SSL Certificate and private key do not match

I purchased a Premium EV SSL Certificate from Go Daddy (Starfield), and then I went to: Server Configuration -> Manage SSL Certificate -> Signing Request

I filled out the form correctly, note that I did not include the www. in server name, since I redirect all www to root, but did try it both ways. Default 2048; tried manual with 2048 also; found this was a bug maybe; but it didn't help.

It gives me two files and two codes: CSR and new private key; now instructions at GD are very unclear as to what I paste in; it asks for CSR at rekey at Go Daddy; using Re-key this certificate; as opposed to Change this certificate's issuing organization; just to be clear; I entered the CSR, if I enter the private key I get Invalid CSR; it will allow me to paste in both codes, or just the CSR, I tried it both ways with no help.

Next I go to New Certificate; and still unclear if I should paste in the bundle or just the CRT, I tried it both ways; again it still fails.

With just the CRT I get this error: Failed to install certificate : Certificate problem detected : Certificate and private key do not match

If I paste in both I get this error: Failed to install certificate : Missing or invalid signed SSL certificate : Line 29 does not look like PEM format

I ran into this last year; gave up and let the host install them; this year they don't want to do that for me; leastwise they blow off any questions I had concerning this issue.

I did get this to work a few years in the past, so I know it should work; I just don't know why it isn't right now.

Validate (Validate Virtual Servers) and Re-Check Configuration both pass.

I have DNS set up at GD; added Host and A records, with Nameservers, and it seems to work fine, and set up records in VM as outlined in instructions.

I am hosting at myhosting.com on a VPS account.

Can you update your Instructions to tell us if we should use the bundled crt or the single crt; not sure what to do here.

This is a licensed version of VM.

Status: Closed (fixed)

Comments

So normally what happens is you provide just the CSR to GoDaddy, they sign it, and send you a signed cert. You then use the New Certificate tab in Virtualmin to paste in the signed cert - the private key that was generated at the same time as the CSR should already be filled in.

Sounds like I'm doing it right; but for two years now it has not worked; and I'm not sure why; the re-key at GD is straightforward; I re-key it and download it; last year the cert was from another company (Trust); same deal; I guess I'll have to do it from the CML.

If you get your CA to re-issue your cert, that's a different story - in that case you don't need to generate a CSR as normally the CA already has it on file. You just need to take the new signed cert, and use it with your existing private key (which doesn't change).

openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5

Fails; looks like it's Go Daddy; I'll contact them; I should have done this test before emailing you; maybe you can add this to your SSL cert troubleshooting guide.

Ok, now I have a cert and private key that pass the test; the only thing I can think I did wrong; was that I didn't wait long enough after re-keying to download it; I waited over a full minute this time; my thinking was that the old file was being pulled down because the new file wasn't finished being created; who knows; but now it passes, and I could not imagine that it was GD that was the problem, seeing as how it would affect a lot more people.

I ran it (#4 openssl commands) on the server in question also; yet I still get the error: Certificate and private key do not match

Now I know that I can do it the old-fashioned way and do it manually; that is what I did last year to get around this issue; but I would still like to do it this way; and I don't see a lot of others having this problem; so my guess is something is wrong in the setup here; this is CentOS release 5.8 (Final) with http://myhosting.com Linux Virtuozzo powered Virtual Private Servers; since I never did like the way it installed on this server from the start, I think I sent you a private post on that, the issue was due to many failures during install; one was due to php; others were worked around; but bottom line is that it wasn't a clean install; and some of that was due to the configuration of the VPS itself; that said; the web interface seems to work fine; and all updates are current.

I have about 50 sites on this VPS account; last time I installed a cert and it went wrong; it took down all the sites; removing the cert and rebooting brought them back up; but I don't want to do that too many times.

And on the other hand; maybe I should do what I did last year and just install it manually and be done with it till next year; and then wonder if it will work then; but by then I may be on a new server; who knows.

Just to clarify -- do you have an existing SSL certificate... and what you're looking to do is add a new SSL cert to this particular domain?

So when you go into Manage SSL Certificate -> New Certificate, are you seeing the contents of an SSL key being included in the textbox at the bottom of the form?

If so -- you'd want to make sure you choose the "Pasted text" option, as it defaults to "Keep existing private key". If it's set to "Keep existing private key", that could cause the error you're seeing.

Don't I feel like a Noobe, I never thought to replace both boxes; and that worked; now I understand my whole problem; it only took two years to get this; but hey; that's me.

My guess is that because it's not a New Cert, it's replacing the cert that is already there; so it would be less confusing to people like me if you just made a tab called Replace Cert; or something to that effect; and have it use the last signing request key; or you could put more text on this page to explain this better; maybe just add another radio button with the option to use the last signing request; that would be the simplest way to fix this issue.

Thanks
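
An added example, not part of the thread and not Virtualmin's own code: the modulus check quoted in the comments, generalized to compare a SHA-256 fingerprint of the public key so that it also covers the CSR and non-RSA keys, plus a count of certificates in a PEM file to tell a single cert from a bundle. The function names and sample file names are assumptions; `make_sample` builds throwaway constructed keys in which `old.key` plays the "Keep existing private key" case that produced the mismatch here.

```sh
#!/bin/sh
# Added example: compare certificate, CSR and private key by public key.

# Print the SHA-256 of the DER public key in FILE. KIND: cert | csr | key.
pubkey_fp() {
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    # Refuse empty output so two unreadable files never "match" each other.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# usage: same_pubkey KIND_A FILE_A KIND_B FILE_B
# Exit 0 on match, 1 on mismatch, 2 if either file could not be parsed.
same_pubkey() {
    a=$(pubkey_fp "$1" "$2") || return 2
    b=$(pubkey_fp "$3" "$4") || return 2
    [ "$a" = "$b" ]
}

# Number of certificates in a PEM file (1 = single cert, more = bundle).
pem_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Constructed sample data (assumption, not from the thread): "old.key" stands
# for the key already installed, "new.*" for the re-keyed request and cert.
make_sample() {
    openssl genrsa -out "$1/old.key" 2048 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$1/new.key" -out "$1/new.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/new.csr" -signkey "$1/new.key" -days 1 \
        -out "$1/new.crt" 2>/dev/null &&
    cat "$1/new.crt" "$1/new.crt" > "$1/bundle.crt"
}

# Command-line use: sh script.sh certificate.crt privateKey.key
if [ "$#" -eq 2 ]; then
    if same_pubkey cert "$1" key "$2"; then echo "match"; else echo "MISMATCH"; fi
fi
```

Running the comparison against the key that will actually be paired with the certificate at install time, rather than the key file from the latest signing request, is what exposes this kind of mismatch before anything is installed.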