
We have generated a certificate via Letsencrypt and are trying to use it via nginx, but we get a weird error:

cannot load certificate "/home/path/site.pem": PEM_read_bio_X509_AUX() failed

The solution we found was to add a space in front of the certificate (notice the space in front of the cert) (also note that I have changed the content of the cert for security).

-----BEGIN CERTIFICATE-----
 (certificate body removed)
-----END CERTIFICATE-----

What is wrong with the cert, why does it work after adding a space?

  • The space character is not part of base64 and should, as a non-conforming character, be completely ignored in a proper PEM parser (RFC 7468), but that also requires that a generator must wrap a base64 encoded line at 64 characters, so a single line certificate looks strange to me – HBruijn Jun 28 '23 at 14:12
  • A quick search (from my mobile) suggests that `PEM_read_bio_X509_AUX` is a function associated with reading a private key rather than a certificate; is your configuration reading your certificate where it should be pointing to a private key? – HBruijn Jun 28 '23 at 14:25
  • @HBruijn: no, `PEM_read[_bio]_X509_AUX` nominally reads an OpenSSL-modified certificate format labelled 'TRUSTED CERTIFICATE'; it also accepts a standard certificate. It never reads a private key (or a bare public key either). Like all PEM_read routines, it will _skip over_ PEM blocks that aren't the desired type, and some programs put both private key and cert in one file, sometimes plus chain cert(s), and then use PEM_read_X509[_AUX] and PEM_read_[type]PrivateKey to read them separately or PEM_X509_INFO_read to read both/all of them. – dave_thompson_085 Jun 29 '23 at 02:38

1 Answer

Without further information it looks like a copy-and-paste issue. Shouldn't the certificate look like

-----BEGIN CERTIFICATE-----
MIIF8DCCBNigAwIBAgISA08f2YsQTxMkdjKqHcKSZcDEMA0GCSqGSIb3DQEBCwUA
...
5b3EGib8sGrkDbg9OCCrg6qj6Cf
-----END CERTIFICATE-----

with max. 64 characters in a line?

Whereby the first line looks quite OK using something like

~/test$ Base64encodedString='MIIF8DCCBNigAwIBAgISA08f2YsQTxMkdjKqHcKSZcDEMA0GCSqGSIb3DQEBCwUAMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD'
~/test$ echo -n ${Base64encodedString} | base64 --decode | hexdump -C
00000000  30 82 05 f0 30 82 04 d8  a0 03 02 01 02 02 12 03  |0...0...........|
00000010  4f 1f d9 8b 10 4f 13 24  76 32 aa 1d c2 92 65 c0  |O....O.$v2....e.|
00000020  c4 30 0d 06 09 2a 86 48  86 f7 0d 01 01 0b 05 00  |.0...*.H........|
00000030  30 32 31 0b 30 09 06 03  55 04 06 13 02 55 53 31  |021.0...U....US1|
00000040  16 30 14 06 03 55 04 0a  13 0d 4c 65 74 27 73 20  |.0...U....Let's |
00000050  45 6e 63 72 79 70 74 31  0b 30 09 06 03 55 04 03  |Encrypt1.0...U..|
00000060  30 32 31 0b 30 09 06 03  55 04 06 13 02 55 53 31  |021.0...U....US1|
00000070  16 30 14 06 03 55 04 0a  13 0d 4c 65 74 27 73 20  |.0...U....Let's |
00000080  45 6e 63 72 79 70 74 31  0b 30 09 06 03 55 04 03  |Encrypt1.0...U..|
U880D
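As an added example (not from the answer above), the following POSIX shell script re-folds a PEM body that was written on one long, space-prefixed line into the 64-character layout the answer describes, and then checks the result the way the hexdump does (body lines at most 64 base64 characters, first DER byte 0x30 for the outer SEQUENCE). It assumes awk and a coreutils-style `base64 -d`; the constructed sample input reuses the base64 string shown in the answer.

```shell
#!/bin/sh
# Example script, not part of the original question or answer.
# Requires: awk, od, tr, sed, and base64 with a -d (decode) option.

# Read a PEM file on stdin, write a normalised PEM on stdout:
# strip spaces/tabs/CRs from the body and re-fold it at 64 chars (RFC 7468).
pem_rewrap() {
    awk '
        /^-----BEGIN / { print; body = ""; next }
        /^-----END / {
            gsub(/[ \t\r]/, "", body)
            while (length(body) > 64) {
                print substr(body, 1, 64)
                body = substr(body, 65)
            }
            if (length(body) > 0) print body
            print
            next
        }
        { body = body $0 }
    '
}

# Return 0 if the PEM on stdin is well formed for a certificate:
# every body line is <= 64 plain base64 characters, and the decoded
# DER starts with 0x30 (ASN.1 SEQUENCE), as in the answer's hexdump.
pem_check() {
    pem=$(cat)
    printf '%s\n' "$pem" | awk '
        /^-----/ { next }
        length($0) > 64 || /[^A-Za-z0-9+\/=]/ { bad = 1 }
        END { exit bad }
    ' || return 1
    first=$(printf '%s\n' "$pem" | sed '/^-----/d' | tr -d '\n' \
        | base64 -d 2>/dev/null | od -An -tx1 -N1 | tr -d ' \n')
    [ "$first" = "30" ]
}

# Constructed sample: the base64 from the answer, on one line with a leading space,
# i.e. the shape the question describes.
BODY='MIIF8DCCBNigAwIBAgISA08f2YsQTxMkdjKqHcKSZcDEMA0GCSqGSIb3DQEBCwUAMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD'
SINGLE_LINE_PEM=$(printf '%s\n %s\n%s\n' '-----BEGIN CERTIFICATE-----' "$BODY" '-----END CERTIFICATE-----')

# Demo: the single-line form fails the check; the re-folded form passes.
printf '%s\n' "$SINGLE_LINE_PEM" | pem_check || echo "original: not a clean PEM"
printf '%s\n' "$SINGLE_LINE_PEM" | pem_rewrap | pem_check && echo "rewrapped: OK"
```

Run it as `sh pem_refold.sh` (any file name works); to fix a real file, use `pem_rewrap < site.pem > site.fixed.pem` and then confirm with `openssl x509 -in site.fixed.pem -noout -subject`.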