diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index bd11f975f7..85c2d1b999 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -1378,6 +1378,22 @@ static APR_INLINE int modssl_DH_bits(DH *dh) #endif } +/* SSL_CTX_use_PrivateKey_file() can fail either because the private + * key was encrypted, or due to a mismatch between an already-loaded + * cert and the key - a common misconfiguration - from calling + * X509_check_private_key(). This macro is passed the last error code + * off the OpenSSL stack and evaluates to true only for the first + * case. With OpenSSL < 3 the second case is identifiable by the + * function code, but function codes are not used from 3.0. */ +#if OPENSSL_VERSION_NUMBER < 0x30000000L +#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY) +#else +#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB != ERR_LIB_X509 \ + || (ERR_GET_REASON(ec) != X509_R_KEY_TYPE_MISMATCH \ + && ERR_GET_REASON(ec) != X509_R_KEY_VALUES_MISMATCH \ + && ERR_GET_REASON(ec) != X509_R_UNKNOWN_KEY_TYPE)) +#endif + static apr_status_t ssl_init_server_certs(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, @@ -1483,8 +1499,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s, } else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile, SSL_FILETYPE_PEM) < 1) - && (ERR_GET_FUNC(ERR_peek_last_error()) - != X509_F_X509_CHECK_PRIVATE_KEY)) { + && CHECK_PRIVKEY_ERROR(ERR_peek_last_error())) { ssl_asn1_t *asn1; const unsigned char *ptr; diff --git a/test/travis_run_linux.sh b/test/travis_run_linux.sh index 6f29fd01a1..cd0d13480a 100755 --- a/test/travis_run_linux.sh +++ b/test/travis_run_linux.sh 
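Review bot: The OpenSSL >= 3 branch of CHECK_PRIVKEY_ERROR never applies its argument to ERR_GET_LIB — it reads `ERR_GET_LIB != ERR_LIB_X509` while the two ERR_GET_REASON calls beside it correctly use `(ec)`. In OpenSSL 3.x ERR_GET_LIB is an inline function rather than a macro, so the expression compares a function designator against an integer; at best that is a compiler diagnostic, and the comparison is always true, which makes the macro true for every failure and routes a cert/key mismatch down the same branch as an encrypted key in the second hunk instead of reporting the misconfiguration. The fix is one token: `#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB(ec) != ERR_LIB_X509 \`. The macro's comment should also say that `ec` is evaluated up to four times, so callers must pass a side-effect-free value such as the `ERR_peek_last_error()` result used at the call site.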
@@ -113,7 +113,14 @@ if ! test -v SKIP_TESTING; then if test -v TEST_SSL -a $RV -eq 0; then pushd test/perl-framework + # Test loading encrypted private keys + ./t/TEST -defines "TEST_SSL_DES3_KEY TEST_SSL_PASSPHRASE_EXEC" t/ssl + RV=$? + + # Test various session cache backends for cache in shmcb redis:localhost:6379 memcache:localhost:11211; do + test $RV -eq 0 || break + SSL_SESSCACHE=$cache ./t/TEST -sslproto TLSv1.2 -defines TEST_SSL_SESSCACHE -start ./t/TEST t/ssl RV=$? @@ -129,7 +136,6 @@ if ! test -v SKIP_TESTING; then if test $RV -eq 0 -a $SRV -ne 0; then RV=$SRV fi - test $RV -eq 0 || break done popd fi