(SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

So I’m still figuring out all this and I did accidentally request one too many certificates trying to fix this issue, thinking it was a certificate issue. Now I only have the one because I can’t request any more. I have CTW set up through my subdomain sonarr.mydomain.com through Cloudflare DNS. Cert authority is set as Let’s Encrypt (staging mode is turned off). CSR Signing Algorithm is set to RSA 2048. Run a test and everything connects fine with Cloudflare. I have deployments set up for Auto. Task set to deploy to nginx. File path for cert - path/to/cert/SonarrCertificate.pem
File path for key - path/to/key/Sonarrkey.pem
File path for fullchain - path/to/fullchain/SonnarrFullChain.pem.
In the nginx config I have the cert pointed to the fullchain.pem and the key pointed to the Sonarrkey.pem. CTW has exported everything but is giving me that error when I try to reload nginx. After exporting the keys and certs through openssl I found that the MD5 hash of the modulus for the certificate’s full chain and the MD5 hash of the modulus for the private key are different. This indicates that there is indeed a mismatch between the key in the certificate and the private key. But I don’t know how to fix that or what I am doing wrong in CTW because all it’s doing is exporting from the certificate. Any help would be greatly appreciated; I worked on this for 8 hours after work last night.

I even just created a different subdomain in Cloudflare and ran the exact same setup and still got mismatching keys, so I don’t know anymore; my brain is going to explode.
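The poster compared MD5 hashes of the RSA modulus by hand. The script below is an added example (not from the thread or from Certify The Web) of the same check done in a reusable way: it extracts the public key from the certificate and derives the public key from the private key, then compares their SHA-256 fingerprints. Because it compares whole public keys rather than the RSA modulus, it also works for EC keys. Reading the fullchain file is fine here, since `openssl x509` only parses the first certificate in the file, which is the leaf that nginx pairs with `ssl_certificate_key`. The file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: check whether a PEM certificate (or fullchain) and a PEM
# private key belong together. Not part of the original post or of CTW.

# cert_key_match CERT.pem KEY.pem
#   exit 0 -> the certificate's public key matches the private key
#   exit 1 -> mismatch (nginx would report "key values mismatch")
#   exit 2 -> one of the files could not be parsed
cert_key_match() {
    cert="$1"
    key="$2"

    # Public key embedded in the (first) certificate of the file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2

    # Public key derived from the private key; works for RSA and EC keys.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2

    # Compare fingerprints of the two PEM-encoded public keys.
    cert_fp=$(printf '%s\n' "$cert_pub" | openssl dgst -sha256 | awk '{print $NF}')
    key_fp=$(printf '%s\n' "$key_pub" | openssl dgst -sha256 | awk '{print $NF}')

    [ -n "$cert_fp" ] && [ "$cert_fp" = "$key_fp" ] && return 0
    return 1
}

# Command-line use, e.g.:
#   sh check_pair.sh /path/to/fullchain/SonnarrFullChain.pem /path/to/key/Sonarrkey.pem
if [ "$#" -eq 2 ]; then
    if cert_key_match "$1" "$2"; then
        echo "MATCH: $1 and $2 carry the same public key"
    else
        echo "MISMATCH: $1 and $2 do not belong together (or could not be read)" >&2
        exit 1
    fi
fi
```

Running it against each file the deployment task wrote (the standalone cert, then the fullchain) and the exported key shows whether the mismatch is in the exported files themselves or only in which files the nginx config points at.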

Hi,

That’s an odd one! I’d suggest exporting to a completely different location (you could even use a different task to do that so your original task goes unchanged), then run that task. Then compare the file output.

During certificate export all that really happens is the PFX file we have stored at the last renewal gets read and split into the component certificate parts.

Where you could expect some variation is if you have selected to re-use the same private key between renewals or used a custom CSR?

Note also that if you are perfecting your task configuration you don’t need to click Request Certificate and perform a whole new renewal, you just add your task, save the Manage Certificate changes then run the task you have added/modified and it will re-use the existing certificate for the task run.