xdtianyu / scripts

scripts for work
https://www.xdty.org

Error: X509_check_private_key:key values mismatch #30

Closed ichenfeng closed 7 years ago

ichenfeng commented 7 years ago

Generated files:

    -rw-r--r-- 1 root root 1647 Oct 13 16:19 *.chained.crt
    -rw-r--r-- 1 root root 1679 Oct 13 15:56 *.com.key
    -rw-r--r-- 1 root root    0 Oct 13 16:19 *.crt
    -rw-r--r-- 1 root root  964 Oct 13 16:19 *.csr
    -rw-r--r-- 1 root root  272 Oct 13 15:54 *_letsencrypt.conf
    -rw-r--r-- 1 root root 3243 Oct 13 15:56 letsencrypt-account.key
    -rwxr-xr-x 1 root root 2124 Oct 13 15:56 letsencrypt.sh
    -rw-r--r-- 1 root root 1647 Jul  3 23:25 lets-encrypt-x3-cross-signed.pem

nginx configuration:

    # SSL config
    ssl on;
    ssl_certificate /opt/letsencrypt/*.chained.crt;
    ssl_certificate_key /opt/letsencrypt/*.com.key;

After generating the certificate, starting nginx fails with this error:

    nginx: [emerg] SSL_CTX_use_PrivateKey_file("/opt/letsencrypt/*.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
    configuration file /opt/nginx/conf/nginx.conf test failed

xdtianyu commented 7 years ago

Please paste the script's configuration file; this looks like a configuration problem. Why is there a wildcard domain like `*`? Let's Encrypt does not support wildcard certificates.

ichenfeng commented 7 years ago

If the server certificate and the CA certificate chain are concatenated in the wrong order, nginx cannot start and shows the following error message:

    SSL_CTX_use_PrivateKey_file(" ... /www.example.com.key") failed (SSL: error:0B080074:x509 certificate routines: X509_check_private_key:key values mismatch)

This is because nginx first needs to use the private key to decrypt the server certificate, but what it encounters instead is the CA's certificate.

Browsers usually store the intermediate CAs that have been certified by trusted CAs, so when such a browser later meets a site that uses one of those intermediate CAs but does not include the certificate chain, it does not report an error, because it already holds the intermediate CA's information. You can use the openssl command-line tool to confirm that the server sends the complete certificate chain:

    $ openssl s_client -connect www.godaddy.com:443
    ...
    Certificate chain
     0 s:/C=US/ST=Arizona/L=Scottsdale/1.3.6.1.4.1.311.60.2.1.3=US
         /1.3.6.1.4.1.311.60.2.1.2=AZ/O=GoDaddy.com, Inc
         /OU=MIS Department/CN=www.GoDaddy.com
         /serialNumber=0796928-7/2.5.4.15=V1.0, Clause 5.(b)
       i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc.
         /OU=http://certificates.godaddy.com/repository
         /CN=Go Daddy Secure Certification Authority
         /serialNumber=07969287
     1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc.
         /OU=http://certificates.godaddy.com/repository
         /CN=Go Daddy Secure Certification Authority
         /serialNumber=07969287
       i:/C=US/O=The Go Daddy Group, Inc.
         /OU=Go Daddy Class 2 Certification Authority
     2 s:/C=US/O=The Go Daddy Group, Inc.
         /OU=Go Daddy Class 2 Certification Authority
       i:/L=ValiCert Validation Network/O=ValiCert, Inc.
         /OU=ValiCert Class 2 Policy Validation Authority
         /CN=http://www.valicert.com//emailAddress=info@valicert.com
    ...

In this example, the subject ("s") of the www.GoDaddy.com server certificate (#0) is signed by an issuer ("i"), and that issuer is the subject of certificate (#1); the issuer of certificate (#1) is in turn the subject of certificate (#2); finally, certificate (#2) is signed by the well-known issuer ValiCert, Inc. The ValiCert, Inc. certificate is embedded in the browser and is recognised automatically (this passage reads a lot like the English nursery rhyme "The House That Jack Built"). If the CA certificate chain has not been added, only the server certificate (#0) is shown.
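The check nginx is failing can be reproduced offline, as an added example that is not part of xdtianyu/scripts: nginx pairs the key with the first certificate in the ssl_certificate file, so comparing the public-key fingerprint of the key with that of the first certificate shows whether the chained file really starts with the server certificate. In the listing earlier in this thread, `*.crt` is 0 bytes and `*.chained.crt` has exactly the size of lets-encrypt-x3-cross-signed.pem, which suggests the first certificate nginx read was the intermediate. The script assumes only the openssl CLI; the file paths in the comments are illustrative.

```shell
#!/bin/sh
# Added example, not part of xdtianyu/scripts. Reproduces the check behind
# nginx's SSL_CTX_use_PrivateKey_file error: the private key must match the
# FIRST certificate in the ssl_certificate file. Needs the openssl CLI.

# Hash a PEM public key read from stdin (DER form, so encoding is canonical).
pubkey_fp() {
    openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Fingerprint of the public key in the first certificate of a PEM file.
# openssl x509 reads only the first certificate, exactly as nginx does.
cert_pubkey_fp() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | pubkey_fp
}

# Fingerprint of the public key derived from a private key file.
key_pubkey_fp() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | pubkey_fp
}

# 0 when key $1 belongs to the first certificate in $2, 1 otherwise.
# An empty file or an intermediate-first chain fails here just as in nginx.
key_matches_cert() {
    k=$(key_pubkey_fp "$1") || return 1
    c=$(cert_pubkey_fp "$2") || return 1
    [ "$k" = "$c" ]
}

# List subject= / issuer= of every certificate in file order, so a chain
# that starts with the intermediate instead of the server cert is obvious.
chain_order() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout | grep -E '^(subject|issuer)='
}

# Command-line use: check-chain.sh <private key> <chained certificate file>
if [ "$#" -eq 2 ]; then
    chain_order "$2"
    if key_matches_cert "$1" "$2"; then
        echo "OK: $1 matches the first certificate in $2"
    else
        echo "MISMATCH: first certificate in $2 does not belong to $1" >&2
        exit 1
    fi
fi
```

Run it as `sh check-chain.sh /opt/letsencrypt/example.com.key /opt/letsencrypt/example.com.chained.crt` (illustrative paths); the intermediate-first case is the one described in the comment above.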