SSL 安装问题 - “键值不匹配” (但他们确实匹配?)
因此,我收到了一个新的公共证书,要安装在服务器上(.crt 文件)。完毕。重新启动 apache - “失败”。
错误消息:
[Tue Jan 11 12:51:37 2011] [error] Unable to configure RSA server private key
[Tue Jan 11 12:51:37 2011] [error] SSL Library Error: 185073780 error:0B080074:
x509 certificate routines:X509_check_private_key:key values mismatch
我已经检查了键值:
openssl rsa -noout -modulus -in server.key | openssl md5
openssl x509 -noout -modulus -in server.crt | openssl md5
它们确实匹配。
我已经检查了 ssl.conf 文件中的路径,它们指向正确的文件。
如果我恢复旧的(过期的)证书文件,apache 会正常启动,所以它肯定不喜欢新的证书文件。
它是一个 GeoTrust QuickSSL,它附带了一个“intermediate.crt”,我应该用它来代替我之前使用的“ca-bundle.crt”文件。
SSLCertificateFile /etc/pki/tls/certs/www.domain.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.domain.com.key
SSLCACertificateFile /etc/pki/tls/certs/intermediate.crt
你知道我可能做错了什么吗?您还需要更多信息吗?
谢谢!
So I've been sent a new public cert to install on a server (.crt file). Done. Restart apache - "FAILED".
Error message:
[Tue Jan 11 12:51:37 2011] [error] Unable to configure RSA server private key
[Tue Jan 11 12:51:37 2011] [error] SSL Library Error: 185073780 error:0B080074:
x509 certificate routines:X509_check_private_key:key values mismatch
I've checked the key values:
openssl rsa -noout -modulus -in server.key | openssl md5
openssl x509 -noout -modulus -in server.crt | openssl md5
and they DO match.
I've checked the paths in my ssl.conf file, and they ARE pointing to the correct files.
If I reinstate the old (expired) cert file, apache starts up ok, so it definitely doesn't like something about the new one.
It's a GeoTrust QuickSSL, and it came with an "intermediate.crt" that I'm supposed to use in place of the the "ca-bundle.crt" file that I was using before
SSLCertificateFile /etc/pki/tls/certs/www.domain.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.domain.com.key
SSLCACertificateFile /etc/pki/tls/certs/intermediate.crt
Any ideas what I might be doing wrong? Any more info you need?
Thanks!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(9)
我也遇到了同样的错误。就我而言,我必须在验证链中提供额外的 CA 证书。我没有在单独的文件中提供证书和密钥,而是将它们组合在一个 .pem 文件中。
但是,当您执行此操作时,密钥和证书以及中间证书的顺序很重要。正确的顺序:
I also came across the same error. In my case I had to supply additional CA certificates in the verification chain. And instead of supplying the certificate and the key in separate files, I combined them in a .pem file.
However, when you do this, the order of the key and the certificate plus the intermediate one(s) is important. The correct order:
我最近在一台 CentOS 6.5 服务器上遇到了同样的问题,这取决于我生成 KEY 和 CSR 的时间。
我在虚拟主机中的该服务器上运行了三个站点,所有站点都具有专用 IP,并且每个站点都有自己的 SSL 证书。
仓促间,在更改其中一个证书时,我愚蠢地只是按照证书提供商的指南获取 CSR 并将其安装在 Apache 中,并被指示使用以下命令:
安装新证书后,我也面临 Apache未启动,并且
/var/log/httpd/ssl_error_log中出现相同的错误:现在我真正应该做的是检查我的
.bash_history文件,因为我已经成功完成了此操作之前在CentOS中多次出现过。我应该运行这两个命令:
然后成功生成了 CSR 和 KEY,我使用新获得的 CSR 重新申请了证书,然后应用了新证书并添加了新的密钥文件,最后 Apache 将干净启动。
另外,需要注意的是,经过一些配置后,我们现在在 SSL 实验室测试中获得了 A+ 的成绩。
I had the same issue on one of my CentOS 6.5 servers recently and it was down to when I generated the KEY and CSR.
I have three sites running on this server in virtualhosts all with dedicated IPs and each site has its own SSL Certificate.
