Godaddy chained certs issue

I’m having an issue getting a Godaddy chained cert working. It works
fine under Apache.

Apache config:

SSLCertificateFile /etc/certs/domain.com.crt
SSLCertificateKeyFile /etc/certs/domain.com.key
SSLCertificateChainFile /etc/certs/sf_intermediate_bundle.crt

To prepare the certs for use with Nginx, I used the following:

$ cat domain.com.crt sf_intermediate_bundle.crt > domain.com-combined.crt

(I’ve also tried reversing the order of the files).

Nginx config:

ssl_certificate /etc/certs/domain.com-combined.crt;
ssl_certificate_key /etc/certs/domain.com.key;

Upon starting Nginx I get the following:

Starting nginx: 2008/06/16 13:40:17 [emerg] 8586#0: SSL_CTX_use_PrivateKey_file("/etc/certs/www.lazulijewelry.com.key") failed
(SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

Any suggestions?

Cliff

On Mon, Jun 16, 2008 at 01:50:24PM -0700, Cliff W. wrote:

Upon starting Nginx I get the following:

Starting nginx: 2008/06/16 13:40:17 [emerg] 8586#0: SSL_CTX_use_PrivateKey_file("/etc/certs/www.lazulijewelry.com.key") failed
(SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

Any suggestions?

Looking in Google, I have found these relevant pages:

https://www.thawte.com/ssl-digital-certificates/technical-support/ssl/apache.html#error2
http://openvpn.net/archive/openvpn-users/2005-03/msg00517.html

I will also have to use chained certs once I switch over some work
servers to nginx (not via Godaddy though, but through GeoTrust I
think)

So if there’s any gotchas, putting it on the wiki would be good. I’ve
done it in Lighttpd and I was able to help someone get their Apache
install working with it too, but nginx I have not tried yet.

On Tue, 2008-06-17 at 11:58 -0700, mike wrote:

I will also have to use chained certs once I switch over some work
servers to nginx (not via Godaddy though, but through GeoTrust I
think)

So if there’s any gotchas, putting it on the wiki would be good. I’ve
done it in Lighttpd and I was able to help someone get their Apache
install working with it too, but nginx I have not tried yet.

I’ve gotten it working for other domains without much issue. It makes
me suspect there’s something wrong with these certs, but the fact that
it works under Apache is rather disconcerting.

On Tue, Jun 17, 2008 at 12:39:01PM -0700, Cliff W. wrote:

me suspect there’s something wrong with these certs, but the fact that
it works under Apache is rather disconcerting.

It’s strange. If you use only domain.com.crt and domain.com.key,
without sf_intermediate_bundle.crt, does nginx start?

domain.com.crt alone will be rejected by browsers, but nginx should
start. What nginx and OpenSSL versions do you use?
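
An added check, not part of the original thread: nginx takes the first certificate in the ssl_certificate file as the server certificate, so the "key values mismatch" error quoted above is what appears when that first certificate does not belong to the key. The script below reports which certificate in a combined file matches the key; its function names are this example's own, and it assumes the openssl command-line tool is installed and the key is not passphrase-protected.

```shell
#!/bin/sh
# Added example. File names are whatever the caller passes in.

# Print the 1-based position of the certificate in PEM file $1 whose public
# key matches private key $2, or 0 if none does. nginx needs this to be 1.
matching_cert_index() {
    bundle=$1
    key=$2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate, keeping file order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n) }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    idx=0
    i=0
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || break          # no certificates found in the file
        i=$((i + 1))
        pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) || continue
        if [ "$pub" = "$key_pub" ]; then idx=$i; break; fi
    done
    rm -rf "$tmp"
    echo "$idx"
}

# Exit status 0 only when the first certificate in $1 matches key $2.
check_nginx_pair() {
    pos=$(matching_cert_index "$1" "$2") || { echo "cannot read key $2"; return 2; }
    case $pos in
        1) echo "ok: first certificate in $1 matches $2" ;;
        0) echo "mismatch: no certificate in $1 matches $2"; return 1 ;;
        *) echo "wrong order: certificate $pos matches $2, it must be first"; return 1 ;;
    esac
}

# Usage: sh check.sh domain.com-combined.crt domain.com.key
if [ "$#" -eq 2 ]; then
    check_nginx_pair "$1" "$2"
fi
```

A result of 0 means the key belongs to none of the certificates in the file, which points at the wrong key or certificate rather than at the concatenation order.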