tls_build

Diagnostic `nanook::admin::tls_build`

Summary

rustls rejected the cert + key pair

Help

the certificate and private key likely do not match

Details

When this fires

rustls accepted both files individually but rejected them as a pair. The certificate's public key does not match the private key, so a TLS handshake using this material would fail at the Finished message anyway.

What to check

  • Confirm the cert and key are halves of the same pair:
      openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform der | sha256sum
      openssl pkey -in "$key"  -pubout    | openssl pkey -pubin -outform der | sha256sum

The two hashes must match. If they don't, you have a swap or copy-paste error somewhere in the cert provisioning pipeline.

  • If you regenerated only one half, regenerate both together (e.g. re-run certbot renew --force-renewal for the matching domain).
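
The hash comparison from the first check, wrapped as a scriptable gate for a provisioning pipeline. This is an added example, not part of nanook; the function names `spki_hash`, `check_pair` and `make_demo_pairs` are hypothetical. It goes one step beyond the two commands above by reporting unreadable files separately: with the bare pipelines, a failed `openssl` call on both sides hashes empty input twice and the two hashes look equal.

```shell
# Added example (not nanook code). Exit status: 0 match, 1 mismatch, 2 parse error.
spki_hash() {
    # $1 = "cert" or "key", $2 = path to a PEM file
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2 ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2 ;;
        *)    return 2 ;;
    esac
    # Refuse to hash empty output: two failed extractions would otherwise "match".
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" | openssl pkey -pubin -outform der 2>/dev/null |
        sha256sum | cut -d' ' -f1
}

check_pair() {
    # $1 = certificate path, $2 = private key path
    cert_hash=$(spki_hash cert "$1") || { echo "cannot parse certificate: $1" >&2; return 2; }
    key_hash=$(spki_hash key "$2") || { echo "cannot parse private key: $2" >&2; return 2; }
    if [ "$cert_hash" = "$key_hash" ]; then
        echo "match: $cert_hash"
        return 0
    fi
    echo "MISMATCH: cert=$cert_hash key=$key_hash" >&2
    return 1
}

make_demo_pairs() {
    # Constructed sample input: two throwaway self-signed pairs (a and b) in a
    # temp directory, so a.crt + b.key reproduces the swapped-file case.
    dir=$(mktemp -d) || return 2
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n.example.test" \
            -keyout "$dir/$n.key" -out "$dir/$n.crt" >/dev/null 2>&1 || return 2
    done
    echo "$dir"
}
```

Call `check_pair "$cert" "$key"` before handing the files to the server and stop the deploy on any non-zero status.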