Error to add ssl for my website


(Vu Hoang) #1

Hi guys,

I got this error message when I tried to add SSL for my website:

nginx: [emerg] SSL_CTX_use_PrivateKey_file("/shared/ssl/ssl.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

So, please help me to fix this issue.
Many thanks, guys!


Advanced Setup Only: Allowing SSL / HTTPS for your Discourse Docker setup
(Jay Pfaffman) #2

How did you get to add it?

The easiest way is to run discourse-setup again and let Discourse configure Let's Encrypt.


(Andrew Schleifer) #3

That error means that the key file does not match the certificate nginx is using.

Running these commands should output the same hex numbers:

  • openssl rsa -noout -modulus -in ssl.key | openssl md5
  • openssl x509 -noout -modulus -in ssl.crt | openssl md5

(Replace ssl.key and ssl.crt with the path to the key and certificate file.) You will probably not get a match.

My guess would be that the certificate file is a bundle and has the server and CA keys in the wrong order for nginx.

I.e., your certificate file has:

-----BEGIN CERTIFICATE-----
MIICC-second-chain-certificate-second-chain-certificate-
second-chain-certificate-second-chain-certificate-second-
chain-certificate-second-chain-certificate-second-chain-
etc-
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICC-first-chain-certificate-first-chain-certificate-
first-chain-certificate-first-chain-certificate-first-chain-
certificate-first-chain-certificate-first-chain-certificate-
etc-
-----END CERTIFICATE-----

Nginx needs to see the first certificate in the chain (your site certificate) before the second one. Editing the file to swap the order should fix it.


(Vu Hoang) #4

Thanks for your answer @schleifer,
after running the command I got this message:

openssl x509 -noout -modulus -in /var/discourse/shared/standalone/ssl/ssl.crt | openssl md5
(stdin)= 6d24790c68cc06776427516cc4cacbe2

Opening the ssl.crt file, I saw 4 certificate sections like in this image:

So, any idea for my issue? Could you please help me a bit?
Thank you!


(Andrew Schleifer) #5

If you copy one BEGIN/END section into a new file and run openssl x509 -text -in $FILE it will output a human-readable representation that looks something like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ee:de:a8:bc:c1:f5:21:98:e4:c4:d4:5b:f9:ef:3a:50:22:5e:62:92
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Andrew Schleifer, C=XX, O=andrewschleifer.name/emailAddress=me@andrewschleifer.name
        Validity
            Not Before: Dec 27 17:36:49 2017 GMT
            Not After : Dec 26 17:36:49 2022 GMT
        Subject: C=XX, CN=example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f1:4c:e4:02:e7:0d:cc:77:22:2c:8e:51:34:f5:
                    f3:57:e4:d1:89:b2:0e:b3:c8:80:8d:4b:7e:5b:0f:
                    90:a3:71:80:d7:c6:e8:50:62:97:e7:a2:d1:6c:86:
                    ef:16:5e:60:f4:2c:b2:6c:87:84:dd:46:7b:9a:d1:
                    00:d1:a4:aa:e1:04:b6:2d:23:e5:b8:49:ff:18:38:
                    fb:f2:61:1c:3b:15:6d:c5:96:83:b9:0d:17:91:41:
                    17:6f:09:af:3d:f1:be:ba:75:e9:ad:36:29:02:67:
                    46:88:ee:21:5b:11:18:b5:10:93:09:94:64:f1:72:
                    22:51:5b:d6:5d:a3:ac:59:e1:79:77:02:6f:95:3a:
                    30:74:7b:48:e8:0e:c1:8b:a6:57:e8:70:7a:35:9d:
                    82:81:a4:05:6b:1f:cd:99:4f:df:e4:22:28:e3:a2:
                    b0:89:18:09:4f:67:e5:1f:14:65:b1:e7:75:fc:2f:
                    35:92:73:71:29:0c:f8:ed:02:da:64:4e:78:41:83:
                    cc:5f:a4:ff:09:de:78:42:15:42:e5:f1:c4:bb:7f:
                    70:d5:47:b2:fa:cf:df:c4:f0:6a:af:b0:d5:6f:96:
                    06:e9:a0:45:52:26:88:82:6d:4f:c6:f8:cf:91:9e:
                    83:ad:b0:bb:de:56:fd:7c:e5:39:5c:9a:b0:48:ec:
                    53:3b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:example.com, DNS:www.example.com
    Signature Algorithm: sha256WithRSAEncryption
         c0:ef:da:de:42:1b:81:98:1c:6f:f8:7a:dd:c3:71:3e:cd:7e:
         a5:b8:58:c8:d6:42:58:2d:f5:bd:bb:4a:75:f4:46:24:ed:30:
         42:02:b2:cc:c4:66:35:e7:3c:ff:48:15:9d:a5:55:a9:d1:a1:
         67:1f:cf:c0:5b:3c:d8:ea:f4:1a:90:30:58:7a:57:14:93:a5:
         bf:8f:7d:43:8b:07:27:31:62:cf:5f:4d:21:00:e8:47:2b:ba:
         91:2a:2b:ca:a1:3d:b5:f9:b4:8e:b4:b8:59:82:ff:15:6d:fe:
         65:57:b7:a2:da:2d:84:a9:44:3b:2b:60:7a:46:d9:1c:38:97:
         a9:7e:ef:84:fd:9d:2d:91:29:2d:13:e4:6d:e9:73:d1:a3:fa:
         bd:02:7e:b5:01:22:8f:88:4f:e2:1c:8d:16:e4:6b:53:b2:02:
         a2:8d:47:e0:e1:fc:99:80:91:0d:11:1e:e9:8a:2d:d4:f3:a1:
         f8:9e:45:e1:8a:99:a3:3f:9f:7e:f7:8a:0e:c1:72:8e:e6:f2:
         7a:16:90:06:cb:6a:76:90:fe:3c:be:e0:21:cb:43:8e:b8:08:
         47:eb:68:4b:8f:fe:84:de:bc:0a:f9:11:a4:5f:4a:a2:05:a3:
         79:43:87:fa:05:fe:74:3f:b6:f2:0a:22:4c:c8:a7:cd:16:73:
         ca:9c:89:90
-----BEGIN CERTIFICATE-----
MIIDpDCCAoygAwIBAgIVAO7eqLzB9SGY5MTUW/nvOlAiXmKSMA0GCSqGSIb3DQEB
CwUAMIGZMRkwFwYDVQQDExBBbmRyZXcgU2NobGVpZmVyMQswCQYDVQQGEwJVUzES
MBAGA1UECBMJTWlubmVzb3RhMRQwEgYDVQQHEwtNaW5uZWFwb2xpczEdMBsGA1UE
ChMUYW5kcmV3c2NobGVpZmVyLm5hbWUxJjAkBgkqhkiG9w0BCQEWF21lQGFuZHJl
d3NjaGxlaWZlci5uYW1lMB4XDTE3MTIyNzE3MzY0OVoXDTIyMTIyNjE3MzY0OVow
IzELMAkGA1UEBhMCWFgxFDASBgNVBAMMC2V4YW1wbGUuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8UzkAucNzHciLI5RNPXzV+TRibIOs8iAjUt+
Ww+Qo3GA18boUGKX56LRbIbvFl5g9CyybIeE3UZ7mtEA0aSq4QS2LSPluEn/GDj7
8mEcOxVtxZaDuQ0XkUEXbwmvPfG+unXprTYpAmdGiO4hWxEYtRCTCZRk8XIiUVvW
XaOsWeF5dwJvlTowdHtI6A7Bi6ZX6HB6NZ2CgaQFax/NmU/f5CIo46KwiRgJT2fl
HxRlsed1/C81knNxKQz47QLaZE54QYPMX6T/Cd54QhVC5fHEu39w1Uey+s/fxPBq
r7DVb5YG6aBFUiaIgm1PxvjPkZ6DrbC73lb9fOU5XJqwSOxTOwIDAQABo1gwVjAJ
BgNVHRMEAjAAMAsGA1UdDwQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAnBgNV
HREEIDAeggtleGFtcGxlLmNvbYIPd3d3LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEB
CwUAA4IBAQDA79reQhuBmBxv+Hrdw3E+zX6luFjI1kJYLfW9u0p19EYk7TBCArLM
xGY15zz/SBWdpVWp0aFnH8/AWzzY6vQakDBYelcUk6W/j31DiwcnMWLPX00hAOhH
K7qRKivKoT21+bSOtLhZgv8Vbf5lV7ei2i2EqUQ7K2B6RtkcOJepfu+E/Z0tkSkt
E+Rt6XPRo/q9An61ASKPiE/iHI0W5GtTsgKijUfg4fyZgJENER7pii3U86H4nkXh
ipmjP59+94oOwXKO5vJ6FpAGy2p2kP48vuAhy0OOuAhH62hLj/6E3rwK+RGkX0qi
BaN5Q4f6Bf50P7byCiJMyKfNFnPKnImQ
-----END CERTIFICATE-----

The relevant entries for your purposes are Subject: and Issuer:. Your site certificate is the BEGIN/END section with a Subject that includes your domain name. The Issuer in that section is the entity that signed your site.

The 4 segments of the chain need to be put in order, with each Issuer followed by the section with the matching Subject.

  1. your site certificate
  2. the certificate that signed your site certificate
  3. the certificate that signed the certificate that signed your site certificate
  4. the certificate that signed the certificate that signed the certificate that signed your site certificate
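The two diagnoses in this thread, the key-versus-first-certificate check from post #3 and the Issuer-to-Subject ordering from post #5, can be scripted so they are run rather than eyeballed. The script below is an added example, not code from the posts or from Discourse. It generates a throwaway root, intermediate and leaf with openssl, deliberately writes the bundle in the wrong order, shows that the key does not match the first certificate, reorders the bundle by walking Issuer to Subject, and shows that the reordered bundle passes. The function names, the temporary directory and the names "Example Root CA", "Example Intermediate CA" and example.com are all invented for the example. One generalization over the thread: it compares SubjectPublicKeyInfo hashes instead of RSA moduli, which answers the same question for RSA keys and also works for EC keys, where `-modulus` does not apply.

```shell
#!/usr/bin/env bash
# Added example for this thread, not code from the original posts or from Discourse.
# Builds a throwaway root -> intermediate -> leaf PKI with openssl, writes the bundle
# in the WRONG order (what post #3 suspects the asker's ssl.crt looks like), shows the
# key/certificate check failing, then reorders the bundle by following each
# certificate's Issuer to the certificate with that Subject (post #5) and shows the
# check passing. Every file name here is invented and lives in a temporary directory.
set -euo pipefail
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# SHA-256 of the SubjectPublicKeyInfo derived from a private key. Comparing public
# keys instead of RSA moduli asks the same question and also works for EC keys.
pubkey_of_key()  { openssl pkey -in "$1" -pubout | openssl dgst -sha256 | awk '{print $NF}'; }
# The same fingerprint taken from the FIRST certificate in a PEM file. openssl x509
# reads only the first block, and that block is the one nginx pairs with the key.
pubkey_of_cert() { openssl x509 -in "$1" -pubkey -noout | openssl dgst -sha256 | awk '{print $NF}'; }
# Succeeds when the private key belongs to the first certificate in the bundle.
key_matches_bundle() { [ "$(pubkey_of_key "$1")" = "$(pubkey_of_cert "$2")" ]; }

# Subject and Issuer in RFC 2253 form so the two can be compared as plain strings.
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//'; }

# Number of certificates in a PEM file (a quick "is the bundle complete?" check).
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Split a PEM bundle into $2/cert-1.pem, $2/cert-2.pem, ... one BEGIN/END block each.
split_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n) }
    n                             { print > f }
    /-----END CERTIFICATE-----/   { close(f) }' "$1"
}

# Rewrite bundle $2 as $3 in the order nginx wants: the certificate matching key $1
# first, then repeatedly the certificate whose Subject equals the previous
# certificate's Issuer, stopping at a self-signed root or when nothing matches.
reorder_bundle() {
  local key="$1" bundle="$2" out="$3" parts want next="" issuer f
  parts="$(mktemp -d "$WORK/parts.XXXXXX")"
  split_bundle "$bundle" "$parts"
  want="$(pubkey_of_key "$key")"
  for f in "$parts"/cert-*.pem; do
    if [ "$(pubkey_of_cert "$f")" = "$want" ]; then next="$f"; fi
  done
  if [ -z "$next" ]; then echo "no certificate in $bundle matches $key" >&2; return 1; fi
  : > "$out"
  while [ -n "$next" ]; do
    cat "$next" >> "$out"
    issuer="$(issuer_of "$next")"
    if [ "$issuer" = "$(subject_of "$next")" ]; then break; fi   # self-signed root: done
    rm "$next"; next=""
    for f in "$parts"/cert-*.pem; do
      if [ -e "$f" ] && [ "$(subject_of "$f")" = "$issuer" ]; then next="$f"; break; fi
    done
  done
}

# Throwaway PKI (constructed test data): self-signed root, intermediate signed by it,
# leaf for example.com signed by the intermediate, then a scrambled bundle.
make_test_pki() {
  local d="$1"; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:example.com\n' > "$d/leaf.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Example Root CA' \
      -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
      -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
      -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=example.com' \
      -keyout "$d/ssl.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
      -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
  cat "$d/int.crt" "$d/root.crt" "$d/leaf.crt" > "$d/ssl.crt"   # wrong order on purpose
}

# Walk-through. Pointed at a real ssl.key / ssl.crt, the same calls are the diagnosis.
demo() {
  local d="$WORK/demo" p="$WORK/demo-parts" f
  make_test_pki "$d"
  if key_matches_bundle "$d/ssl.key" "$d/ssl.crt"; then echo "unexpected: bundle already in order"
  else echo "ssl.crt: key does not match the first certificate (nginx would report a mismatch)"; fi
  reorder_bundle "$d/ssl.key" "$d/ssl.crt" "$d/fixed.crt"
  if key_matches_bundle "$d/ssl.key" "$d/fixed.crt"; then echo "fixed.crt: key matches the first certificate"; fi
  echo "fixed.crt order ($(cert_count "$d/fixed.crt") certificates):"
  split_bundle "$d/fixed.crt" "$p"
  for f in "$p"/cert-*.pem; do echo "  $(subject_of "$f")   issued by   $(issuer_of "$f")"; done
}
demo
```

Two practical notes. Name matching by string is good enough to sort a bundle you already trust, but it is not validation; once the file is in order, check the chain itself with `openssl verify -CAfile <root> -untrusted <ordered bundle> <site certificate>`, reload nginx (`nginx -t` first), and confirm what clients actually receive with `openssl s_client -connect example.com:443 -servername example.com -showcerts`. Keep the private key out of ssl.crt entirely; it belongs only in ssl.key, readable by the nginx user alone.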