SOLVED Cannot sign CSR by external CA

hansch · Jan 9, 2021

Hi,

My certificate (signed by Sectico / Comodo) cannot be installed.
I issued a CSR and pasted the certificate in the web interface. (Last time I did this was 2 years ago, several updates ago.)
Version 12.2 U8 (latest 12.2).

Error:
Private key does not match certificate: [('x509 certificate routines', 'X509_check_private_key', 'key values mismatch')]

The CSR stays at "external - signature pending"

When I check the old certificate it shows the private key is the same, so it does not change.
The corresponding files (private.key etc.) are created as it should in the directory /etc/certificates.

I Googled a lot, some say it has to do with intermediate certificates, which I added, and which does not help.
I created a CSR 3 times, tried adding or removing root and intermediate.
I even tried this on a duplicate system (which is used for replication), same error. So it seems to be a bug?

I found these pages that do not seem to be an exact match for this problem:

https://redmine.ixsystems.com/issues/26281

Apache error: X509_check_private_key:key values mismatch - SSL Certificates - Namecheap.com

Learn more about Apache error: X509_check_private_key:key values mismatch. Find your answers at Namecheap Knowledge Base.

www.namecheap.com

Reddit - Dive into anything

www.reddit.com

At the moment, I have no clue how to solve this...

jgreco · Jan 9, 2021

You cannot just issue a CSR and then paste your old certificate in.

The CSR and certificate are both intimately tied to the key, which the system is telling you, is different.

You seem to have already rolled a new key, and generated a CSR from it.

Take your new CSR, go over to Comodo or whoever, and have them sign the new CSR. They will give you a new certificate. Import the new certificate (and maybe some intermediate chain certificates) and it should be fine.

You will not be able to use your old certificate with a new key. It may be possible to import the old key, I don't know offhand, because I don't use FreeNAS for certificate authority operations.

hansch · Jan 9, 2021

Nope of course not!
I created a new CSR and bought a new Sectigo certificate.

My certificate (signed by Sectico / Comodo) cannot be installed.
I issued a CSR and pasted the certificate in the web interface.

(I've installed certificates tens of times, most of the time on Linux and Windows webservers...) And several times on Freenas servers.

What I mean is that the last time I installed a certificate it was 2 years ago and was succesful.

The problem is exactly that it is NOT fine. It should work and be very easy.

FreeNAS is not a CA, it is a bought, issued certificate as I mentioned.
It is meant for minio. I have been using the (old) certificate for 2 years now. IT is expired. That's why I have a new certificate.

I expect this is a new bug that nobody has discovered yet, it must have been introduced by one of the updates. It breaks the whole purpose of this NAS in my case. I've spent hours troubleshooting but as this is a new problem, nobody has solved it yet.

jgreco · Jan 9, 2021

Yes, it should work and be very easy, but very low level bits of OpenSSL are saying that the certificate you are installing doesn't match the key that the system has.

Speaking as someone who has designed and maintains a number of enterprise certificate authorities, this generally suggests a problem with the certificate rather than a bug in the software.

Take your three bits of data, the key, the CSR, and the certificate, and write each of them into separate files.

Do:

# openssl x509 -in mycert.crt -noout -modulus | md5

The modulus numbers these days are quite big, so I suggest running it through "md5" to get something that doesn't scroll off the screen when you do it three times.

Now compare that to the modulus of the CSR:

# openssl req -in mycert.csr -noout -modulus | md5

And that of the key

# openssl rsa -in mycert.key -noout -modulus | md5

The error you are getting indicates that one of these results is different, i.e. that they are not all using the same key. You can leave off the "| md5" if you want to look at the actual data.

hansch · Jan 9, 2021

You were right! THANKS A LOT!

Sectigo issued a wrong certificate!
Bastards. Took me hours.
I now have a Globalsign certificate. (It cost 20 euro instead of 8 euro.)

jgreco · Jan 9, 2021

hansch said:
You were right! THANKS A LOT!

Sectigo issued a wrong certificate!
Bastards. Took me hours.
I now have a Globalsign certificate. (It cost 20 euro instead of 8 euro.)

Great.

If you go and re-read your initial post, you will hopefully come to understand why it looked to me like you were doing something funky with the issued certificate, especially since you said you generated multiple CSR's. The end result is very similar, if you try to use a cert that's not a match for your key, well, it just doesn't work.

SSL is a bit more complex than I'd like.

Ericloewe · Jan 9, 2021

hansch said:
You were right! THANKS A LOT!

Sectigo issued a wrong certificate!
Bastards. Took me hours.
I now have a Globalsign certificate. (It cost 20 euro instead of 8 euro.)

Silly question, but would you not have them fix it before paying someone else all over again? Although, for 20 bucks, I see the appeal of not bothering...

hansch · Jan 10, 2021

Well then you assume wrongly that I would not do so :)
They will hear it on monday. And I will ask those 8 Euros and 4 hours troubleshooting back ;)

danb35 · Jan 10, 2021

Why are you paying for a cert at all? Let's Encrypt has been giving them away for free for years.

hansch · Jan 10, 2021

Why? Because I don't know Let's encrypt, and what I know of it is that these are short lived certificates that need to (automatically) be refreshed.
Setting up is (usually lol) more complicated than using CSR and a bought certificate. Until now, it was easy that way.

But this incident may make things different.

danb35 · Jan 11, 2021

hansch said:
Setting up is (usually lol) more complicated than using CSR and a bought certificate.

That's why you automate it.

Let's Encrypt with FreeNAS 11.1 and later

Integrating Let’s Encrypt TLS Certificates with FreeNAS FreeNAS has long had the ability to use HTTPS for the web GUI, but that has usually meant dealing with self-signed certificates and the associated headaches, or paying for a commercial...

www.truenas.com

hansch · Jan 12, 2021

They say the certificate was OK and I made a mistake. They say I used the bundle instead of the certificate. They say I used a new certificate with an old CSR etc. etc.
Fact is I started with only the certificate, and with the 1st certificate I got. I don't want to spend more time with that nonsense.
Now that it works I'll look at Let's encrypt next year ;)

hansch · Nov 2, 2022

This is incredible... AGAIN.. but now a different problem.

I cannot paste a certificate into the appropriate part of the website. It is grayed out.

(Using a Let's encrypt cert is not an easy option now bc it involves creating that ACME DNS account, which involves making an Amazon user, and key pair or whatever, way too complicated bc this is a testing machine that I upgraded from v. 12 to v. 13). Seems like the certificate signing system is broken because of that.

I already have a signed certificate!)

Important Announcement for the TrueNAS Community.

SOLVED Cannot sign CSR by external CA

hansch

Explorer

Apache error: X509_check_private_key:key values mismatch - SSL Certificates - Namecheap.com

Reddit - Dive into anything

jgreco

Resident Grinch

hansch

Explorer

jgreco

Resident Grinch

hansch

Explorer

jgreco

Resident Grinch

Ericloewe

Server Wrangler

hansch

Explorer

danb35

Hall of Famer

hansch

Explorer

danb35

Hall of Famer

Let's Encrypt with FreeNAS 11.1 and later

hansch

Explorer

hansch

Explorer

Attachments

Similar threads