Connectrix SANnav: Proxy Service Not Starting after Replaced SSL Certificate with CA Signed

[VMware] root@olsannav.kba.de /opt/sannav/Portal_2.4.0_bld249/bin # sh ./replace-sannav-certificates.sh

Enter the path for the chained CA certificate including the file name (If you have an intermediate certificate chain the same with root and provide the path including file name.) :
/tmp/ca-chain.crt

Enter the path for the private key including the file name :
/tmp/olsannav.kba.de.key

Enter the password for private key (/tmp/olsannav.kba.de.key). If the private key is not password protected, press Enter :

Enter the path for the SSL certificate to be installed on olsannav.kba.de including the file name. Ensure that the Common Name of the certificate matches the FQDN of the host olsannav.kba.de.
/tmp/olsannav.kba.de.crt
No extensions in certificate

Successfully validated the certificate and the private key.
Stopping the SANnav Management Portal server to apply the certificates.
Stopped the SANnav Management Portal server to apply the certificates.
Starting SANnav Management Portal services.
Services have been started.
Waiting and checking for SANnav server to be ready. This may take a few minutes.
[|]
Some services are still not up. Run the script (/opt/sannav/Portal_2.4.0_bld249/bin/check-sannav-status.sh) to check SANnav startup status.
If all services are not up after an additional 15 minutes, run the troubleshooting script (/opt/sannav/Portal_2.4.0_bld249/bin/troubleshooting-sannav.sh) to resolve any reported issues and restart SANnav.

Docker container for the proxy service shows the following error:

/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up

2025/05/30 11:43:59 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1

2025/05/30 11:43:59 [emerg] 1#1: SSL_CTX_use_PrivateKey("/etc/nginx/sannav-cert.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: [emerg] SSL_CTX_use_PrivateKey("/etc/nginx/sannav-cert.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

Verified the Common name (CN) of CA certificate and SANnav server signed certificate are the same:

openssl x509 -in /tmp/olsannav.kba.de.crt -noout -subject
subject=O=KBA, OU=146-SSL-Server, OU=SAN, CN=olsannav.kba.de

[VMware ] root@olsannav.kba.de /opt/sannav # hostname
olsannav.kba.de

Also verified the certificates:

# openssl rsa -noout -modulus -in olsannav.kba.de.key | openssl md5
MD5(stdin)= 3de4b148f281980ec2e9ad827b7ca257

# openssl x509 -noout -modulus -in olsannav.kba.de.crt | openssl md5
MD5(stdin)= 3de4b148f281980ec2e9ad827b7ca257

# openssl verify -CAfile /tmp/ca-chain.crt /tmp/olsannav.kba.de.crt
/tmp/olsannav.kba.de.crt: OK

The errors suggest that the key may have an incorrect value or have been password protected at some point. In this case, the certificate was in the wrong format. 

Convert the certificate from DER to PEM format and follow the instructions below to start proxy service.

1. Launch the Linux console to the SANnav server.
2. Go to the location <SANnav_Home>/conf/nginx and take the backup of the file sannav-cert.pem and sannav-cert.Key and move it outside of the SANnav home location.
3. Validate the original certificate and keys:
   1. These two commands print md5 checksums of the certificate and key; the checksums can be compared to verify the certificate and key match:

openssl x509 -noout -modulus -in server.pem | openssl md5

openssl rsa -noout -modulus -in server.key | openssl md5

2. Verify the certificate chain:

openssl verify -CAfile chain.pem server.pem

3. Validate key:

openssl rsa -check -noout -in server.key

4. Check certificate and return information about it (signing authority, expiration date, so on):

openssl x509 -in server.pem -noout -text
openssl x509 -in chain.pem -noout -text

4. Copy the correct certificate and chain to the location <SANnav_Home>/conf/nginx
   1. In <~location original certificates received from the CA> do:

cat <server_cert.pem> <chained_cert.pem> >> sannav-cert.pem

cat <server_key.key> >> sannav-cert.key

2. Copy <~location original key>/sannav-cert.key <SANnav_Home>/conf/nginx/sannav-cert.key
3. Copy <~location original pem>/sannav-cert.pem <SANnav_Home>/conf/nginx/sannav-cert.pem

5. Restart the nginx service by following the below steps:
   1. Perform the below commands to get the proxy service ID:

[root@sannav4321 bin]# docker service ls | grep proxy
ypaxcuueqlbb   dcm_2_2_0_proxy

replicated   0/1        10.1xx.4x.8x:5000/proxy-local:sann2.2.0        

2. Scale down the proxy service by using the below command:

[root@sannav4321 bin]# docker service scale dcm_2_2_0_proxy=0
ypaxcuueqlbb scaled to 0
overall progress: 0 out of 0 tasks
verify: Service converged

3. Wait for 10-15 seconds and then Scale up the proxy service by using the below command:

[root@sannav4321 bin]# docker service scale dcm_2_2_0_proxy=1
ypaxcuueqlbb scaled to 1
overall progress: 1 out of 1 tasks
1/1: running   [==================================================>]
verify: Service converged

4. Confirm whether the proxy service is up and running "1/1"or not by using the below command:

[root@sannav4321 bin]# docker service ls | grep proxy
ypaxcuueqlbb   dcm_2_2_0_proxy                                  replicated   1/1        10.155.43.87:5000/proxy-local:sann2.2.0          
[root@sannav4321 bin]#

6. Verify the SANnav services status, whether the nginx proxy service is up and running or not by using the script check-sannav-status.sh.
7. Run the script replace-sannav-certificates again after the proxy has started and apply the key, certificate, and chain again to apply the correct certificate to the KAFKA container. Follow the procedure from the replace-sannav-certificates script.