I have updated my certificate on Gandi like this:
sudo openssl genrsa -des3 -out mywebsite.com_encrypted.key 4096
sudo openssl req -new -key mywebsite.com_encrypted.key -out mywebsite.com.csr
cd /etc/nginx/ssl/
sudo nano mywebsite.com.crt # > pasted the Gandi certificate in this file
sudo wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem
sudo cat GandiStandardSSLCA.pem >> mywebsite.com.crt
sudo openssl rsa -in mywebsite.com_encrypted.key -out mywebsite.com.key
sudo chown root:root mywebsite.com.key
sudo chmod 400 mywebsite.com.key
Everything was working well with the older certificate, but since I updated the configuration with the new certificate, here is my log on nginx. I can't restart:
Nginx logs:
2015/05/12 20:53:03 [emerg] 7515#0: SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/mywebsite.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
What's wrong with the process?
Configuration of nginx is ok.
Here is my nginx configuration:
ssl on;
ssl_certificate /etc/nginx/ssl/mywebsite.com.crt;
ssl_certificate_key /etc/nginx/ssl/mywebsite.com.key;
1 solution
#1
I have no idea what you are trying to achieve. It looks like you replaced the key in /etc/nginx/ssl/mywebsite.com.key, leaving the original certificate /etc/nginx/ssl/mywebsite.com.crt unchanged (the mywebsite.com.crt certificate is still bound to the original key - and you cannot change that - the public key is an integral part of an X509 certificate). This is exactly what openssl is trying to tell you - you are trying to use a certificate with a different private key than the one it was originally created with.
BTW: I also have no idea why you created a certificate request (along with the new key) and then left it unused (without actually using it to create a new certificate).
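The binding the answer describes can be checked before nginx is restarted by comparing the public key inside the certificate with the one derived from the private key. This is an added example, not part of the original question or answer; the function names and the throwaway files created in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a certificate and a private key belong together
# before nginx is pointed at them. Files created in demo() are constructed.

# Public key of the first certificate in a PEM file. For a bundle such as
# mywebsite.com.crt (leaf first, CA appended) that is the leaf certificate.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from an unencrypted PEM private key (the form written
# by "openssl rsa -in ..._encrypted.key -out ....key" in the question).
pubkey_of_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Exit status: 0 = same public key, 1 = different keys, 2 = unreadable input.
pair_matches() {
    cert_pub=$(pubkey_of_cert "$1") || return 2
    key_pub=$(pubkey_of_key "$2") || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Print "match", "mismatch" or "unreadable" for a certificate/key pair.
check_pair() {
    if pair_matches "$1" "$2"; then echo match
    else case $? in 1) echo mismatch ;; *) echo unreadable ;; esac
    fi
}

# Reproduce the situation from the question with throwaway files: a
# certificate issued for one key, then a second key generated afterwards.
# 2048-bit keys are used here only to keep the demo fast.
demo() {
    d=$(mktemp -d) || return 2
    openssl genrsa -out "$d/original.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$d/original.key" -subj "/CN=mywebsite.com" \
        -days 1 -out "$d/site.crt" 2>/dev/null
    openssl genrsa -out "$d/regenerated.key" 2048 2>/dev/null
    echo "original=$(check_pair "$d/site.crt" "$d/original.key")" \
         "regenerated=$(check_pair "$d/site.crt" "$d/regenerated.key")"
    rm -rf "$d"
}

# With two arguments, check that pair; otherwise run the constructed demo.
if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; else demo; fi
```

Called with the paths from the nginx configuration as its two arguments, the script reports "mismatch" for the combination that produces the `key values mismatch` error in the log.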