Friday, November 11, 2022

SSL Certificate for domain name validation

Problem statement: Recently, the certificate for a website I host, https://booksonsoftware.com/algorithms, expired. When the certificate was renewed, it could not be used the way the earlier ones were, because the Node.js application raised the following error:

Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    at Error (native)
    at Object.createSecureContext (_tls_common.js:85:17)
    at Server (_tls_wrap.js:775:25)
    at new Server (https.js:26:14)
    at Object.exports.createServer (https.js:47:10)
    at Object.<anonymous> (/home/ravi/myapp/algorithms/booksonsoftware/app.js:140:25)
    at Module._compile (module.js:577:32)
    at Object.Module._extensions..js (module.js:586:10)
    at Module.load (module.js:494:32)
    at tryModuleLoad (module.js:453:12)

This article explains the resolution for this error. 

Solution: The certificate was already renewed from the cloud service portal by using the same private key as earlier. 

This was then exported from the Portal and uploaded to the host machine where the site was hosted. 

The certificate was in the pfx format, so the following commands were required to export the private key and the certificate:

  1. openssl pkcs12 -in ravirajamanikeyvault-booksonsoftwared9e73889-3e5d-485b-81c7-28227725e796-20221108.pfx -nocerts -out booksonsoftware-private-key.pem -nodes

     to extract the private key.

  2. openssl pkcs12 -in ravirajamanikeyvault-booksonsoftwared9e73889-3e5d-485b-81c7-28227725e796-20221108.pfx -nokeys -out booksonsoftware-cacert.pem

     to extract the certificate.

With this, the app.js file can specify the key and certificate as:

var fs = require('fs'); // needed for readFileSync

var https_options = {
    key: fs.readFileSync('booksonsoftware-private-key.pem', 'utf8'),
    cert: fs.readFileSync('booksonsoftware-cacert.pem', 'utf8')
};

The server can then be started with:

var https = require('https');
// app is the Express application configured earlier in app.js
var httpsServer = https.createServer(https_options, app).listen(8083, function () {
  console.log('Express server listening on port 8083');
});

Express server listening on port 8083 

Typical port values for HTTPS are 8443, but in this case I wanted to use this port.

When the key values of the certificate and the private key don't match, the certificate may need to be rekeyed.

Rekeying a certificate generates a new key and certificate with the same name and expiration date as a previously purchased certificate. This is performed at no charge by the cloud service provider that issued the certificate request. It is usually done when the keys are lost or compromised. 

It is easy to check whether the private key and the certificate match: the following commands display the hash of the public key from each, and the two hashes should be identical:

  • openssl pkey -pubout -in <private-key-name> | openssl sha256 

  • openssl x509 -pubkey -in <certificate-name> -noout | openssl sha256 

If the hash values don’t agree, then there is a mismatch. 

One of the reasons for the mismatch has been found to be the presence of chained certificates in the certificate file extracted from the pfx. If the file is edited to retain only the contents between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, the error disappears.

 
