1

Here is what happened:

I generated the CSR via the MediaTemple site (that is the only way to do it, since a GS is a shared server). I sent it over to namecheap.com (it's signed by RapidSSL).

When I got back the certificate and CA, I tried to import them back into MediaTemple. I get the

"Key do not match" error.

I contacted both support teams. They just keep pushing the blame onto each other. namecheap.com says there is an RSA key generated (which I do not have access to). And MediaTemple just blames other people outright without even trying to explain what could have gone wrong.

My question is:

  1. Has anyone had the same problem?

  2. What could be the cause of this error?

Thanks

Joel Chu
  • 203

3 Answers

6

Joel Chu, I don't know if this helps you, but maybe it does, and I hope it helps other MediaTemple users. I spent all day long trying to configure a certbot-generated certificate on a MediaTemple GridServer shared host, but this should work with Acme PHP and other generators as well:

The solution, undocumented as far as I can tell:

1. Paste the first certificate in fullchain.pem into the Certificate field.
2. Paste the second certificate in fullchain.pem into the CA / Chain certificate field.
3. Paste the key generated in privatekey.pem, but with one detail on the first and last lines. They MUST have the RSA keyword:

Replace the existing -----BEGIN PRIVATE KEY----- (or whatever is in the file)

with:

-----BEGIN RSA PRIVATE KEY-----

You must do the same for the last line. It should read:

-----END RSA PRIVATE KEY-----

After that I was able to add a certificate to my domain, and it is accepted by MT.

Hope this helps

ramjamx
  • 61
2

I have a similar issue pretty often, but that is because I'm generating a lot of certificates manually and signing them with an internal CA.

The cause of the issue is pretty straightforward: the private key that your server has kept doesn't match the public key embedded within your certificate.

The most common cause of this error is, by far, an operator error, sometimes made worse by poorly designed software. Basically, what often happens is that you generate a key pair and a CSR (Certificate Signing Request), send the CSR and then re-generate a new key pair. If the software is too dumb to remember more than one key, then it will lose the previously generated private key.

The solution for this kind of issue, if you're unwilling to simply outsource the job to the server operator, is to generate everything locally (using OpenSSL is the best option) and be careful about the private key you generate (I use a local Mercurial repository for this, which allows me to keep track of what was generated when and, if necessary, go back in time). Once you have the signed certificate, you send it, along with the private key, to the server.

Stephane
  • 6,482
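The check behind a "key does not match" error, as an added example that is not part of any answer on this page and not MediaTemple's or the CA's own tooling: it compares the public key inside a private key, a CSR and a certificate using the OpenSSL command line. The file names, `CN=example.test` and the self-signed certificate standing in for the CA's reply are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. File names and CN=example.test are constructed placeholders.

# Print the SHA-256 of the public key held in a private key, CSR or certificate.
# "openssl pkey" reads both "BEGIN PRIVATE KEY" and "BEGIN RSA PRIVATE KEY" files.
pub_digest() {  # usage: pub_digest key|csr|cert FILE
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    # An unreadable file must never compare equal to another unreadable file.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only if the private key KEY belongs to the certificate CERT.
key_matches_cert() {  # usage: key_matches_cert KEY CERT
    k=$(pub_digest key "$1") && c=$(pub_digest cert "$2") && [ "$k" = "$c" ]
}

demo() {
    d=$(mktemp -d) || return 1
    # Key pair and CSR created locally; only site.csr would be sent to the CA.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null
    # Stand-in for the CA's reply: self-sign the CSR so there is a certificate.
    openssl x509 -req -in "$d/site.csr" -signkey "$d/site.key" -days 1 \
        -out "$d/site.crt" 2>/dev/null
    # The failure case: a second key pair generated after the CSR went out.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/regen.key" 2>/dev/null
    key_matches_cert "$d/site.key" "$d/site.crt" && echo "site.key matches"
    key_matches_cert "$d/regen.key" "$d/site.crt" || echo "regen.key does not match"
    rm -rf "$d"
}
demo
```

Running `pub_digest csr` on the CSR before sending it and recording the digest beside the private key makes it possible to tell, when the certificate comes back, which stored key it belongs to.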
0

I had the same problem and solved it by re-issuing the certificate and being careful not to close the MediaTemple tab that I had used to generate the CSR request. Once I received my new certificate, I used that same tab to navigate back and import the certificate.

The first time I did it (and got this error) I had closed the MediaTemple CSR tab (and possibly even reloaded it before doing so), which might have caused the MediaTemple software to generate a new key, causing the key mismatch.