Well, if that happens – Virtualmin really does think that the private SSL key it sees there doesn’t match the SSL cert that’s been installed.
Why that would happen, I’m not sure… but SSL providers offer a way to handle that, called “re-keying”. You should be able to generate a new private key, and be given a new SSL cert to match that key.
The only other alternative is to find where the correct matching SSL key is on your system, but re-keying your cert is likely simpler.
I see… When I generated the CSR, I saved the CSR and Key in a text file. I can see that the key VM is using is the same as what I saved when generating the CSR.
While it’s possible that you were issued a faulty key, it seems more likely that there’s some sort of mixup with the cert/key on your server.
What you could try doing is go into your homedir, and find the ssl.cert and ssl.key files – and replace those with what you know to be the good copies of the SSL cert and private key.
Then, restart Apache and Virtualmin, and see if that works.
You can review the Apache logs in /var/log/httpd/error_log or /var/log/apache2/error_log to see what error Apache is throwing when you attempt to restart it.
[Wed Oct 19 18:14:43 2011] [warn] RSA server certificate CommonName (CN) `www.domain.com' does NOT match server name!?
[Wed Oct 19 18:14:43 2011] [error] Unable to configure RSA server private key
[Wed Oct 19 18:14:43 2011] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Wed Oct 19 18:15:02 2011] [warn] RSA server certificate CommonName (CN) `www.domain.com' does NOT match server name!?
[Wed Oct 19 18:15:02 2011] [error] Unable to configure RSA server private key
[Wed Oct 19 18:15:02 2011] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Wed Oct 19 18:15:17 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Oct 19 18:15:17 2011] [warn] RSA server certificate wildcard CommonName (CN) `*.domain.com' does NOT match server name!?
[Wed Oct 19 18:15:18 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Oct 19 18:15:18 2011] [warn] RSA server certificate wildcard CommonName (CN) `*.domain.com' does NOT match server name!?
Thanks Eric, I followed the instruction to compare the modulus and exponent and they both appear identical, however something is mismatched, so looks like re-keying is in order.
Is re-keying simply generating and submitting a new CSR to my CA?
Since this is a wildcard cert, should I be using *.domain.com for the server name?
I take it back… I inadvertently just compared the self-signed crt and key, which of course matched. This is not the case with the new key and cert from the CA.
Not only does the modulus not match but the crt is 2048 bit and key is 1024 bit.
If Apache still isn’t starting – you can always disable the SSL feature in Virtualmin just to get Apache started in the meantime while you work out all these details.
For a wildcard certificate, you would indeed set the “Server Name” field to *.domain.tld when generating your CSR.
Thanks for the info. I had Apache restarted right away as the server has a couple hundred sites on it, so being down unnecessarily is not an option. The CA has given me permission to resubmit.
I’m waiting for the new cert, but maybe now is a good time to mention that I have noticed that when generating a CSR, if I use the default 2048 bit, it comes out as 1024 bit. I have to use the second box and manually enter 2048.
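The cert/key comparison discussed in this thread, as an added example that is not from any of the posters or from Virtualmin: it hashes the public key inside the certificate and the one derived from the private key, and reports both key sizes, which catches both the "key values mismatch" error and the 2048 vs 1024 bit difference. The function names and the sample file names (good.key, stale.key) are made up for the example; ssl.cert is the file name mentioned above.

```shell
# Added example: function and sample file names are hypothetical.
# Only public-key data is compared; no private material is printed.

# pubkey_of cert|key FILE -> public key in PEM on stdout
pubkey_of() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        *)    return 2 ;;
    esac
}

# pubkey_hash cert|key FILE -> SHA-256 of the DER-encoded public key
pubkey_hash() {
    pem=$(pubkey_of "$1" "$2" 2>/dev/null) && [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# pubkey_bits cert|key FILE -> key size in bits (e.g. 2048)
pubkey_bits() {
    pubkey_of "$1" "$2" 2>/dev/null | openssl pkey -pubin -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# check_pair CERT KEY -> 0 if they belong together, 1 if not, 2 if unreadable
check_pair() {
    c=$(pubkey_hash cert "$1") || return 2
    k=$(pubkey_hash key "$2") || return 2
    echo "cert $(pubkey_bits cert "$1") bit / key $(pubkey_bits key "$2") bit"
    [ "$c" = "$k" ]
}

# Constructed sample data: a 2048-bit key with a self-signed cert standing in
# for the CA-issued one, plus an unrelated 1024-bit key as in the thread.
make_samples() {
    openssl genrsa -out "$1/good.key" 2048 2>/dev/null
    openssl genrsa -out "$1/stale.key" 1024 2>/dev/null
    openssl req -x509 -new -key "$1/good.key" -subj '/CN=*.domain.com' \
        -days 1 -out "$1/ssl.cert" 2>/dev/null
}

dir=$(mktemp -d) && make_samples "$dir"
for key in good.key stale.key; do
    if check_pair "$dir/ssl.cert" "$dir/$key"; then echo "$key: MATCH"
    else echo "$key: MISMATCH"; fi
done
rm -rf "$dir"
```

Run `check_pair` against the ssl.cert and ssl.key files in the domain's home directory before restarting Apache; a non-zero return means Apache will refuse the pair.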