
I accidentally modified my original domain.crt Now nginx doesn't start

Discussion in 'Server Configuration and Hosting' started by RoldanLT, Jan 16, 2014.

  1. RoldanLT

    RoldanLT Well-Known Member

    How can I fix this? :(
    Code:
    nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/nginx/conf/ssl/phcornernet/www_phcorner_net.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
    
     
  2. Null

    Null Well-Known Member

    If you don't have it backed up somewhere, you'd have to ask the people you bought the SSL certificate from. They should have a copy of your signed certificate.

    If you've lost your key, you need to generate a new CSR and see if your SSL provider will reissue a certificate (most do).

    Code:
    openssl req -new -newkey rsa:2048 -nodes -keyout www.example.com.key -out www.example.com.csr
     
    Last edited: Jan 16, 2014
  3. p4guru

    p4guru Well-Known Member

    As you're using Centmin Mod http://centminmod.com/nginx.html, every time you update your Nginx version, an automatic backup of your full nginx directory is created, including the nginx/conf/ssl directory.

    You can find your automatic backups at /usr/local/nginxbackup ;)

    i.e. the /usr/local/nginxbackup/confbackup/conf_datetimestamp folder is a backup of your /usr/local/nginx/conf directory and its subdirectories.

     
  4. RoldanLT

    RoldanLT Well-Known Member

    WoW let me scan this.
    Thanks for pointing this out, didn't know this before (y)

    I am using Startssl temporarily :D
     
  5. p4guru

    p4guru Well-Known Member

  6. RoldanLT

    RoldanLT Well-Known Member

  7. p4guru

    p4guru Well-Known Member

  8. RoldanLT

    RoldanLT Well-Known Member

    Thanks!
    Now how can I fix this?

    This is my config:
    Code:
    server {
        server_name phcorner.net www.phcorner.net;
        return 301 https://www.phcorner.net$request_uri;
    }

    server {
        listen 192.99.1.216:443 ssl spdy default_server;
        server_name www.phcorner.net;

        ssl_certificate /usr/local/nginx/conf/ssl/phcorner_net/ssl-unified.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/phcorner_net/www_phcorner_net.key;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!kEDH:!EDH:!CAMELLIA;
        ssl_prefer_server_ciphers on;
        add_header Alternate-Protocol 443:npn-spdy/2;
        # enable ocsp stapling
        # resolver 8.8.8.8;
        # ssl_stapling on;

        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /usr/local/nginx/conf/ssl/phcorner_net/ssl-trusted.crt;
        resolver 8.8.8.8 8.8.4.4 valid=10m;
        resolver_timeout 10s;

        # custom added
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
        add_header X-Content-Type-Options "nosniff";
        add_header X-Frame-Options DENY;

        # logs
        access_log /home/nginx/domains/phcorner.net/log/access.log combined buffer=32k;
        error_log /home/nginx/domains/phcorner.net/log/error.log;

        root /home/nginx/domains/phcorner.net/public;

        # block common exploits, sql injections etc
        include /usr/local/nginx/conf/block.conf;

        # Start XenForo
        location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;
        }

        location /internal_data/ {
            internal;
            allow 127.0.0.1;
            deny all;
        }

        location /library/ {
            internal;
            allow 127.0.0.1;
            deny all;
        }

        location = /data/taigachat/ {
            open_file_cache off;
        }
        # End Xenforo

        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/php.conf;
        include /usr/local/nginx/conf/drop.conf;
    }
    
     
  9. RoldanLT

    RoldanLT Well-Known Member

  10. Floren

    Floren Well-Known Member

  11. p4guru

    p4guru Well-Known Member

  12. RoldanLT

    RoldanLT Well-Known Member

    I think RapidSSL and GeoTrust are just the same, or connected.
     
  13. p4guru

    p4guru Well-Known Member

    If that is the case, change the order of the last 2 certs.
     
    Last edited: Jan 17, 2014
  14. RoldanLT

    RoldanLT Well-Known Member

    Last edited: Jan 17, 2014
  15. Floren

    Floren Well-Known Member

    All you have to do is execute what @Marcus told you. :D
     
  16. RoldanLT

    RoldanLT Well-Known Member

    Post #14 edited.
    Yes, I follow what he said.

    But when my ssl_certificate has only:

    1. Mydomain.crt +
    2. (root) Secondary Intermediate CA.crt +
    No Primary Intermediate CA.crt, I got a recommendation to add it to support older browsers.
    Still, neither of these fixes my OCSP Stapling :(
     
  17. Marcus

    Marcus Well-Known Member

    Try this:

    ssl certificate:
    1. Mydomain.crt +
    2. (root) Secondary Intermediate CA.crt

    ssl_trusted_certificate: (different order here)
    1. Primary Intermediate CA.crt
    2. (root) Secondary Intermediate CA.crt
    From my understanding, the browser fetches the trusted certificate (OCSP ...) if it doesn't trust your ssl certificate. So it is fine to not put the root certificate into the ssl certificate.
     
  18. RoldanLT

    RoldanLT Well-Known Member

  19. Floren

    Floren Well-Known Member

  20. Floren

    Floren Well-Known Member

    Yes, you have a very good understanding. :)
     
