Error when installing an SSL certificate on a MediaTemple GS server

Here is what happened:

I generated the CSR via the MediaTemple site (that is the only way to do it, since a GS is a shared server) and sent it over to namecheap.com (it's signed by RapidSSL).

When I got back the certificate and CA and tried to import them back into MediaTemple, I got the "Key do not match" error.

I contacted both support teams. They just keep pushing the blame onto each other. namecheap.com says there is an RSA key generated (which I do not have access to), and MediaTemple just blames other people outright without even trying to explain what could have gone wrong.

My question is:

  1. Has anyone had the same problem?

  2. What could be the cause of this error?

Thanks


Solution 1:

I have a similar issue pretty often, but that is because I'm generating a lot of certificates manually and signing them with an internal CA.

The cause of the issue is pretty straightforward: the private key that your server has kept doesn't match the public key embedded within your certificate.

The most common cause of this error is, by far, an operator error, sometimes made worse by poorly designed software. Basically, what often happens is that you generate a key pair and a CSR (Certificate Signing Request), send the CSR and then re-generate a new key pair. If the software is too dumb to remember more than one key, then it will lose the previously generated private key.

The solution for this kind of issue, if you're unwilling to simply outsource the job to the server operator, is to generate everything locally (using OpenSSL is the best option) and be careful about the private key you generate (I use a local Mercurial repository for this, which allows me to keep track of what was generated when and, if necessary, go back in time). Once you have the signed certificate, you upload it, along with the private key, to the server.
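
A way to check which private key a certificate belongs to before uploading it, as an added example that is not part of the original answer: it recreates the regenerate-after-CSR mistake described above with throwaway files and compares the public key carried by the key, the CSR and the certificate. The file names, the `example.test` subject and the self-signed stand-in for the CA are assumptions made for the demo.

```shell
#!/bin/sh
# Added example. File names and the subject "example.test" are constructed.

# Print the public key (PEM) carried by a private key, CSR or certificate.
pubkey_of() {  # $1 = key|csr|cert, $2 = PEM file
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    *)    return 2 ;;
  esac 2>/dev/null
}

# Exit 0 if both files carry the same public key, 1 if not, 2 if unreadable.
same_key() {  # same_key TYPE_A FILE_A TYPE_B FILE_B
  a=$(pubkey_of "$1" "$2") || return 2
  b=$(pubkey_of "$3" "$4") || return 2
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Recreate the failure described above inside directory $1.
make_demo_files() {
  # Key pair and CSR generated first; the CSR is what goes to the CA.
  openssl genrsa -out "$1/first.key" 2048 2>/dev/null &&
  openssl req -new -key "$1/first.key" -subj "/CN=example.test" \
    -out "$1/site.csr" 2>/dev/null &&
  # Stand-in for the CA (self-signed so the demo runs offline).
  openssl x509 -req -in "$1/site.csr" -signkey "$1/first.key" -days 1 \
    -out "$1/site.crt" 2>/dev/null &&
  # Operator error: a new key pair replaces the one the CSR was made from.
  openssl genrsa -out "$1/second.key" 2048 2>/dev/null
}

report() {  # report LABEL TYPE_A FILE_A TYPE_B FILE_B
  if same_key "$2" "$3" "$4" "$5"; then echo "$1: match"
  elif [ $? -eq 1 ]; then echo "$1: KEY DOES NOT MATCH"
  else echo "$1: could not read input"; fi
}

demo_dir=$(mktemp -d) && make_demo_files "$demo_dir" && {
  report "first.key  vs site.crt" key "$demo_dir/first.key"  cert "$demo_dir/site.crt"
  report "site.csr   vs site.crt" csr "$demo_dir/site.csr"   cert "$demo_dir/site.crt"
  report "second.key vs site.crt" key "$demo_dir/second.key" cert "$demo_dir/site.crt"
  rm -rf "$demo_dir"
}
```

Comparing the CSR against the returned certificate also shows whether the CA signed the request you actually sent, which separates a lost key on the server side from a mix-up at the CA.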

Solution 2:

Joel Chu, I don't know if this helps you but maybe, and I hope to help other MediaTemple users. I spent all day long trying to config a certbot-generated certificate on a MediaTemple GridServer shared host, but this should work with Acme PHP and other generators as well:

The solution, undocumented as far as I can tell:
1. Paste the first certificate generated in fullchain.pem into the Certificate field.
2. Paste the second certificate generated in fullchain.pem into the CA / Chain certificate field.
3. Paste the key generated in privatekey.pem, but with a detail on the first and last lines.
They MUST have the RSA keyword:

Replace the existing -----BEGIN PRIVATE KEY----- (or whatever is in the file)

with:

-----BEGIN RSA PRIVATE KEY-----

You must do the same for the last line. It should read:

-----END RSA PRIVATE KEY-----

After that I was able to add a certificate to my domain, and it is accepted by MT.

Hope this helps