So, I have recently changed the hosting of my website to Amazon EC2 and am using the key and certificates which I purchased from Godaddy. This certificate was already being used for another website domain of mine which is hosted on Godaddy itself. As I was allowed to add other domains to this existing certificate, I did so and then downloaded the .zip of the certificates.
I copied the private key from the Godaddy hosting (cPanel) after adding these new domains.
Now, I copied the bundle certificate and the key to my EC2 instance and pointed nginx to the .crt and private key file.
I see that SSL works fine in Chrome but it doesn't in Safari.
As per my research, it's my server, i.e. the EC2 instance, where the private key is created, and I shouldn't use the private key from the Godaddy cPanel and expect it to be trusted.
So, to fix this I created a private key file and a CSR file on my server to rekey the certificates, and then redid the process above, this time using this new private key in nginx, but it still doesn't work and throws the following error:
Dec 14 16:13:00 ip-172-31-42-11 systemd[1]: Starting A high performance web server and a reverse proxy server...
Dec 14 16:13:00 ip-172-31-42-11 nginx[820704]: Enter PEM pass phrase:
Dec 14 16:13:00 ip-172-31-42-11 nginx[820704]: Enter PEM pass phrase:
Dec 14 16:13:00 ip-172-31-42-11 nginx[820704]: nginx: [emerg] cannot load certificate key "/var/www/sslnew/openssl/PRIVATEKEY.key": PEM_read_bio_PrivateKey() failed (SSL: >
Dec 14 16:13:00 ip-172-31-42-11 nginx[820704]: nginx: configuration file /etc/nginx/nginx.conf test failed
Dec 14 16:13:00 ip-172-31-42-11 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Dec 14 16:13:00 ip-172-31-42-11 systemd[1]: nginx.service: Failed with result 'exit-code'.
Dec 14 16:13:00 ip-172-31-42-11 systemd[1]: Failed to start A high performance web server and a reverse proxy server
This is what my nginx configuration for SSL looks like:
server {
    root /var/www/html;
    index index.php;
    server_name xxx.in www.xxx.in;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }

    listen 443 ssl;
    ssl_certificate /var/www/sslnew/openssl/gd_bundle.crt;
    ssl_certificate_key /var/www/sslnew/openssl/newkey.key;
}
---Edit---
So, now I have removed the passphrase from the privatekey file using
openssl rsa -in key.pem -out newkey.pem
and now I am getting the following error:
Dec 14 16:56:16 ip-172-31-42-11 systemd[1]: Starting A high performance web server and a reverse proxy server...
Dec 14 16:56:16 ip-172-31-42-11 nginx[820971]: nginx: [emerg] SSL_CTX_use_PrivateKey("/var/www/sslnew/openssl/newkey.key") failed (SSL: error:05800074:x509 certificate routines::key values mismatch)
Dec 14 16:56:16 ip-172-31-42-11 nginx[820971]: nginx: configuration file /etc/nginx/nginx.conf test failed
Dec 14 16:56:16 ip-172-31-42-11 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Dec 14 16:56:16 ip-172-31-42-11 systemd[1]: nginx.service: Failed with result 'exit-code'.
Dec 14 16:56:16 ip-172-31-42-11 systemd[1]: Failed to start A high performance web server and a reverse proxy server.
Does it mean I need to redo the CSR process with Godaddy as well now, or was just removing the passphrase from the private key enough?
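The two failures in the logs above, a key that still prompts for a PEM pass phrase and a key whose public half does not match the certificate ("key values mismatch"), can both be checked before restarting nginx. The script below is an added example and not part of the original question; it assumes openssl is installed and takes the certificate and key paths as arguments, so the poster's paths appear only in the usage comment.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a PEM private key
# belongs to a certificate by comparing the public key carried by each, which is
# the check behind nginx's "key values mismatch". Assumes openssl is on PATH.

# SHA-256 hex of a file's contents.
fingerprint_file() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Fingerprint of the DER public key in the first certificate of a file
# (in a bundle such as gd_bundle.crt the first entry must be the leaf cert).
cert_pubkey_fingerprint() {
    tmp=$(mktemp) || return 2
    if openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
         | openssl pkey -pubin -outform DER >"$tmp" 2>/dev/null && [ -s "$tmp" ]; then
        fingerprint_file "$tmp"; rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 2
}

# Fingerprint of the public key derived from a private key. stdin comes from
# /dev/null so an encrypted key fails instead of hanging on "Enter PEM pass
# phrase:" the way nginx did in the first log; pass "pass:..." as $2 if needed.
key_pubkey_fingerprint() {
    tmp=$(mktemp) || return 2
    if [ -n "$2" ]; then
        openssl pkey -in "$1" -passin "$2" -pubout -outform DER >"$tmp" 2>/dev/null </dev/null
    else
        openssl pkey -in "$1" -pubout -outform DER >"$tmp" 2>/dev/null </dev/null
    fi && [ -s "$tmp" ] && { fingerprint_file "$tmp"; rm -f "$tmp"; return 0; }
    rm -f "$tmp"; return 2
}

# Returns 0 on match, 1 on mismatch (the key is not the one that produced the
# CSR this certificate was issued for), 2 when a file cannot be read.
key_matches_cert() {
    cfp=$(cert_pubkey_fingerprint "$1") || { echo "cannot parse certificate: $1" >&2; return 2; }
    kfp=$(key_pubkey_fingerprint "$2" "$3") || { echo "cannot read private key: $2 (passphrase?)" >&2; return 2; }
    if [ "$cfp" = "$kfp" ]; then
        echo "OK: $2 matches $1"
        return 0
    fi
    echo "MISMATCH: certificate pubkey $cfp, key pubkey $kfp" >&2
    return 1
}

# Usage: key_matches_cert /var/www/sslnew/openssl/gd_bundle.crt /var/www/sslnew/openssl/newkey.key
# For a key that is still encrypted, add a third argument such as pass:yourphrase.
```

A return of 1 against the certificate downloaded from Godaddy means that certificate was issued for a different CSR than the one this key produced.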