Let's Encrypt / nginx problem

2022-11-01 14:20
A newly requested Let's Encrypt certificate produced the following error in nginx:

# nginx
nginx: [emerg] SSL_CTX_use_PrivateKey("/etc/letsencrypt/live/nidbox.cc/privkey.pem") failed
(SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
 
Let's Encrypt TLS/SSL issuance process

# certbot certonly --preferred-challenges dns --manual \
>   -d *.nidbox.cc --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you 
requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/nidbox.cc.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for *.nidbox.cc

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/nidbox.cc/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/nidbox.cc/privkey.pem
   Your certificate will expire on 2023-01-30. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le



First, check whether the certificate and the private key match:
# cd /etc/letsencrypt/live/nidbox.cc

# openssl x509 -noout -modulus -in cert.pem |openssl md5
(stdin)= 5c99f1f04c2096631da7c7217682d5c9

# openssl rsa -noout -modulus -in privkey.pem |openssl md5
(stdin)= 5c99f1f04c2096631da7c7217682d5c9
 

Solution:


# cd /etc/letsencrypt/live/nidbox.cc
# cat cert.pem chain.pem > bundle_chained.crt

Change the nginx TLS/SSL settings from:
   ssl_certificate_key "/etc/letsencrypt/live/nidbox.cc/privkey.pem";
   ssl_certificate     "/etc/letsencrypt/live/nidbox.cc/fullchain.pem";
to:
   ssl_certificate_key "/etc/letsencrypt/live/nidbox.cc/privkey.pem";
   ssl_certificate     "/etc/letsencrypt/live/nidbox.cc/bundle_chained.crt";
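The modulus comparison above only works for RSA keys and does not tell you which certificate nginx will actually pair with the key when the file is a bundle. As an added example (not from the original post), the POSIX shell functions below compare public-key fingerprints instead, so they also work for ECDSA keys, and they check the first certificate of a bundle such as bundle_chained.crt or fullchain.pem against privkey.pem before nginx is reloaded; the file names are assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an nginx
# ssl_certificate file really belongs to its ssl_certificate_key file.
# Compares public keys instead of RSA moduli, so EC keys work too.
set -u

# Fingerprint of the public key inside a certificate file.
# "openssl x509" reads only the FIRST PEM block of a bundle, which is
# exactly the certificate nginx pairs with ssl_certificate_key.
cert_pubkey_fp() {
    openssl x509 -noout -pubkey -in "$1" | openssl sha256 | awk '{print $NF}'
}

# Fingerprint of the public key derived from a private key (RSA or EC).
key_pubkey_fp() {
    openssl pkey -pubout -in "$1" | openssl sha256 | awk '{print $NF}'
}

# Exit status 0 when the certificate's public key matches the key.
cert_matches_key() {
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Number of PEM certificates in a file, useful to confirm that a bundle
# built with "cat cert.pem chain.pem" actually contains the chain.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Usage: check_nginx_pair /path/to/bundle_chained.crt /path/to/privkey.pem
check_nginx_pair() {
    if cert_matches_key "$1" "$2"; then
        echo "OK: first of $(count_certs "$1") certificate(s) in $1 matches $2"
        return 0
    fi
    echo "MISMATCH: $1 does not belong to $2 (nginx would report X509_check_private_key)" >&2
    return 1
}
```

Run check_nginx_pair on the exact paths nginx loads (the files named in ssl_certificate and ssl_certificate_key) rather than on cert.pem, since a leaf-first ordering mistake or a stale copy only shows up in the file nginx reads.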


Official nginx documentation
http://nginx.org/en/docs/http/configuring_https_servers.html

SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
https://stackoverflow.com/questions/26191463/ssl-error0b080074x509-certificate-routinesx509-check-private-keykey-values