Used to work
I bought a Rapid SSL from name.com and used the below command to generate the .csr and .key files:
sudo openssl req -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/server.key -out /etc/nginx/ssl/server.csr
I answered all questions which this command asked. I then provided the .csr to name.com and successfully generated the server/intermediate certificates. I then followed the steps mentioned at https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO17664 and installed this certificate at my nginx server. I was able to open the HTTPS version of my site as well.
PrivKey overwritten by mistake
Then, to try something else, I ran the command (sudo openssl req... ) again with different answers this time and generated a new server.key file. Unfortunately, I didn't save the first server.key file.
After modifying the nginx .conf file, when I tried to restart the server, I got the below error:
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/server.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
Seeing this error, I realized I had overwritten the server.key file. I tried to generate the key again with the same answers I gave the first time, but the key mismatch error still comes.
nginx is still running.
My nginx server is still running and I am able to access the HTTPS version of the site but my life is in trouble without the private key. I have gone through the below links but still stuck:
- https://stackoverflow.com/questions/26191463/ssl-error0b080074x509-certificate-routinesx509-check-private-keykey-values
- nginx ssl certificate issue key values mismatch
PrivKey modulus != PubKey modulus
I confirmed by running the below commands that my certificate (issued by name.com) and private key don't match:
openssl x509 -noout -modulus -in server_orig.cert | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
Any hope?
Is there anything which I can do to find out the private key since Nginx is still up and running? In case not, should I get the certificate re-issued by Geotrust?
Any help would be deeply appreciated.
Talk to cert vendor
Depending on your vendor, they may either insist on re-payment, or just do this free of charge.
I would not spend time looking for the cert in nginx's RAM. Sure, if https still works, then the privkey must still be there, and extraction from RAM is possible, but if you have never done this before, then just buying another cert is the quicker option.
@AAgg, Just reissue the certificate from your cert provider with new CSR and Key.
I have done that several times without having any issues.
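The two checks this thread turns on, comparing a certificate against a private key and producing a fresh key plus CSR for the reissue, as an added shell example (not code from the question or the answers). Instead of the MD5 of the RSA modulus used in the question, it fingerprints the DER-encoded SubjectPublicKeyInfo with SHA-256, which also works for EC keys and for a CSR, and it refuses to compare when one side yields no key at all (hashing two empty outputs would otherwise "match"). Note that `-days` has no effect on `openssl req` unless `-x509` is also given; it was a no-op in the command from the question. File names, the `/CN=...` subject and the `example.test` host are assumptions for illustration.

```shell
#!/bin/sh
# Added example: does this certificate (or CSR) belong to this private key,
# and how to mint a new key + CSR for a reissue without losing the key again.

# Print a SHA-256 fingerprint of the DER SubjectPublicKeyInfo held in a PEM
# certificate, CSR or private key. Fails (no output, status 1) on anything else.
pubkey_fingerprint() {
  f="$1"
  case "$(grep -- '-----BEGIN' "$f" 2>/dev/null | head -n1)" in
    "-----BEGIN CERTIFICATE-----")
      pem=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) ;;
    "-----BEGIN CERTIFICATE REQUEST-----"|"-----BEGIN NEW CERTIFICATE REQUEST-----")
      pem=$(openssl req -in "$f" -noout -pubkey 2>/dev/null) ;;
    *"PRIVATE KEY-----")
      pem=$(openssl pkey -in "$f" -pubout 2>/dev/null) ;;
    *)
      echo "unrecognised PEM file: $f" >&2; return 1 ;;
  esac
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 \
    | awk '{print $NF}'
}

# Succeed only when both files carry the same public key.
# This is exactly what nginx's X509_check_private_key complains about when it fails.
keys_match() {
  a=$(pubkey_fingerprint "$1") || return 1
  b=$(pubkey_fingerprint "$2") || return 1
  [ "$a" = "$b" ]
}

# Non-interactive key + CSR for a reissue. The key is written 0600 via umask;
# back it up before sending the CSR to the CA. (Hypothetical output names.)
new_key_and_csr() {
  outdir="$1"; subj="$2"
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$outdir/server.key" -out "$outdir/server.csr" \
      -subj "$subj" 2>/dev/null )
}

# Usage: sh check.sh server.crt server.key
if [ "$#" -eq 2 ]; then
  if keys_match "$1" "$2"; then
    echo "MATCH: $1 and $2 share a public key"
  else
    echo "MISMATCH: $1 and $2 do not belong together" >&2
    exit 1
  fi
fi
```

Run it against the certificate name.com issued and each candidate key; a key regenerated by re-answering the same questions will never match, because RSA key generation is random and the subject fields only go into the CSR, not into the key. Once `keys_match` fails for every key you still have, the only way forward is what the answer says: a new key and CSR from `new_key_and_csr`, and a reissue from the CA.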