Can't use Cloudflare Origin SSL with NGINX

I’ve been using Origin SSL with Apache for months now, and now that I’m trying to switch to NGINX some issues are coming up. Whenever I test NGINX I get the following error.

nginx: [emerg] SSL_CTX_use_PrivateKey("/etc/cloudflare/private_key.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

I had no issues on Apache. I have tried:

  • Generating a new certificate
  • Reinstalling the certificate
  • Adding the Origin CA root certificates (kind of… not 100% sure how to do this)
  • Checked file permissions etc., all the usual suspects on Linux

nginx version: nginx/1.18.0 (Ubuntu)
Ubuntu 20.04

May I ask, I assume you test your configuration files using the nginx -t command, right?

May I also ask, did you follow the steps from the article below for generating a Cloudflare CA Origin certificate for your domain/website?

Or you are trying to install Cloudflare CA Root certificate?

Or you tried combining origin + root certificate into a “bundle”?

Maybe missing some CA certificates? If so, how about ca-certificates package? Can you check if you have ca-certificates installed and updated?

The error “values mismatch” would mean that you have a mismatch between your key and certificate, somehow?

While copy-pasting from Cloudflare, are you sure you copied the whole thing, from the -----BEGIN----- to the -----END----- part?

I hope you’ve correctly copy-pasted with the following lines (watch out for whitespaces! which could be added before the “dash-lines”):

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
  • sometimes just the “click” does not select and copy all the content …
  • make sure your certificate and Key are PEM format. If not then convert them using openssl command

The values from Cloudflare should just be saved as .crt (the certificate part) and as .key (the key part). No need to add the CA root as a bundle or combine it within - at least I didn’t have to.
If you were adding it as a bundle, maybe in the wrong order?

May I also ask what is your output of running openssl version -a and which openssl ?

That’s correct

Yes

Quite sure, yes.

They are

OpenSSL 1.1.1f  31 Mar 2020
built on: Wed Apr 28 00:37:28 2021 UTC
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-olnknv/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific
/usr/bin/openssl

Never mind, found the issue. Changed the key file but not the certificate file after copy-pasting :man_facepalming:. Nginx just wasn’t smart enough to show me which file the issue was in.
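The "key values mismatch" error discussed above is nginx running OpenSSL's X509_check_private_key, which only says the pair disagrees, not which file is stale. The script below is an added example, not code from the thread or from Cloudflare; it redoes that check by hand so you can see which file is wrong before nginx -t fails, and it also catches the leading-whitespace and partial-paste problems the reply warns about. It assumes the openssl CLI is on PATH; every file name and all key material in it is constructed for the demo, so point the functions at your real .crt and .key instead.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce nginx's X509_check_private_key
# test by hand, so the mismatching file is visible before nginx -t fails.
# Assumes the openssl CLI is on PATH. All file names and key material are
# constructed for the demo; use your real .crt/.key paths in practice.
set -eu

# pem_is_clean FILE: the first line must begin with "-----BEGIN" in column 1.
# Catches stray whitespace before the dash line or a truncated copy-paste.
pem_is_clean() {
    if head -n 1 "$1" | grep -q '^-----BEGIN'; then
        return 0
    fi
    echo "warn: $1 does not start with a -----BEGIN line (whitespace or truncated paste?)" >&2
    return 1
}

# cert_key_match CERT KEY: compare the public key embedded in the certificate
# with the public half derived from the private key. Equal means the pair
# belongs together; this works for both RSA and ECDSA origin certificates.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || { echo "cannot parse certificate $1" >&2; return 2; }
    key_pub=$(openssl pkey -in "$2" -pubout) || { echo "cannot parse private key $2" >&2; return 2; }
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "match: $1 and $2 belong together"
        return 0
    fi
    echo "mismatch: $1 was not issued for the key in $2"
    return 1
}

# make_demo_material DIR: constructed stand-in for the Cloudflare download.
# site.key/site.crt are a real pair, other.key is an unrelated key (the stale
# file from the thread), indented.crt is site.crt with a leading space per line.
make_demo_material() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/site.key" 2>/dev/null
    openssl req -new -x509 -key "$1/site.key" -subj "/CN=demo.invalid" -days 1 -out "$1/site.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/other.key" 2>/dev/null
    sed 's/^/ /' "$1/site.crt" > "$1/indented.crt"
}

demo=$(mktemp -d)
make_demo_material "$demo"
cert_key_match "$demo/site.crt" "$demo/site.key"            # the good pair
cert_key_match "$demo/site.crt" "$demo/other.key" || true   # the thread's situation
pem_is_clean "$demo/indented.crt" || true                   # whitespace before the dash line
rm -rf "$demo"
```

Run it against the files nginx is configured with (ssl_certificate and ssl_certificate_key); whichever file you last pasted is the one to re-check when the verdict is "mismatch".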
