TLS: private key does not match public key

Hello guys, and I hope you have a great day,

I’m using Caddy version 1 and I’m trying to manually load my SSL certificate into it.

I’m running command line ‘caddy -validate’ and receive the error:

Error during parsing: Unable to load certificate and key files for ‘mysubdomain.mydomain.com’: tls: private key does not match public key

My configuration file looks like this:

mysubdomain.mydomain.com {
	tls ./pem/cert.pem ./pem/key.pem
	redir {
		if {path} is /
		/ https://mysubdomain.mydomain.com/web
	}			  
	proxy / https://127.0.0.1:50443 {
		insecure_skip_verify
	}
}

cert.pem file is a concatenation of two files I received from CA:

  • Sectigo_RSA_Domain_Validation_Secure_Server_CA.crt (first in the concatenation)
  • USERTrust_RSA_Certification_Authority.crt (second in the concatenation)

And looks like this:

-----BEGIN CERTIFICATE-----
MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
(more lines)
00u/I5sUKUErmgQfky3xxzlIPK1aEn8=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB
(more lines)
jjxDah2nGN59PRbxYvnKkKj9
-----END CERTIFICATE-----

And the key.pem file is simply the key:

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC46eugHdiDs0uB
(more lines)
ECuqcD2I87uSatffvQpKoz8=
-----END PRIVATE KEY-----

Can anybody help or hint me in a good direction? Did I do something wrong? Do I need to convert the files to something else?

Thank you for the community and the great software,
Abscon

When you have a certificate issued, this is the general process:

  • You generate a key pair (a private key, and its derived public key)
  • You make a CSR (Certificate Signing Request) from the key pair, which basically says “hey signing authority, here’s my public key, along with some information about me and the domain I want a certificate for”
  • The authority takes the CSR, extracts the public key and the information you provided, puts that information into a certificate, then signs that certificate with THEIR private key.
  • They then give you back the certificate chain with your signed certificate

So here, Caddy is checking that the public key inside the certificate matches the public component of your key (a public key can be derived from a private key by doing some fancy math; how this is done depends on the type of key).

I don’t know what exactly is wrong in your files. It might be that you’re not using the same key that was used when issuing the certificates. You can’t mix and match certificates and keys.

I like using https://lapo.it/asn1js/ when trying to debug issues with certificates and keys. You can paste your key and certificate, and you can compare whether the public keys inside match. ASN.1 is the underlying encoding format inside PEM files (which are just base64-encoded DER… and DER is just the binary representation of an ASN.1 tree).

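A worked version of that check, added here as an example (it is not Caddy's code and was not part of this thread): a standard-library Python script that pulls the RSA modulus and exponent out of a PEM certificate's SubjectPublicKeyInfo and out of a PKCS#8 private key (the "BEGIN PRIVATE KEY" form posted above) and reports which CERTIFICATE block in cert.pem, if any, belongs to the key. Go's crypto/tls, which Caddy v1 uses to load the pair, treats the first block as the leaf, so only the first entry of the result decides whether you get this error. The DER walker handles just the tags this check needs, and the toy keys at the bottom are hypothetical: tiny RSA-shaped integers used to build structurally valid certificates for the demo, not real keys.

```python
"""Does the private key belong to the (first) certificate? Stdlib only, RSA/PKCS#8 only."""
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def pem_blocks(text):
    """Return [(label, der_bytes)] for every -----BEGIN label----- block in text."""
    pat = re.compile(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", re.S)
    return [(m.group(1), base64.b64decode("".join(m.group(2).split()))) for m in pat.finditer(text)]


def der_read(data, pos=0):
    """Read one DER TLV at pos; returns (tag, value, position after it). Handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def der_children(value):
    """Split the value of a constructed type (SEQUENCE etc.) into its [(tag, value)] items."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        items.append((tag, val))
    return items


def rsa_public_from_cert(cert_der):
    """(n, e) from Certificate.tbsCertificate.subjectPublicKeyInfo."""
    tbs = der_children(der_read(cert_der)[1])[0][1]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:               # EXPLICIT [0] version is optional in X.509
        fields = fields[1:]
    alg, bitstr = der_children(fields[5][1])   # serial, sigAlg, issuer, validity, subject, SPKI
    if RSA_OID not in alg[1]:
        raise ValueError("certificate key is not RSA")
    n_e = der_children(der_children(bitstr[1][1:])[0][1])   # [1:] skips the unused-bits byte
    return tuple(int.from_bytes(v, "big") for _, v in n_e)


def rsa_public_from_pkcs8(key_der):
    """(n, e) from PrivateKeyInfo.privateKey, an RSAPrivateKey (version, n, e, d, ...)."""
    _, alg, octets = der_children(der_read(key_der)[1])[:3]
    if RSA_OID not in alg[1]:
        raise ValueError("private key is not RSA")
    rsa = der_children(der_children(octets[1])[0][1])
    return int.from_bytes(rsa[1][1], "big"), int.from_bytes(rsa[2][1], "big")


def check_pair(cert_pem, key_pem):
    """One bool per CERTIFICATE block: does it carry the key's public part?
    crypto/tls only compares the FIRST block, so a leading False is exactly Caddy's error."""
    key = rsa_public_from_pkcs8(next(d for l, d in pem_blocks(key_pem) if l == "PRIVATE KEY"))
    return [rsa_public_from_cert(d) == key for l, d in pem_blocks(cert_pem) if l == "CERTIFICATE"]


# --- Constructed demo data (hypothetical toy numbers, structurally valid DER, NOT real keys) ---
def der(tag, payload):
    n = len(payload)
    head = bytes([n]) if n < 0x80 else bytes([0x80 | (n.bit_length() + 7) // 8]) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + head + payload


def der_int(i):
    return der(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big"))   # leading 0x00 when high bit set


ALG_RSA = der(0x30, der(0x06, RSA_OID) + b"\x05\x00")


def toy_cert(n, e):
    spki = der(0x30, ALG_RSA + der(0x03, b"\x00" + der(0x30, der_int(n) + der_int(e))))
    empty = der(0x30, b"")                 # stands in for Name / Validity; the walker only counts fields
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + ALG_RSA + empty + empty + empty + spki)
    return der(0x30, tbs + ALG_RSA + der(0x03, b"\x00"))


def toy_pkcs8(n, e, d):
    rsa = der(0x30, der_int(0) + der_int(n) + der_int(e) + der_int(d) + der_int(0) * 5)
    return der(0x30, der_int(0) + ALG_RSA + der(0x04, rsa))


def pem(label, der_bytes):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der_bytes).decode()}-----END {label}-----\n"


LEAF = (3233, 17, 2753)                    # textbook toy RSA triple (n, e, d), illustration only
leaf_pem = pem("CERTIFICATE", toy_cert(LEAF[0], LEAF[1]))
inter_pem = pem("CERTIFICATE", toy_cert(3127, 3))   # "intermediate CA", a different key
root_pem = pem("CERTIFICATE", toy_cert(3599, 7))    # "root CA", another key
key_pem = pem("PRIVATE KEY", toy_pkcs8(*LEAF))

GOOD_CHAIN = leaf_pem + inter_pem          # leaf first, then the chain: what Caddy expects
CA_BUNDLE = inter_pem + root_pem           # the file from the first post: no leaf at all

if __name__ == "__main__":
    print("leaf + intermediate:", check_pair(GOOD_CHAIN, key_pem))
    print("CA bundle only     :", check_pair(CA_BUNDLE, key_pem))
```

The first case prints [True, False] (leaf then intermediate, the order Caddy wants); the second, a bundle of only CA certificates like the cert.pem in the first post, prints [False, False], which is the situation behind "private key does not match public key". For real files the same comparison is a diff of the output of `openssl x509 -in cert.pem -noout -pubkey` against `openssl pkey -in key.pem -pubout`.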

Hello Francis,

Thank you for your clear explanations. I might have a hint on what I am doing wrong.

You said that the CA signs the certificate with their private key. Inside Caddy, I am using the key the CSR was created with. Do I need the key the CA emits?

Best regards,
Abscon

No, you should provide Caddy with the certificate you received from the CA in conjunction with the private key associated with the CSR.


Hello guys and thank you for your replies.

The problem was that I was using the CA bundles for the certificate, instead of the certificate issued to the domain. This was because the CA was sending me a corrupted .zip where this one file was missing, but the other two were not, and that got me confused.

Best regards,
Abscon


Nice!

I assume you contacted your CA to get help with that?

Yes. I was actually buying through a hosting intermediary, Hosterion. I contacted Sectigo directly.

Thank you, Francis, for helping out.

Abscon
