
I have installed an SSL key in the past on my lighttpd and I documented the steps I took to make sure that I could replicate it in the future. Well, I haven't touched the server for a while, and now I need to create a new web server with lighttpd that will support SSL. I followed all the steps in my note and it gave me this error:

SSL: couldn't read X509 certificate from PEM file

I'm not sure what I missed in my steps, but if someone could please take a look at them and perhaps suggest what I missed, I'd really appreciate it.

This is my environment

CentOS 6.4 64 bit
lighttpd/1.4.35 (ssl) - a light and fast webserver

My SSL certificate is from StartCom.

Here are my steps

Generate my CSR

openssl req -new -newkey rsa:4096 -nodes -out myserver.csr -keyout myserver_privatekey.key -subj "/C=us/ST=State/L=City/O=MyCompany/OU=Productions/CN=myserver.mycompany.net"

Send the CSR to StartCom, get the SSL certificate back, and save it as

myserver.crt

Create the final PEM file

cat myserver_privatekey.key myserver.crt > myserver.pem

I got these 2 files from StartCom

ca.pem 
sub.class1.server.ca.pem

Combined those 2 files

cat ca.pem sub.class1.server.ca.pem >> ca-certs.crt

Move the crt and pem files to the myssl directory

Here is my lighttpd configuration:

$SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine  = "enable"
        ssl.ca-file = "/etc/lighttpd/myssl/ca-certs.crt"
        ssl.pemfile = "/etc/lighttpd/myssl/myserver.pem"
}

$SERVER["socket"] == "[::]:443" {
        ssl.engine  = "enable"
        ssl.ca-file = "/etc/lighttpd/myssl/ca-certs.crt"
        ssl.pemfile = "/etc/lighttpd/myssl/myserver.pem"
}

$HTTP["host"] =~ "^(myserver\.)?mycompany\.net$" {
        ssl.ca-file = "/etc/lighttpd/myssl/ca-certs.crt"
        ssl.pemfile = "/etc/lighttpd/myssl/myserver.pem"
        server.document-root = "/var/www/lighttpd/mywebsite"
}

So when I was done, I restarted lighttpd and this is the error I got.

Starting lighttpd: 2015-09-20 15:58:32: (network.c.543) SSL: couldn't read X509 certificate from '/etc/lighttpd/myssl/myserver.pem'

I've never seen that error in the past, so I'm not quite sure how to move forward from here. Can anyone give me your 2 cents on what I missed? Please help.

Le Dude
  • Could it be a permissions issue? – womble Sep 21 '15 at 02:37
  • It shouldn't be, because it has the same ownership as lighttpd. But just for the heck of it, I tried changing it to the app's ownership and the error is still the same. – Le Dude Sep 21 '15 at 03:57
  • What does `openssl x509 -noout -text -inform PEM -in /etc/lighttpd/myssl/myserver.pem` show? If that doesn't work, try changing `-inform PEM` to `-inform DER`. – Castaglia Feb 14 '16 at 21:04
  • This post (http://serverfault.com/questions/316907/ssl-error-unable-to-read-server-certificate-from-file) talks about another possible culprit that affects apache, and might happen for `nginx` as well. – Castaglia Feb 15 '16 at 00:30

1 Answer


For me, putting a new line in between the key and crt in the PEM file solved this.

cat my_server.key <(echo) my_server.crt > my_server.pem
user620380
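The following is an added example, not code from the question or the answer above. It covers both the PEM-assembly step in the question (the `cat key crt > pem` line) and the fix in the answer: if the key file has no trailing newline, plain `cat` fuses `-----END RSA PRIVATE KEY-----` and `-----BEGIN CERTIFICATE-----` onto one line, which is one way a PEM file becomes unreadable to the server. `build_pem` only inserts a newline when an input lacks one, and `check_pem` flags a file whose markers are fused before you point `ssl.pemfile` at it. File names are placeholders, and the key and certificate bodies in `demo` are constructed dummy data, not real credentials.

```shell
#!/bin/sh
# Added example (not from the question or answer): assemble a lighttpd
# ssl.pemfile from a private key and a certificate without fusing the
# END/BEGIN markers, and check an existing PEM file for that fusion.
# All paths are placeholders; the PEM bodies in demo() are constructed.

# build_pem KEY CERT OUT
# Writes KEY then CERT into OUT. A newline is added after an input only
# when its last byte is not already a newline, so a key file saved
# without a trailing newline (the case in the answer) still yields a
# well-formed file, and a file that already ends in a newline gets no
# stray blank line.
build_pem() {
    key=$1; cert=$2; out=$3
    {
        cat "$key"
        # "$(tail -c 1 f)" is empty when the last byte is a newline
        if [ -n "$(tail -c 1 "$key")" ]; then echo; fi
        cat "$cert"
        if [ -n "$(tail -c 1 "$cert")" ]; then echo; fi
    } > "$out"
}

# check_pem FILE
# Returns 0 when every PEM marker sits on its own line, 1 when an END
# marker is fused with the following BEGIN marker, 2 when no PEM block
# starts at the beginning of a line at all. Diagnostics go to stderr.
check_pem() {
    file=$1
    if grep -q -- '-----END [^-]*-----.*-----BEGIN' "$file"; then
        echo "fused PEM markers in $file:" >&2
        grep -n -- '-----END [^-]*-----.*-----BEGIN' "$file" >&2
        return 1
    fi
    if ! grep -q -- '^-----BEGIN ' "$file"; then
        echo "no PEM block found in $file" >&2
        return 2
    fi
    echo "$file: $(grep -c -- '^-----BEGIN ' "$file") PEM block(s), markers look sane"
    return 0
}

# demo: reproduce the failure with constructed files, then the fix.
demo() {
    dir=$(mktemp -d)
    # constructed dummy key, deliberately written WITHOUT a trailing newline
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nTUlJRWV4YW1wbGUgZHVtbXkga2V5\n-----END RSA PRIVATE KEY-----' > "$dir/key"
    # constructed dummy certificate with a normal trailing newline
    printf -- '-----BEGIN CERTIFICATE-----\nTUlJRWV4YW1wbGUgZHVtbXkgY2VydA==\n-----END CERTIFICATE-----\n' > "$dir/crt"
    # the plain concatenation from the question: markers end up fused
    cat "$dir/key" "$dir/crt" > "$dir/bad.pem"
    check_pem "$dir/bad.pem" || echo "bad.pem rejected as expected (status $?)"
    # the safe assembly
    build_pem "$dir/key" "$dir/crt" "$dir/good.pem"
    check_pem "$dir/good.pem"
    rm -rf "$dir"
}
demo
```

Run `check_pem /etc/lighttpd/myssl/myserver.pem` on the server (path as in the question) before restarting lighttpd; if it reports fused markers, rebuild the file with `build_pem`. A clean result from `check_pem` only means the markers are laid out correctly, so the `openssl x509 -noout -text -in ...` command suggested in the comments is still the right way to confirm that the certificate itself parses.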