
I'm trying to set up HTTPS on my Ubuntu server with NGINX ver 1.4.7 and Phusion Passenger 4.0.41.

I created the .key and .csr using these two commands:

sudo openssl genrsa -des3 -out server.key 2048
sudo openssl req -new -key server.key -out server.csr

and sent the .csr to the sslshopper.com guys.

Got 3 files:

Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - USERTrustSecureServerCA.crt
Your COMODO SSL Certificate - subdomain_domain_com.crt

This is how my nginx.conf looks right now:

http {
    passenger_root /usr/local/rvm/gems/ruby-2.1.1/gems/passenger-4.0.41;
    passenger_ruby /usr/local/rvm/gems/ruby-2.1.1/wrappers/ruby;

    server_names_hash_bucket_size 64;
    include       mime.types;
    default_type  application/octet-stream;

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    server {
        listen 443 default ssl;
        ssl on;
        ssl_certificate /opt/nginx/ssl/subdomain_domain_com.crt;
        ssl_certificate_key /opt/nginx/ssl/server.key;

        server_name app.petosevic.com;
        root /var/www/petosevic/public;
        passenger_enabled on;

        location / {
            # set X-FORWARDED_PROTO so ssl_requirement plugin works
            proxy_set_header X-FORWARDED_PROTO https;

            # standard rails+mongrel configuration goes here.
        }
    }
}

And when I try to start the server, I need to enter the password I entered when I created the .key file. When it is accepted, I'm getting the error:

nginx: [emerg] SSL_CTX_use_PrivateKey_file("/opt/nginx/ssl/server.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

I'm 100% sure that I sent the correct .csr file to the sslshopper.com guys, but it looks like they do not match.

What do you think about this?

Passenger

1 Answer


You can verify the certificate/key pair manually using:

openssl x509 -noout -modulus -in subdomain_domain_com.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5

The output of the two commands should be the same. This will tell you that it's a valid pair.

If it's valid, but you're getting that error, take a look at the section on "certificate chains" in nginx - configuring https servers. NGINX expects a chained cert to be in one file, with the intermediate concatenated after the server certificate. If you have them in the wrong order, that is the error you'll get.

rjewell
    I'm getting different output :( – Passenger May 07 '14 at 21:47
  • In the certificate file, is there just one x509 stanza, or are there multiple "BEGIN"/"END" statements? – rjewell May 07 '14 at 21:51
  • 1
    Just one "BEGIN" and "END" – Passenger May 07 '14 at 21:54
  • I'd be pretty confident at this point that there's something wrong with the files, as opposed to the nginx config. Check out https://www.sslshopper.com/certificate-key-matcher.html, which can confirm this suspicion and give you info to take to sslshopper.com's support. (Note, there's a risk with giving anyone your private key, so take that into consideration before pasting it in that box! The openssl commands you ran should be good enough to get sslshopper.com to help you.) _edit: link_ – rjewell May 07 '14 at 22:10
  • Ok, thank you guys. Will try to generate these files again. – Passenger May 07 '14 at 22:13
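The modulus check from the answer, scripted so it can be run against the files in the question, as an added example that is not part of the original answer. It assumes the openssl CLI is installed; the function names (cert_key_match, cert_count, first_subject) are my own. It also inspects the certificate file for the chain-order problem the answer mentions, since nginx treats the first PEM block in ssl_certificate as the server certificate and everything after it as the chain.

```shell
#!/bin/sh
# Added example, not from the original post. Compares a certificate with a
# private key by RSA modulus (what the answer's two openssl commands do; the
# "| openssl md5" in the answer only shortens the output for eyeballing), and
# looks at the certificate file the way nginx reads it.

# cert_key_match CERT KEY [PASSWORD]: exit 0 when the moduli match.
# Reads only the first certificate in CERT, exactly as nginx does, so a
# chain file with the intermediate placed first fails this check too.
cert_key_match() {
    passopt=""
    [ -n "$3" ] && passopt="-passin pass:$3"
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$2" $passopt 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# cert_count FILE: number of PEM certificate blocks (1 = no chain appended).
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# first_subject FILE: subject of the first certificate in FILE; for a
# correctly ordered chain this is the server name, not the intermediate CA.
first_subject() {
    openssl x509 -noout -subject -in "$1" 2>/dev/null | sed 's/^subject= *//'
}

# Usage: sh check.sh CERT KEY [PASSWORD]
if [ "$#" -ge 2 ]; then
    if cert_key_match "$1" "$2" "$3"; then echo "match"; else echo "MISMATCH"; fi
    echo "certificates in $1: $(cert_count "$1")"
    echo "first subject: $(first_subject "$1")"
fi
```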