
With multiple domains, key mismatch for snakeoil cert #923

Closed
jsha opened this issue Oct 8, 2015 · 13 comments

Comments

@jsha
Contributor

jsha commented Oct 8, 2015

letsencrypt --server http://localhost:4000/directory --no-verify-ssl --dvsni-port 5001 --simple-http-port 5001 --text --agree-eula --agree-tos --email "" --authenticator nginx -d yo.wtf -d foo.wtf auth

...
2015-10-07 22:20:07,914:ERROR:letsencrypt_nginx.configurator:Nginx Restart Failed!
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/var/lib/letsencrypt/snakeoil/0037_key.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

This doesn't happen with a single domain. Poking around, it looks like multiple snakeoil keys are created but only one cert, which is probably the reason for the mismatch.

@blinry

blinry commented Dec 3, 2015

I'm also getting this error. I invoked the client simply with "letsencrypt", having the nginx plugin installed, and selected multiple domains. Then I get this error:

2015-12-03 23:25:45,174:ERROR:letsencrypt_nginx.configurator:Nginx Restart Failed!

2015/12/03 23:25:45 [emerg] 25958#0: SSL_CTX_use_PrivateKey_file("/var/lib/letsencrypt/snakeoil/0016_key.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

And after that:

Correct zName not found for TLS SNI challenge.

For a single domain, it also works for me.

@fauno

fauno commented Dec 4, 2015

I've seen this issue on an Ubuntu server with openssl 1.0.1f, but moving the cert and key to a Parabola server with openssl 1.0.2d worked correctly.

@fauno

fauno commented Dec 4, 2015

But I got the same error on Ubuntu wily with openssl 1.0.2d.

@blinry

blinry commented Dec 4, 2015

I'm using Arch Linux, and have tried openssl 1.0.2d and 1.0.2e.

@fauno

fauno commented Dec 5, 2015

Well, it may be a nginx error, since the same cert loaded and worked fine with dovecot, postfix and prosody.

@fauno

fauno commented Dec 13, 2015

Fails in Debian jessie with libssl 1.0.1k and both nginx 1.6 from Debian and nginx 1.8 from Phusion Passenger...

@fauno

fauno commented Dec 13, 2015

@jsha These are not the snakeoil certs; could you edit the title?

@jsha
Contributor Author

jsha commented Dec 14, 2015

@fauno: Could you explain more? You mean the problem is using a snakeoil key with a non-snakeoil cert?

@fauno

fauno commented Dec 14, 2015

Jacob Hoffman-Andrews notifications@github.com writes:

> @fauno: Could you explain more? You mean the problem is using a
> snakeoil key with a non-snakeoil cert?

You reported the issue for the snakeoil certs, but I'm having the same error with the production certs.

Have you solved it?

:>

@jsha
Contributor Author

jsha commented Dec 14, 2015

Ah, now I get it. The issue is not regarding the staging certs ("happy hacker fake CA"), but regarding the self-signed (snakeoil) certs that the letsencrypt client creates locally to solve the TLS-SNI challenge.

@fauno

fauno commented Dec 14, 2015

The error I see is with the live certs:

nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/letsencrypt/live/domain.com/privkey.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

http://librevpn.org.ar

@jsha
Contributor Author

jsha commented Dec 14, 2015

That's a different problem, probably related to the configuration of your Nginx. Please post about it on https://community.letsencrypt.org/, including the relevant sections of your Nginx configuration.
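Both reports in this thread end in the same OpenSSL check failing: nginx calls SSL_CTX_use_PrivateKey_file, which compares the public key inside the loaded certificate with the public half of the private key (X509_check_private_key) and refuses the pair on a mismatch. The program below is an added example, not code from the letsencrypt client or from nginx, that performs that same comparison in Go and reproduces the symptom jsha described in the opening report (several snakeoil keys generated, one certificate issued), so it also serves as the check fauno could run against /etc/letsencrypt/live/domain.com/ before touching the nginx configuration. The two-keys-one-cert scenario, the function names and the use of yo.wtf as the subject are assumptions made for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// keyPEM serialises an RSA key as a PKCS#1 "RSA PRIVATE KEY" block, the
// format of the NNNN_key.pem files named in the error message.
func keyPEM(key *rsa.PrivateKey) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
}

// selfSignedCert issues a throwaway self-signed certificate for name with key,
// the kind of artefact the client writes under snakeoil/ for the challenge.
func selfSignedCert(name string, key *rsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// KeyMatchesCert is the check behind OpenSSL's X509_check_private_key: the public
// key in the certificate must equal the public half of the private key.
// A mismatch is reported as (false, nil); unparseable input is an error.
func KeyMatchesCert(certPEM, privPEM []byte) (bool, error) {
	cb, _ := pem.Decode(certPEM)
	if cb == nil || cb.Type != "CERTIFICATE" {
		return false, errors.New("no CERTIFICATE block in cert file")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return false, err
	}
	kb, _ := pem.Decode(privPEM)
	if kb == nil {
		return false, errors.New("no PEM block in key file")
	}
	key, err := x509.ParsePKCS1PrivateKey(kb.Bytes) // PKCS#8 keys would need ParsePKCS8PrivateKey
	if err != nil {
		return false, err
	}
	certPub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return false, errors.New("certificate does not carry an RSA public key")
	}
	return certPub.Equal(&key.PublicKey), nil
}

// Scenario models the reported symptom (an assumption, not the client's code):
// two snakeoil keys are generated, one per -d domain, but a single certificate
// is issued, for the first key only. It returns whether each key matches that
// certificate and the error raised when the stray key is loaded with it.
func Scenario() (issuing, stray bool, loadErr error, err error) {
	var keys [2]*rsa.PrivateKey
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return
		}
	}
	certPEM, err := selfSignedCert("yo.wtf", keys[0])
	if err != nil {
		return
	}
	if issuing, err = KeyMatchesCert(certPEM, keyPEM(keys[0])); err != nil {
		return
	}
	if stray, err = KeyMatchesCert(certPEM, keyPEM(keys[1])); err != nil {
		return
	}
	_, loadErr = tls.X509KeyPair(certPEM, keyPEM(keys[1])) // the TLS stack's own pairing check
	return
}

func main() {
	issuing, stray, loadErr, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("issuing key matches cert: %v\nstray key matches cert: %v\nload with stray key: %v\n", issuing, stray, loadErr)
}
```

On a real server the same comparison can be made with the OpenSSL command line: `openssl x509 -noout -pubkey -in cert.pem` prints the certificate's public key and `openssl pkey -pubout -in key.pem` prints the key's public half; if the two outputs differ, nginx will fail exactly as in the log lines above, regardless of the rest of its configuration.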
