NGINX fails to start: x509 certificate routines::key values mismatch
Description
After replacing the certificates, NGINX goes into a crash-loop:
❯ gitlab-ctl restart nginx
ok: run: nginx: (pid 284160) 0s
❯ gitlab-ctl status nginx
down: nginx: 1s, normally up, want up; run: log: (pid 2388) 24751s
And the NGINX error log displays the following message:
❯ tail -1 /var/log/gitlab/nginx/error.log
2025/05/20 13:56:07 [emerg] 286573#0: SSL_CTX_use_PrivateKey("/etc/gitlab/ssl/gitlab.example.com.key") failed (SSL: error:05800074:x509 certificate routines::key values mismatch)
Environment
Impacted offerings:
- GitLab Self-Managed
Impacted versions:
- This applies to all GitLab versions.
Solution
Install the private key that matches the public certificate (or, equivalently, the certificate that was issued for the installed private key). The two files referenced in /etc/gitlab/gitlab.rb must form one key pair.
NGINX is a supervised service (the status output above shows `want up`), so once a matching certificate and private key are in place it is restarted automatically and should stay up. To confirm this, check that NGINX has started:
❯ gitlab-ctl status nginx
run: nginx: (pid 3976) 83s; run: log: (pid 2358) 537s
If the NGINX status is still down, start NGINX:
❯ gitlab-ctl start nginx
Use the OpenSSL commands in the 'Cause' section below to identify which private key belongs to which certificate before replacing either file.
Cause
The public key embedded in the certificate does not correspond to the private key, so OpenSSL rejects the key when NGINX loads it (SSL_CTX_use_PrivateKey) and NGINX refuses to start. To verify, compute a fingerprint of the public key from both files: the public key derived from the private key, and the public key extracted from the certificate. The two values must be identical.
In the example below, the certificate was not issued for this private key, which produces the error shown in the description:
❯ /opt/gitlab/embedded/bin/openssl pkey -pubout -in /etc/gitlab/ssl/gitlab.example.com.key | /opt/gitlab/embedded/bin/openssl sha256
SHA2-256(stdin)= e4070c9fb2b407441e6f13a1d699f99aa53a03a2bf8e581b651262ecd4bcfa51
❯ /opt/gitlab/embedded/bin/openssl x509 -noout -pubkey -in /etc/gitlab/ssl/gitlab.example.com.crt | /opt/gitlab/embedded/bin/openssl sha256
SHA2-256(stdin)= 75d1fb2c5af592a2d79092b5278955e803f5fe4b91bbc4ad68c2a65e83b3ba41
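The fingerprint comparison above, wrapped into a reusable check that can be run before restarting NGINX. This is an added example, not GitLab code: it assumes an `openssl` binary on PATH (override with `OPENSSL=/opt/gitlab/embedded/bin/openssl` on an Omnibus host), and the key and certificate it generates under a temporary directory are constructed test material, not the files from /etc/gitlab/ssl. It distinguishes the "key values mismatch" case (exit status 1) from an unparseable file (exit status 2), which is the other common outcome when a key or certificate is pasted incorrectly.

```shell
#!/bin/sh
# Added example (not GitLab code): verify that a PEM certificate and a PEM
# private key belong together, using the same public-key fingerprint
# comparison as the openssl commands in the Cause section.
# Assumption: an openssl binary on PATH. On an Omnibus GitLab host run with
#   OPENSSL=/opt/gitlab/embedded/bin/openssl sh check_pair.sh
OPENSSL="${OPENSSL:-openssl}"

# SHA-256 fingerprint of the public key derived from a private key file.
# Returns non-zero if the file is not a parseable private key.
key_pub_fp() {
  pub=$("$OPENSSL" pkey -pubout -in "$1" 2>/dev/null) || return 1
  printf '%s\n' "$pub" | "$OPENSSL" dgst -sha256 | sed 's/^.*= *//'
}

# SHA-256 fingerprint of the public key embedded in a certificate.
# Returns non-zero if the file is not a parseable certificate.
cert_pub_fp() {
  pub=$("$OPENSSL" x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  printf '%s\n' "$pub" | "$OPENSSL" dgst -sha256 | sed 's/^.*= *//'
}

# cert_key_match CERT KEY
# Exit status 0: the certificate's public key was derived from KEY.
# Exit status 1: fingerprints differ (the "key values mismatch" case).
# Exit status 2: either file could not be parsed.
cert_key_match() {
  c=$(cert_pub_fp "$1") || return 2
  k=$(key_pub_fp "$2") || return 2
  [ "$c" = "$k" ]
}

# make_fixtures DIR: constructed test material, not real GitLab files.
# Writes right.key and a self-signed cert.pem issued from it, plus
# wrong.key, an unrelated key that reproduces the mismatch.
make_fixtures() {
  "$OPENSSL" genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$1/right.key" 2>/dev/null
  "$OPENSSL" genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$1/wrong.key" 2>/dev/null
  "$OPENSSL" req -new -x509 -key "$1/right.key" -days 1 \
    -subj "/CN=gitlab.example.com" -out "$1/cert.pem" 2>/dev/null
}

# Stand-alone demo: report both pairings the way an operator would before
# running gitlab-ctl restart nginx.
dir=$(mktemp -d)
make_fixtures "$dir"
for key in right.key wrong.key; do
  cert_key_match "$dir/cert.pem" "$dir/$key"
  rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "cert.pem + $key: MATCH"
  else
    echo "cert.pem + $key: MISMATCH (exit status $rc)"
  fi
done
rm -rf "$dir"
```

To check the files NGINX actually loads, run `cert_key_match /etc/gitlab/ssl/gitlab.example.com.crt /etc/gitlab/ssl/gitlab.example.com.key` and only restart NGINX when it returns 0. The fingerprint is taken over the PEM public key that openssl prints, so the hex values are directly comparable with the output of the commands above.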
Related Links
- https://docs.gitlab.com/omnibus/settings/ssl/#configure-https-manually
- https://docs.gitlab.com/omnibus/settings/ssl/