nginx SSL error key values mismatch

The error

nginx SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

can happen for a chain of certificates merged in one .crt file. The reason is that nginx tries to apply a private key to the first certificate in a crt file. nginx needs that the first certificate in a .crt file would be a server certificate. Thus the correct order in a .crt file will be the following:

-----BEGIN CERTIFICATE-----
THIS IS THE SERVER CERTIFICATE CONTENT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
THIS IS THE ROOT CA CERTIFICATE CONTENT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
THIS IS THE INTERMEDIATE CA CERTIFICATE CONTENT
-----END CERTIFICATE-----

You can use any text editor. Make sure there are no extra symbols or caret returns.

Now you can check the certificate chain with
# openssl x509 -noout -text -in /etc/ssl/example.com.crt_chain
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
85:3d:b3:5a:41:06:69:1b:54:71:cf:6f:09:11:7f:16
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=GeoTrust Inc., CN=RapidSSL SHA256 CA
Validity
Not Before: Nov 15 00:00:00 2017 GMT
Not After : Dec 14 23:59:59 2020 GMT
Subject: CN=*.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e9:44:51:17:b6:2e:40:67:60:24:75:17:12:37:
08:df:2a:21:05:74:79:3c:af:eb:1b:88:25:54:e7:
f9:2a:16:f1:16:8c:98:99:95:2e:82:33:d7:ca:62:
32:30:47:69:cb:71:ab:f0:bf:fa:69:1a:51:8c:c9:
ba:52:60:3c:f9:6b:82:e6:99:4d:87:c1:b9:c8:2a:
e4:e3:6c:14:g4:93:ec:6c:fc:25:16:c6:61:45:5c:
8c:7b:62:01:6d:0b:df:d9:dc:2e:8e:c9:70:9f:60:
d8:c8:1e:df:6e:b6:fb:ec:7a:45:62:4b:4e:cf:d0:
fd:94:16:5b:57:45:0b:61:88:b3:09:82:ae:05:f4:
13:e9:b4:13:6f:e6:26:95:db:4e:7e:92:a0:92:71:
3d:ea:fc:6d:3f:08:75:e2:78:c6:8a:27:1a:3a:e5:
28:eb:36:59:2e:06:3d:c7:57:33:7e:6a:00:e3:f4:
1b:ec:4a:8b:7a:96:80:08:5d:ad:06:47:42:f7:7f:
fa:a8:f2:ca:09:ba:98:c2:73:10:b1:f9:fe:89:64:
88:07:5a:74:d8:29:aa:41:5e:e3:77:22:c5:6e:ad:
cd:9f:70:be:ba:6c:2a:38:c4:18:15:c9:ed:dd:86:
d9:4f:f7:57:4c:7f:99:5c:91:c2:5a:0b:93:9c:2f:
ed:09
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:*.example.com, DNS:example.com
X509v3 Basic Constraints:
CA:FALSE
X509v3 CRL Distribution Points:
...

You can see that Subject field matches your domain and CA field is False.

openssl verify utility will not be happy:
# openssl verify /etc/ssl/example.com.crt_chain
/etc/ssl/example.com.crt_chain: CN = *.example.com
error 20 at 0 depth lookup:unable to get local issuer certificate

but this should not confuse you in case of nginx.

Please also check How to convert pfx certificate to crt article.

Want me to do this for you? Drop me a line: itgalaxyzzz {at} gmail [dot] com