Monitor invalid SSL certificates

It shouldn’t happen, but as so often, it still does: sometimes an SSL certificate isn’t created properly, and the result can be a nasty error message like this one:

certificate routines:X509_check_private_key:key values mismatch

In my case it was reported by nginx like this:

Apr 27 05:30:51 localhost nginx-rc[3120]: nginx: [emerg] SSL_CTX_use_PrivateKey("/etc/nginx-rc/conf.d/my-server.d/server.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

As you can see, it is logged at the “emerg” level, which means nginx won’t be happy about this. In my case the one broken vhost caused the other vhosts to fail as well, because nginx couldn’t reload its configuration and therefore couldn’t pick up the renewed Let’s Encrypt certificates either.

Since I was in a bit of a rush I just rebooted the server, but that made it even worse: nginx didn’t start at all, and I had to take a closer look at the log files. Recreating the certificate that hadn’t been created correctly was all it took, but knowing that this is what you have to do is the tricky part.

Get a Telegram message if a certificate is invalid

If you haven’t sent a message to Telegram from your command line before, check this article: https://www.marcodena.it/blog/telegram-logging-handler-for-python-java-bash/

In short:

  • You befriend the BotFather
  • You issue the command /newbot, enter a name and you’ll get a token
  • You start a conversation with your bot and use that chat ID in your script

We can use openssl to print the modulus of both the private key and the certificate. The two have to match; if they don’t, the key and the certificate don’t belong together, which is exactly what the error above complains about. My script is used with RunCloud, but just adjust the path in the loop to get it working in your environment:

#!/bin/bash
# Fill in the token you got from the BotFather and the chat ID of your conversation with the bot.
# The quotes matter: an unquoted <...> would be parsed by bash as an input redirection.
TELEGRAM_TOKEN="<token from telegram>"
TELEGRAM_CHAT_ID="<chat id from telegram>"

URL="https://api.telegram.org/bot$TELEGRAM_TOKEN/sendMessage"

# Adjust the glob to wherever your vhosts keep their key/certificate pairs.
for keyFile in /etc/nginx-rc/conf.d/*/server.key; do
   crtFile="${keyFile::-3}crt"   # /path/server.key -> /path/server.crt
   # The RSA modulus is part of the public key, so the private key and the certificate
   # issued for it must print the same value. (This check only works for RSA keys.)
   keyFileModulus=$(openssl rsa -noout -modulus -in "$keyFile")
   crtFileModulus=$(openssl x509 -noout -modulus -in "$crtFile")
   if [ "$crtFileModulus" != "$keyFileModulus" ]; then
      curl -s -X POST "$URL" -d "chat_id=$TELEGRAM_CHAT_ID" \
           --data-urlencode "text=SSL certificate is invalid, recreate $keyFile" > /dev/null
   fi
done
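As an added example that is not part of the original post, here is a POSIX shell version of the same check that compares the whole public key instead of the RSA modulus (so it also works for EC keys) and distinguishes a genuine mismatch from a file that cannot be read at all. The `key_matches_cert` and `check_tree` functions, the `good-rsa`/`good-ec`/`bad`/`missing-crt` vhost layout, and the keys and certificates it generates into a temporary directory are all constructed for the demo and have nothing to do with RunCloud’s own paths.

```shell
#!/bin/sh
# Added example (not from the original post): compare the public key that a
# certificate carries with the public key derived from the private key.
# `openssl pkey -pubout` works for RSA and EC keys alike, whereas the
# `-modulus` comparison used in the post only works for RSA.

# key_matches_cert KEYFILE CRTFILE
#   returns 0 if the pair belongs together, 1 on a mismatch,
#   2 if either file cannot be read or parsed (missing file, garbage, ...).
key_matches_cert() {
    local key_file="$1" crt_file="$2" key_pub crt_pub
    key_pub=$(openssl pkey -in "$key_file" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$crt_file" -pubkey -noout 2>/dev/null) || return 2
    # Both commands print the SubjectPublicKeyInfo as PEM, so a byte-for-byte
    # comparison is enough.
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# check_tree ROOT
#   walks ROOT/*/server.key like the post's cron job, prints one line per vhost
#   and returns the number of vhosts whose key/certificate pair is unusable.
check_tree() {
    local root="$1" key crt problems=0
    for key in "$root"/*/server.key; do
        [ -e "$key" ] || continue
        crt="${key%.key}.crt"
        if key_matches_cert "$key" "$crt"; then
            echo "OK       $key"
        else
            echo "MISMATCH $key  (recreate the certificate)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# make_demo_dir
#   builds a constructed vhost layout in a temp dir (assumption for the demo):
#   two correct pairs (RSA and EC), one pair with the wrong key, one missing cert.
make_demo_dir() {
    local dir
    dir=$(mktemp -d)
    mkdir "$dir/good-rsa" "$dir/good-ec" "$dir/bad" "$dir/missing-crt"
    # RSA key with a matching self-signed certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-rsa" \
        -keyout "$dir/good-rsa/server.key" -out "$dir/good-rsa/server.crt" 2>/dev/null
    # EC key with a matching self-signed certificate
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/good-ec/server.key" 2>/dev/null
    openssl req -x509 -new -days 1 -subj "/CN=demo-ec" \
        -key "$dir/good-ec/server.key" -out "$dir/good-ec/server.crt" 2>/dev/null
    # "bad": a freshly generated key next to the RSA certificate from above
    openssl genrsa -out "$dir/bad/server.key" 2048 2>/dev/null
    cp "$dir/good-rsa/server.crt" "$dir/bad/server.crt"
    # "missing-crt": a key whose certificate file was never written
    cp "$dir/good-rsa/server.key" "$dir/missing-crt/server.key"
    echo "$dir"
}

# Run the check over the constructed layout; two vhosts should be reported.
demo_dir=$(make_demo_dir)
check_tree "$demo_dir" || echo "vhosts that need a new certificate: $?"
rm -rf "$demo_dir"
```

In a real deployment you would drop `make_demo_dir`, point `check_tree` at your vhost directory, and send the `MISMATCH` lines through the same curl call as the post’s script; the return value of `check_tree` makes the script usable as a cron job or a monitoring check that fails only when something actually needs attention.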
