
Modulus of private key and cert differ, but ELB still works? #40

Closed
gdhbashton opened this issue Apr 4, 2016 · 4 comments

Comments

@gdhbashton (Author)

Hi,

Many thanks for this lovely bit of software - I've been hacking on it to solve #4 since I have the same use case. I was delighted to be able to spit out the private key and chain cert so I could wrap Puppet around it (I hope to release a Puppet module for it).

At the end of this process, Nginx refused to start, and complained about mismatched keys. After some further digging, I found that the modulus of the private key did not match that of the generated certificate.

I immediately went back to your pristine sources and was able to update an ELB without problem, but again the modulus of the private key and certificate (after downloading it using openssl s_client ..... -showcerts) were different - yet the ELB was able to successfully negotiate a TLS 1.2 connection.

Does any of this sound familiar? I didn't want to paste a torrent of output if there was a simple step that I missed! :)

Cheers,
Gavin.

@alex (Owner) commented Apr 4, 2016

Hi Gavin, I haven't seen this issue before; can you share the code you're working with? If the key/cert have different moduli, that definitely sounds like a bug, and yet I can't imagine how it would occur.

@gdhbashton (Author)

Ah good news.

I reviewed the code again and became unsure of the generate_rsa_private_key function - I'd assumed the ACME key was also used as the private key for any certificates generated, but in update_elb there is a new private key generated for each certificate, unrelated to the ACME one. Is that expected?

Hence I updated the code to output not only the ACME key (from the register operation) but also the private key from the update-certificates operation. Finally, after swapping the certificate order (chain then cert as opposed to cert then chain), the moduli matched.

I've put the code I'm using in this fork. Note that it was from before you refactored a couple of weeks ago; I found the older structure much easier to comprehend.

https://github.com/gdhbashton/letsencrypt-aws/tree/feature/ec2-autoregister

Can you comment on the ACME private key vs. cert private key - should they be different?

@alex (Owner) commented Apr 5, 2016

Yes, that's intentional: the ACME private key is for communicating with the Let's Encrypt servers; a new private key is generated for use in your TLS server on every certificate issuance.

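As an added example (not code from letsencrypt-aws, and not posted by either commenter), the openssl check Gavin describes, run against keys and certificates constructed locally so it works offline. It shows both points of the thread: the separate ACME account key never matches the issued certificate, and a bundle with the chain ahead of the leaf looks like a key mismatch because `openssl x509 -modulus` only reads the first certificate in a file. The file names under `$WORK` and the subject names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of letsencrypt-aws. Reproduces the modulus check
# from the issue against locally constructed keys and self-signed certs.
# Hypothetical layout under $WORK:
#   acme.key   stand-in for the ACME account key (never used in the cert)
#   tls.key    stand-in for the per-issuance TLS key (used in leaf.pem)
#   leaf.pem   cert for tls.key; chain.pem: unrelated cert standing in for
#              the issuer chain; leaf-first.pem / chain-first.pem: bundles
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build the fixture. Three unrelated keys, as the project does for the ACME
# account key and each issuance; nothing here contacts Let's Encrypt.
make_fixture() {
    openssl genrsa -out "$WORK/acme.key"   2048 2>/dev/null
    openssl genrsa -out "$WORK/tls.key"    2048 2>/dev/null
    openssl genrsa -out "$WORK/issuer.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/tls.key" -subj "/CN=leaf.example.test" \
        -days 1 -out "$WORK/leaf.pem" 2>/dev/null
    openssl req -x509 -new -key "$WORK/issuer.key" -subj "/CN=issuer.example.test" \
        -days 1 -out "$WORK/chain.pem" 2>/dev/null
    # leaf-first is what nginx's ssl_certificate expects; chain-first is the
    # order that produced the "mismatch" reported in the issue.
    cat "$WORK/leaf.pem"  "$WORK/chain.pem" > "$WORK/leaf-first.pem"
    cat "$WORK/chain.pem" "$WORK/leaf.pem"  > "$WORK/chain-first.pem"
}

# RSA modulus of a private key, as a hex string.
key_modulus() {
    openssl rsa -noout -modulus -in "$1" | sed 's/^Modulus=//'
}

# RSA modulus of the FIRST certificate in a PEM file. openssl x509 stops
# after one certificate, so on a chain-first bundle this is the issuer's
# modulus, not the leaf's.
cert_modulus() {
    openssl x509 -noout -modulus -in "$1" | sed 's/^Modulus=//'
}

# Exit 0 when the key's modulus equals that of the first cert in the file.
modulus_matches() {
    [ "$(key_modulus "$1")" = "$(cert_modulus "$2")" ]
}

make_fixture

for pair in "tls.key leaf-first.pem" "tls.key chain-first.pem" "acme.key leaf.pem"; do
    set -- $pair
    if modulus_matches "$WORK/$1" "$WORK/$2"; then
        echo "match:    $1 vs first cert in $2"
    else
        echo "MISMATCH: $1 vs first cert in $2"
    fi
done
```

Run it with `sh check-modulus.sh`. The first line reports a match, the second a mismatch for the same key purely because the chain precedes the leaf, and the third a mismatch because the ACME account key is never the certificate's key. When a real deployment shows the second pattern, fix the bundle order rather than the key.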

@gdhbashton (Author)

Ah cool. I'm actually quite pleased that I simply misunderstood the operation of LE itself and that the script is working fine :) I'll close this issue. Thank you for your responses!
