Private Key Mismatch Errors on AWS - Fixed

So you’re running an EC2 instance on AWS and you need to install an SSL certificate served up by Nginx. Normally this is a straightforward process, but this time you get a strange key mismatch error. The other day this happened to me, and I’m by no means new to installing SSL certificates. If you’re running Nginx or even Apache and it’s complaining about some sort of key mismatch error, this is what will fix it.

The possible causes

First off, let’s get the obvious causes out of the way. You need to eliminate the easy causes before getting into the weeds.

Now, before we get any further, let me ask you this: did you generate a CSR (certificate signing request) along with its private key, submit the CSR to your certificate provider, concatenate your server’s certificate with any intermediate certificates, and finally update your virtual host configuration to point to the new key and certificate? You did that? Did you do it right? Let’s see.

This type of error has only two real causes: either the certificate genuinely doesn’t match the key, or the certificate bundle was assembled incorrectly (you put the certs in the wrong order). Barring those, there’s only one more thing that can cause it, and that applies if you’re running your servers on AWS’s EC2 service.

1 Your key and certificate really don’t match

Make sure you really did generate the correct key and that it matches the certificate. Run the following commands on your private key and your SSL certificate and check that the two hashes are identical.

Note that you’ll need OpenSSL installed (but you should have that anyway if you’re installing an SSL certificate).

openssl x509 -noout -modulus -in /path/to/your/certificate.crt | openssl md5
# Output looks like: a77c7953ea5283056a0c9ad75b274b96

openssl rsa -noout -modulus -in /path/to/your/serverKey.key | openssl md5
# Should print exactly the same hash as the certificate command above

At this point both of the above commands should have returned the same output. If they didn’t, check out one of my other guides on how to install SSL certificates for Nginx or Apache.

If you did get the same output and you’re using Amazon’s EC2 then keep reading.
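As an added example (not from the original post), here is a small POSIX shell script that automates the check from step 1 and goes slightly beyond it: it compares the public key on each side instead of the RSA modulus, so it also works for EC keys, and its self-test shows why a bundle with an intermediate certificate in first position fails the check. It assumes the openssl CLI (1.1 or later) is installed; all key material is throwaway, generated in a temp dir.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is installed.
set -eu

# SHA-256 fingerprint of the public key in the FIRST certificate of a file.
# openssl x509 only reads the first cert, so on a concatenated bundle this also
# catches the "certs in the wrong order" mistake: an intermediate placed first
# carries a different public key and will not match your private key.
cert_pubkey_fp() {
    openssl x509 -noout -pubkey -in "$1" \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key derived from a private key (RSA or EC).
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when the private key matches the certificate, 1 otherwise.
key_matches_cert() {
    [ "$(key_pubkey_fp "$1")" = "$(cert_pubkey_fp "$2")" ]
}

# Constructed test material (throwaway, not real keys): a self-signed cert with
# its key, an unrelated key, and a bundle with the server cert in the WRONG
# position (a stand-in "intermediate" comes first).
make_test_material() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$d/good.key" -out "$d/cert.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.key" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=fake-intermediate" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    cat "$d/ca.crt" "$d/cert.crt" > "$d/wrong-order.pem"
    echo "$d"
}

# Walk the three key/cert pairs and report which ones match.
demo() {
    d=$(make_test_material)
    for pair in "good.key cert.crt" "other.key cert.crt" "good.key wrong-order.pem"; do
        set -- $pair
        if key_matches_cert "$d/$1" "$d/$2"; then echo "$1 vs $2: match"
        else echo "$1 vs $2: MISMATCH"; fi
    done
}

demo
```

Only the first pair should report a match; the unrelated key and the mis-ordered bundle both fail, which is exactly the symptom Nginx or Apache reports as a key mismatch.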

2 You haven’t configured Nginx or Apache correctly

You updated your virtual host configuration to point to the new key and certificate files, right? Now, do those files have the right permissions on them? They should be owned by root with permissions set to 400.

Yes? Okay, then there is one last thing to check before we give up.

You are using AWS EC2 right?

Are you using an ELB (Elastic Load Balancer) by chance? If so, the issue is that you should not be installing SSL certs on the load-balanced servers at all. You need to install the certificate on the load balancer. Taking it a step further, if you use one of Amazon’s ELB load balancers then you can request a free certificate for the load balancer. You don’t even need to get your hands dirty on the command line; just a few clicks and it’s installed. Rather than explain it here, you should go straight to the source and follow Amazon’s own instructions.

If you’re not using Amazon and you still have this issue, go back to steps 1 and 2 and follow them carefully. There’s a 99% chance you made a mistake there.
