48

I have to add ssl (https) for a website, I was given a SSL.CSR and a SSL.KEY file. I 'dos2unix'ed them (because they have trailing ^M) and copied them to the server (CSR -> mywebsite.crt, KEY -> mywebsite.key). I did the following modification to nginx.conf:

@@ -60,8 +60,13 @@
        }

     server {
-       listen       80;
+       listen       443;
         server_name  ...;
+       ssl                 on;
+       ssl_certificate     mywebsite.crt;
+       ssl_certificate_key mywebsite.key;
+       ssl_session_cache   shared:SSL:10m;
+       ssl_session_timeout 10m;
        # Set the max size for file uploads to 500Mb

        client_max_body_size 500M;
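Review bot: `ssl_certificate mywebsite.crt;` points at a file that, per the description above, is the CSR renamed, and a certificate request will never load through PEM_read_bio_X509_AUX however its BEGIN/END lines are edited; the directive needs the CA-signed certificate returned for that CSR (optionally followed by the intermediate chain), and since the key file was posted publicly it should be regenerated along with a fresh CSR before that certificate is requested. Two smaller points: `ssl on;` is deprecated in current nginx in favour of `listen 443 ssl;`, and changing `listen 80;` to `listen 443;` in the same block drops plain-HTTP service entirely rather than redirecting it, so a second `server` block listening on 80 is the usual companion change.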

Error happens when I restart nginx:

nginx: [emerg] PEM_read_bio_X509_AUX("/etc/nginx/mywebsite.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)

I figure it's because the first line of mywebsite.crt file contains 'REQUEST', so I remove 'REQUEST' from the first and last of the lines, and restart nginx again, and hit another error:

nginx: [emerg] PEM_read_bio_X509_AUX("/etc/nginx/mywebsite.crt") failed (SSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:Field=algorithm, Type=X509_ALGOR error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:Field=signature, Type=X509_CINF error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:Field=cert_info, Type=X509 error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib)

Any idea?

tobias47n9e
Romstar
  • You can get free Class 1 Server certificates from [StartCom](https://www.startcom.org/). Submit the CSR, and get a CRT back (signed certificate). Convert the CRT to PEM, and concatenate StartCom's [Class 1 Server Intermediate](https://www.startssl.com/certs/) certificate to the file with the PEM encoded certificate you just converted. And as Mark said, throw away that key. – jww Feb 19 '14 at 06:10
  • By the way, `openssl req -in mycsr.csr -noout -text` prints the CSR. Your CSR is malformed - since it has a Common Name (CN), the same host name needs to be listed as a Subject Alt Name (SAN). CN is deprecated, and you should just list *.example.net as a SAN (and omit the CN). See the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates from the CA/Browser forums. – jww Feb 19 '14 at 06:36
  • @noloader Thanks for your answer! Actually I used the wrong file, I was given a CertB64.cer file which is accepted by nginx. Now I have another two problems: 1) Firefox complains the certificate has no 'issuer chain' 2) all the pics (hosted on asset.bbb.aaa.mywebsite.com) can't be loaded because Chrome and IE complain the certificate (issued for \*.aaa.mywebsite.com) is not for asset.bbb.aaa.mywebsite.com, pics can only be opened if I manually open pic URL and confirm security exception. I guess I need to get another certificate issued for *.*.aaa.mywebsite.com with issuer chain included? – Romstar Feb 19 '14 at 07:42
  • I hit this problem on macOS. By mistake I exported the `Public Key` of each Certificate in my Chain instead of the Certificate files. Once I exported the Cert files (as PEM files) and chained them together, it all worked. – rustyMagnet Mar 18 '20 at 13:52
  • See https://github.com/debauchee/barrier/issues/126 – Gilbert Feb 04 '22 at 16:31

7 Answers

40

You should never share your private key. You should consider the key you posted here compromised and generate a new key and signing request.

You have a certificate request and not an actual signed certificate. You provide the request ('CSR') to the signing party. They use that request to create a signed certificate ('CRT') which they then make available to you. The key is never disclosed to anyone.

Mark Sturgill
29

FYI, you can validate the keys just calling:

openssl x509 -noout -text -in your.crt
openssl rsa -noout -text -in your.key

In my case this error proved rather subtle: the BEGIN block started with 4 dashes, not 5. ---- vs -----. Sadly the validation tool error messages aren't very specific.

Joseph Lust
16

I came across this issue while searching online for SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE
I got this error after running:

    nginx -t

The problem I had was that cert.pem and cert.key were missing

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
Christie
  • `nginx -t` let me know that the format of the .crt I was working with wasn't correct. I double checked and during import (I was installing the certificate using an external service) the .crt file was getting mangled. Thanks man. – Djave Nov 30 '16 at 17:55
  • Same case here. – jirarium Aug 06 '19 at 11:20
8

The steps on the NGINX site for combining your public certificate with an intermediate certificate use cat to combine the two files. But if your public cert file does not end in a new line, the -----BEGIN CERTIFICATE----- line of the intermediate cert will be appended to the end of the -----END CERTIFICATE----- line of the public certificate, leading to an invalid chained certificate file. Manually separating these two lines can correct the issue.

MikeOnline
  • Thanks a bunch, was pulling my hair for half an hour :) – Maksim Satsikau Sep 14 '19 at 19:15
  • all it was for me was a typo in the initial cert generation. i just had to redo the cert. – Robot70 Dec 18 '19 at 22:12
  • For me the command `cat` to concatenate the two certificates was somehow creating repetitive content in the merged `.crt` file. So I manually concatenated the two certificates to create the `.crt` file and then Nginx stopped complaining. – Souvik Ray Apr 29 '21 at 21:25
4

I configured the certificates wrongly in gitlab.rb file. A simple error took long to realize.

nginx['ssl_certificate'] = "/etc/gitlab/ssl/self-ssl.crt"
nginx['ssl_certificate'] = "/etc/gitlab/ssl/self-ssl.key"

Instead of

nginx['ssl_certificate'] = "/etc/gitlab/ssl/self-ssl.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/self-ssl.key"
Murmel
2

I had the same problem, the reason was that the lines -----END CERTIFICATE----- of one certificate and -----BEGIN CERTIFICATE----- of another one happened to be on the same line, so basically:

-----END CERTIFICATE----------BEGIN CERTIFICATE-----

This happened after I merged a few crt files into a bundle through the command line; no newline was added between the files, which corrupted the whole crt file.

Fixed it by splitting the line.

Waddah
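The faults reported in this answer and in the ones above (a CSR installed as the certificate, four-dash BEGIN/END markers, missing markers, CRLF line endings, END/BEGIN markers fused onto one line by `cat`) are all visible in the text of the PEM file before nginx ever sees it. The checker below is an added example written for this thread; it is not code from any of the answers, from nginx or from OpenSSL. It uses only the Python standard library. The sample PEM texts are constructed, with `MAMCAQE=` (a five-byte DER SEQUENCE) standing in for a real certificate body, and `concat_pem` is a hypothetical helper showing the newline-safe join that the `cat`-based bundling instructions assume.

```python
"""PEM sanity checker for certificate files handed to nginx (added example).

Catches a CSR installed as the certificate, four-dash BEGIN/END markers,
missing markers, CRLF (^M) line endings and END/BEGIN markers fused by `cat`.
"""
import base64
import binascii
import re

# Markers are matched with any run of dashes so that a wrong dash count becomes
# a finding instead of the marker being silently ignored.
BEGIN_RE = re.compile(r"^(-+)BEGIN ([A-Z0-9 ]+?)(-+)$")
END_RE = re.compile(r"^(-+)END ([A-Z0-9 ]+?)(-+)$")
FUSED_RE = re.compile(r"^-+END ([A-Z0-9 ]+?)-+BEGIN ([A-Z0-9 ]+?)-+$")


def _split_fused(numbered, findings):
    """Split '-----END X----------BEGIN Y-----' into two marker lines (same line number)."""
    out = []
    for n, line in numbered:
        m = FUSED_RE.match(line.strip())
        if m:
            findings.append(f"line {n}: END and BEGIN markers on one line "
                            "(files concatenated without a trailing newline)")
            out.append((n, f"-----END {m.group(1)}-----"))
            out.append((n, f"-----BEGIN {m.group(2)}-----"))
        else:
            out.append((n, line))
    return out


def lint_pem(text):
    """Return (labels, findings): PEM block labels in order, and a list of problems."""
    findings, labels = [], []
    if "\r" in text:
        findings.append("CR characters (^M) present: convert with dos2unix")
        text = text.replace("\r", "")
    label, body = None, []
    for n, line in _split_fused(enumerate(text.split("\n"), 1), findings):
        line = line.strip()
        m = BEGIN_RE.match(line)
        if m:
            if label is not None:
                findings.append(f"line {n}: BEGIN {m.group(2)} while {label} block still open")
            if len(m.group(1)) != 5 or len(m.group(3)) != 5:
                findings.append(f"line {n}: BEGIN marker must use exactly five dashes")
            label, body = m.group(2), []
            continue
        m = END_RE.match(line)
        if m:
            if label is None:
                findings.append(f"line {n}: END {m.group(2)} without a BEGIN")
                continue
            if m.group(2) != label:
                findings.append(f"line {n}: END {m.group(2)} does not match BEGIN {label}")
            if len(m.group(1)) != 5 or len(m.group(3)) != 5:
                findings.append(f"line {n}: END marker must use exactly five dashes")
            try:
                der = base64.b64decode("".join(body), validate=True)
            except (binascii.Error, ValueError):
                der = b""
                findings.append(f"line {n}: body of {label} block is not valid base64")
            # X.509 certificates, CSRs and PKCS#1/PKCS#8 keys all start as a DER SEQUENCE (0x30).
            if der and der[0] != 0x30:
                findings.append(f"line {n}: {label} body does not decode to an ASN.1 SEQUENCE")
            labels.append(label)
            label, body = None, []
            continue
        if label is not None and line:
            body.append(line)
    if label is not None:
        findings.append(f"BEGIN {label} block is never closed")
    if not labels and not findings:
        findings.append("no PEM BEGIN/END markers found")
    return labels, findings


def check_nginx_cert_file(text):
    """Findings for a file meant for nginx's ssl_certificate directive."""
    labels, findings = lint_pem(text)
    if "CERTIFICATE REQUEST" in labels:
        findings.append("file is a certificate signing request (CSR), not a signed certificate: "
                        "send it to the CA and install the certificate they return")
    if "CERTIFICATE" not in labels:
        findings.append("no CERTIFICATE block found")
    return findings


def concat_pem(*texts):
    """Newline-safe replacement for `cat a.crt b.crt > bundle.crt` (hypothetical helper)."""
    return "".join(t.replace("\r", "").strip() + "\n" for t in texts)


# Constructed samples: "MAMCAQE=" is a 5-byte placeholder DER SEQUENCE, not a real certificate.
GOOD = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
CSR = GOOD.replace("CERTIFICATE", "CERTIFICATE REQUEST")
FOUR_DASH = GOOD.replace("-----", "----")
CRLF = GOOD.replace("\n", "\r\n")

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("csr", CSR), ("four-dash", FOUR_DASH),
                         ("crlf", CRLF), ("cat-fused", GOOD.strip() + GOOD)]:
        print(name, check_nginx_cert_file(sample))
```

Run against the file nginx rejects: a CSR renamed to `.crt` is reported as a request with no CERTIFICATE block, and `GOOD.strip() + GOOD` reproduces the single-line `-----END CERTIFICATE----------BEGIN CERTIFICATE-----` quoted above, which `concat_pem` avoids by terminating every part with exactly one newline.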
0

Because I was working in a different structure, I had copied the .crt and .key files from one place to another and then faced the same problem.

Actually, the problem is very simple. Had to set permissions again after copying.

In short, I solved the problem by changing the owner of the file.

sudo chown -R $USER:$USER /path/to/.key/file

(development only)

sha'an