| nginx 1.22.1 | active | — | — |
| nginx 1.18.0 | active | — | — |
| nginx 1.20.2 | active | — | — |

## Solutions

1. Verify that the key matches the certificate by comparing the output of these two commands:
   ```
   openssl x509 -noout -modulus -in /etc/nginx/ssl/cert.pem | openssl md5
   openssl rsa -noout -modulus -in /etc/nginx/ssl/key.pem | openssl md5
   ```
   If the hashes differ, generate a new CSR or use the correct key.
2. Regenerate the certificate with the existing key to create a matching self-signed certificate:
   ```
   openssl req -new -x509 -days 365 -key /etc/nginx/ssl/key.pem -out /etc/nginx/ssl/cert.pem
   ```
3. If using a CA-signed certificate, ensure the private key used for CSR submission is the same as the one referenced by `ssl_certificate_key`; if it is lost, re-issue the certificate with a new key.
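
The modulus comparison in step 1 applies to RSA keys only. As an added example (not part of the original page), the following POSIX shell function generalizes the check to any key type `openssl pkey` can read, including ECDSA, by comparing the public key embedded in the certificate with the one derived from the private key. The function name `cert_key_match` and its exit codes are choices made for this example.

```sh
#!/bin/sh
# Added example (not from the original page): decide whether a private key
# belongs to a certificate by comparing the public keys directly.
# The function name and exit codes are this example's own choices.

# cert_key_match CERT KEY
#   returns 0 = key matches, 1 = mismatch, 2 = a file could not be parsed
cert_key_match() {
    # Public key embedded in the certificate. For a bundle, openssl reads only
    # the first certificate, which must be the server (leaf) certificate.
    _cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse certificate: $1" >&2
        return 2
    }
    # Public key derived from the private key (any algorithm pkey supports).
    _key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || {
        echo "cannot parse private key: $2" >&2
        return 2
    }
    # Guard against two empty strings comparing equal.
    [ -n "$_cert_pub" ] && [ "$_cert_pub" = "$_key_pub" ]
}

# Stand-alone use: ./check.sh /etc/nginx/ssl/cert.pem /etc/nginx/ssl/key.pem
if [ "$#" -eq 2 ]; then
    cert_key_match "$1" "$2"
    case $? in
        0) echo "OK: key matches certificate" ;;
        1) echo "MISMATCH: nginx will refuse to load this pair" ;;
        *) echo "ERROR: could not read one of the files" ;;
    esac
fi
```

Running the check before `nginx -t` or a reload, for example in a certificate deployment script, catches a mismatched pair before nginx refuses to start.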

## Ineffective attempts

- The error is about a mismatch; both files must correspond to the same key pair. (80% failure rate)
- Password handling is about decryption, not validation of the key-certificate pairing. (90% failure rate)
- The mismatch is a static file issue; restarting won't change file contents. (100% failure rate)