In a rush, when changing one of the certificates, I stupidly just followed the certificate provider's guide to gaining the CSR and installing it in Apache, and I was instructed to use the following command:
After installing the new certificate I was then also facing Apache not starting and the same errors in
/var/log/httpd/ssl_error_log:Now what I really should have done was check my
.bash_historyfiles, as I have successfully done this in CentOS many times before.I should have run these two commands instead :
This then successfully generated the CSR and KEY, and I re-applied for the certificate using the newly gained CSR, then applied the new certificate and added the new key file and finally then Apache would start cleanly.
Also, just to note, after a little configuration we now score A+ in an SSL labs test.
当重新颁发我的 Rapid SSL 证书(通过 Namecheap 购买)以处理 Heartbeat bug 时,新证书始终是根据用于先前 CSR 请求的私钥颁发的。在大约第五次重新发布之后,将其与第四次重新发布尝试中使用的私钥配对使得一切正常。
When reissuing my Rapid SSL certificate (purchased through Namecheap) to deal with the Heartbeat bug, the new certificate was always issued against the private key used for the previous CSR request. After about the fifth reissue, pairing that with the private key used in the fourth reissue attempt made things work fine.
确保所有证书文件均使用
ANSI编码,而不是UTF-8。对我来说,所有测试都显示:密钥、crt 和 csr 确实匹配,但日志显示
X509_check_private_key:key value Mismatch直到我看到其中一个文件是用UTF-8。make sure all cert files are encoded using
ANSI, notUTF-8.For me all tests said: key, crt and csr do match, but the logs said
X509_check_private_key:key values mismatchuntil I saw that one of the files was encoded inUTF-8.就我而言,我有两个站点和两个略有不同的私钥:
修复该问题后,错误消息更改为提及
/some/path/server.pem。注意不同的私钥,只是文件扩展名不同。我有两个使用不同密钥加密的不同站点(这意味着我已经修复了第一个站点,但现在需要修复第二个站点)。所以一定要仔细阅读错误信息!In my case, I had two sites and two subtley different private keys:
After I fixed that, the error message changed to mention
/some/path/server.pem. Note the different private key, which only differed in file extension. I had 2 different sites encrypted with different keys (meaning I had fixed the first site but now needed to fix the second site). So be sure to read the error message carefully!我们还遇到了 NameCheap 的问题,颁发的证书与用于生成先前 CERT 的 CSR 相匹配。我们通过他们的支持页面告知他们,他们说他们已经知道这个问题。
We also had the issue with NameCheap, the issued Cert matched the CSR that was used to generate the previous CERT. We let them know via their support page, and they said they already knew about the issue.
根据 Apache 网站上的常见问题解答,证书和密钥的模数和公共指数必须匹配,这样才是有效的检查。
http://httpd.apache.org/docs/2.0/ssl/ssl_faq .html#verify
正如您和其他人已经说过的,与证书颁发者合作
According the FAQ on the Apache website, the modulus and the public exponent for the cert and the key must match so that is a valid check.
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify
As you and others have already stated, work with the cert issuer
在我的例子中,最棘手的部分是设置
SSLCACertificateFile。一旦证书公司颁发了我们的证书,我们就会收到两个额外的证书:中间证书和根证书。SSLCACertificateFile使用哪一个?两者..这是我的证书链的样子:
对于
SSLCACertificateFile我必须将 digicert_sha2_high_assurance_server_ca.crt 和 digicert.crt 按上述顺序连接到一个文件中。The trickiest bit in my case is setting up the
SSLCACertificateFile. Once the certificate company issued our cert, alongside it we received two additional certs: an intermediate and a root certificate. Which one to use forSSLCACertificateFile? Both..Here's what my certificate chain look like:
And for the
SSLCACertificateFileI have to concatenate digicert_sha2_high_assurance_server_ca.crt and digicert.crt into one file in the mentioned order.Dynadot 重新颁发的 RapidSSL 证书似乎也存在同样的问题。我刚刚收到一个非工作证书,然后触发了 Apache 的另一个问题,当这个问题得到解决后,我找到了这个问题并在这里回答了最初的问题,感谢大家提供的信息。我将放弃 RapidSSL 证书,因为我无论如何都存在一些客户端兼容性问题,并从 AlphaSSL 购买一个新证书。
Dynadot seem to have the same issues with the RapidSSL certificates they are re-issuing. I just received a non working certificate, which then triggered another issue with Apache, when that was fixed I found this question and answer here for the original problem, thanks for the information everybody. I shall be scrapping the RapidSSL Cert as I have some client compatibility issues with it anyway and purchasing a new one from AlphaSSL instead.