Let's encrypt renewal of certificates gives key and cert match errors

ItsOnlyMe

Hi,

We have an issue that has been going on for a long time now, and it is starting to become a big problem.

We are using the newest version of letsencrypt.sh, but every now and then, when renewals are being done for these certificates and that fails for whatever reason, the private key and certificate do not match anymore, which causes Apache to go down and not start again until we remove the certificate for the domain and disable SSL for it.

Code:
[Thu Aug 10 12:20:08.025213 2017] [ssl:emerg] [pid 936489:tid 140409571129472] AH02565: Certificate and private key yyy-zzzz.xxx:443:0 from /usr/local/directadmin/data/users/XXXXXXXX/domains/yyy-zzzz.xxx.cert and /usr/local/directadmin/data/users/XXXXXXXX/domains/yyy-zzzz.xxx.key do not match

[Thu Aug 10 12:21:02.026850 2017] [ssl:emerg] [pid 937141:tid 139909666437248] AH02565: Certificate and private key yyy-zzzz.xxx:443:0 from /usr/local/directadmin/data/users/XXXXXXXX/domains/yyy-zzzz.xxx.cert and /usr/local/directadmin/data/users/XXXXXXXX/domains/yyy-zzzz.xxx.key do not match

[Thu Aug 10 12:21:08.022860 2017] [ssl:emerg] [pid 937266:tid 139632756832384] AH02565: Certificate and private key yyy-zzzz.xxx:443:0 from /usr/local/directadmin/data/users/XXXXXXXX/domains/yyy-zzzz.xxx.cert and /usr/local/directadmin/data/users/XXXXXXXX/domains/yyy-zzzz.xxx.key do not match

Now I could make a script for this to filter out the httpd.conf for users if this throws an error, but that's not a solution I would recommend implementing in a production environment. Can this be fixed by DirectAdmin or are we forced to solve this ourselves?

Kind regards,
 
Let's Encrypt checks whether the public and private key match. Please let us know the output of:
Code:
openssl rsa -noout -modulus -in /usr/local/directadmin/data/users/XXXXXXXX/domains/yyy-zzzz.xxx.key | openssl md5
openssl x509 -noout -modulus -in /usr/local/directadmin/data/users/XXXXXXXX/domains/yyy-zzzz.xxx.cert | openssl md5

And the content of /usr/local/directadmin/data/users/XXXXXXXX/domains/yyy-zzzz.xxx.cacert.

Thank you!
 
Hi smtalk,

Thanks for your response!

See below:
openssl rsa -noout -modulus -in /usr/local/directadmin/data/users/XXXXXXXX/domains/yyy-zzzz.xxx.key | openssl md5
Code:
(stdin)= 28eddd7887acd2a1568cf09c7d0a0dc5

openssl x509 -noout -modulus -in /usr/local/directadmin/data/users/XXXXXXXX/domains/yyy-zzzz.xxx.cert | openssl md5
Code:
(stdin)= 308836ea3dec828a8901710dd498bba6

/usr/local/directadmin/data/users/XXXXXXXX/domains/yyy-zzzz.xxx.cacert
Code:
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhM***MxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
...
-----END CERTIFICATE-----

Thanks
 
And what's the version of letsencrypt.sh?

Latest version has the following code, which should prevent cases like that:
Code:
echo -n "Checking Certificate Private key match... "
CHECKPRIVPUBRES=`checkPrivPubMatch ${KEY}.new ${CERT}.new`
if [ $CHECKPRIVPUBRES -ne 1 ]; then
        echo "Match!"
else
        echo "!!!Certificate mismatch"
        exit 1
fi

You might also try to change:
Code:
if [ $CHECKPRIVPUBRES -ne 1 ]; then

To:
Code:
if [ $CHECKPRIVPUBRES -eq 0 ]; then

To see if that helps.
 
Hi smtalk,

Thanks for your suggestions! We use version 1.0.12 from letsencrypt.

I have also made a few changes in the script. I will report back next week on whether it's solved or not. If so, I'll post my changes here.
 
So,

Normally we would have had several downtimes already due to the mismatch error in certificates. After the change from last week we haven't had a single downtime due to this error.
Here are the changes I made:

Starting on line 119 - 133 old code:
Code:
checkPrivPubMatch() {
        PRIV="${1}"
        PUB="${2}"
        if [ -f "${PRIV}" ] && [ -f "{$PUB}" ]; then 
                MD5SUMPRIVMOD=`openssl rsa -noout -modulus -in ${PRIV}| openssl md5`
                MD5SUMPUBMOD=`openssl x509 -noout -modulus -in ${PUB} | openssl md5`
                if [ "${MD5SUMPRIVMOD}" = "${MD5SUMPUBMOD}" ]; then 
                        echo 0  
                else    
                        echo 1  
                fi      
        else    
                echo 2  
        fi      
}


Starting on line 119 - 133 changed code:
Code:
checkPrivPubMatch() {
        PRIV="${1}"
        PUB="${2}"
        if [ -f "${PRIV}" ] && [ -f "{$PUB}" ]; then
                MD5SUMPRIVMOD=$(openssl rsa -noout -modulus -in ${PRIV}| openssl md5)
                MD5SUMPUBMOD=$(openssl x509 -noout -modulus -in ${PUB} | openssl md5)
                if [ "$MD5SUMPRIVMOD" == "$MD5SUMPUBMOD" ]; then
                        echo 0
                else
                        echo 1
                fi
        else
                echo 2
        fi
}

Starting on line 599 - 606 old code:
Code:
echo -n "Checking Certificate Private key match... "
CHECKPRIVPUBRES=`checkPrivPubMatch ${KEY}.new ${CERT}.new`
if [ $CHECKPRIVPUBRES -ne 1 ]; then
        echo "Match!"
else
        echo "!!!Certificate mismatch"
        exit 1
fi

Starting on line 599 - 606 changed code:
Code:
echo -n "Checking Certificate Private key match... "
CHECKPRIVPUBRES=`checkPrivPubMatch ${KEY}.new ${CERT}.new`
if [ $CHECKPRIVPUBRES -eq 1 ]; then
        echo "!!!Certificate mismatch"
        exit 1
else
        echo "Match!"
fi

Let me know what you think about the little change in there. It has at least solved our downtimes on certificate mismatch errors, since this was happening on a daily basis.
 
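The key/certificate comparison smtalk asked for above, together with the checkPrivPubMatch and "Match!" logic the two posts above discuss, as an added example written for this thread rather than code from letsencrypt.sh or DirectAdmin. It goes a little beyond the thread: it compares the full public key with `openssl pkey` / `openssl x509 -pubkey` instead of the RSA modulus, so it also works for EC keys, and it only promotes the `.new` files into place when they match, leaving the currently working pair alone otherwise. One detail worth noting when reading the posted script: its file test is written `[ -f "{$PUB}" ]`, with the brace outside the `$`, so it looks for a path beginning with a literal `{`, always takes the `echo 2` branch, and the `-ne 1` (or `-eq 1`) test then prints "Match!" regardless. The function names, the `.new` staging convention and the USER/DOMAIN placeholders in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not part of letsencrypt.sh or DirectAdmin: verify that a
# freshly issued key and certificate belong together before they replace the
# pair Apache is currently serving. Function names, the ".new" staging
# convention and the paths in the usage comment are assumptions.

# Public key of a private key, PEM form; prints nothing if the file is not a
# readable private key. "openssl pkey" handles RSA and EC keys alike, whereas
# "openssl rsa -modulus" (used in the thread) only works for RSA.
key_pubkey() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Public key embedded in an X.509 certificate, PEM form; empty on failure.
cert_pubkey() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null
}

# Same convention as checkPrivPubMatch in the thread, but as an exit status:
# 0 = match, 1 = mismatch, 2 = a file is missing or unreadable.
# Both names are quoted as "$var" (the posted script tests -f "{$PUB}").
key_cert_match() {
    priv="$1"
    pub="$2"
    [ -f "$priv" ] && [ -f "$pub" ] || return 2
    privkey=$(key_pubkey "$priv")
    pubkey=$(cert_pubkey "$pub")
    # An unparsable file yields an empty string; two empty strings must not
    # compare as equal, so treat that as "unreadable" rather than "match".
    [ -n "$privkey" ] && [ -n "$pubkey" ] || return 2
    [ "$privkey" = "$pubkey" ] && return 0
    return 1
}

# Promote KEY.new / CERT.new to KEY / CERT only when they match; on any other
# outcome the currently working files are left untouched so Apache keeps
# starting, and the caller can alert on the non-zero status.
install_if_match() {
    key="$1"
    cert="$2"
    key_cert_match "$key.new" "$cert.new"
    rc=$?
    case "$rc" in
        0)
            mv -f "$key.new" "$key" && mv -f "$cert.new" "$cert" || return 3
            echo "Match! installed $key and $cert"
            ;;
        1)
            echo "!!!Certificate mismatch for $cert, keeping existing pair" >&2
            ;;
        *)
            echo "!!!Key or certificate missing/unreadable for $cert, keeping existing pair" >&2
            ;;
    esac
    return "$rc"
}

# Usage (paths follow the DirectAdmin layout shown in the thread; USER and
# DOMAIN are placeholders):
# install_if_match /usr/local/directadmin/data/users/USER/domains/DOMAIN.key \
#                  /usr/local/directadmin/data/users/USER/domains/DOMAIN.cert
```

Run it as the user that owns the DirectAdmin data directory; a non-zero status from `install_if_match` is the point to hook a notification into, since the old pair is still in place and Apache will keep starting while someone looks at why the renewal produced a mismatch.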
It'd be hard to say why you are not having problems anymore, but the script logic is wrong now. In the first replaced part there are no major changes, and in the second part you've changed "not equal" to "equals" (-ne to -eq), so it returns the "certificate mismatch" error when there is a match. So, it might be that it's just not updating your certs at all after the changes.
 
I have been testing this on a few domains that have letsencrypt enabled, but I think you're wrong.

On one domain it was valid until 9 October 2017. I have been renewing this certificate and it now says it's valid until the 14th of November 2017, and the time to auto renewal has been reset in DirectAdmin itself. The certificate itself is also still valid in browsers and not giving any certificate errors. So definitely some changes need to be made to letsencrypt.sh. For +- 1 week now no httpd downtimes due to certificate mismatch errors.
 
Please try 1.0.13 version of letsencrypt.sh. It might fix your problems.
 