51

I have to add ssl (https) for a website, I was given a SSL.CSR and a SSL.KEY file. I 'dos2unix'ed them (because they have trailing ^M) and copied them to the server (CSR -> mywebsite.crt, KEY -> mywebsite.key). I did the following modification to nginx.conf:

@@ -60,8 +60,13 @@
        }

     server {
-       listen       80;
+       listen       443;
         server_name  ...;
+       ssl                 on;
+       ssl_certificate     mywebsite.crt;
+       ssl_certificate_key mywebsite.key;
+       ssl_session_cache   shared:SSL:10m;
+       ssl_session_timeout 10m;
        # Set the max size for file uploads to 500Mb

        client_max_body_size 500M;
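Review bot: `ssl_certificate mywebsite.crt;` points at the renamed signing request, but this directive needs the CA-signed certificate; the `PEM_read_bio_X509_AUX ... Expecting: TRUSTED CERTIFICATE` error below is that mismatch. Keep the CSR for the CA, install the certificate they return (chained with any intermediate) and reference that file here. Two smaller points in the same hunk: replacing `listen 80;` with `listen 443;` drops plain HTTP entirely, so keep a separate port-80 server (typically a redirect to https) if that traffic should still be answered, and `ssl on;` is deprecated in favour of `listen 443 ssl;`.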

Error happens when I restart nginx:

nginx: [emerg] PEM_read_bio_X509_AUX("/etc/nginx/mywebsite.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)

I figure it's because the first line of mywebsite.crt contains 'REQUEST', so I remove 'REQUEST' from the first and last lines, restart nginx again, and hit another error:

nginx: [emerg] PEM_read_bio_X509_AUX("/etc/nginx/mywebsite.crt") failed (SSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:Field=algorithm, Type=X509_ALGOR error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:Field=signature, Type=X509_CINF error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:Field=cert_info, Type=X509 error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib)

Any idea?

5
  • 6
    You can get free Class 1 Server certificates from StartCom. Submit the CSR, and get a CRT back (signed certificate). Convert the CRT to PEM, and concatenate StartCom's Class 1 Server Intermediate certificate to the file with the PEM encoded certificate you just converted. And as Mark said, throw away that key.
    – jww
    Commented Feb 19, 2014 at 6:10
  • 3
    By the way, openssl req -in mycsr.csr -noout -text prints the CSR. Your CSR is malformed - since it has a Common Name (CN), the same host name needs to be listed as a Subject Alt Name (SAN). CN is deprecated, and you should just list *.example.net as a SAN (and omit the CN). See the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates from the CA/Browser forums.
    – jww
    Commented Feb 19, 2014 at 6:36
  • @noloader Thanks for your answer! Actually I used the wrong file, I was given a CertB64.cer file which is accepted by nginx. Now I have another two problems: 1) Firefox complains the certificate has no 'issuer chain' 2) all the pics (hosted on asset.bbb.aaa.mywebsite.com) can't be loaded because Chrome and IE complain the certificate (issued for *.aaa.mywebsite.com) is not for asset.bbb.aaa.mywebsite.com, pics can only be opened if I manually open pic URL and confirm security exception. I guess I need to get another certificate issued for ..aaa.mywebsite.com with issuer chain included?
    – Romstar
    Commented Feb 19, 2014 at 7:42
  • 1
    I hit this problem on macOS. By mistake I exported the Public Key of each Certificate in my Chain instead of the Certificate files. Once I exported the Cert files (as PEM files) and chained them together, it all worked. Commented Mar 18, 2020 at 13:52
  • See github.com/debauchee/barrier/issues/126
    – Gilbert
    Commented Feb 4, 2022 at 16:31

7 Answers

45

You should never share your private key. You should consider the key you posted here compromised and generate a new key and signing request.

You have a certificate request and not an actual signed certificate. You provide the request ('CSR') to the signing party. They use that request to create a signed certificate ('CRT') which they then make available to you. The key is never disclosed to anyone.

2
  • 4
    And how do I get a CSR? I was given a CRT and a KEY file. Commented Nov 3, 2017 at 0:23
  • @PaulKenjora A CSR can be generated yourself using openssl Commented May 31, 2021 at 11:02
29

FYI, you can validate the keys just calling:

openssl x509 -noout -text -in your.crt
openssl rsa -noout -text -in your.key

In my case this error proved rather subtle: the BEGIN block started with 4 dashes, not 5. ---- vs -----. Sadly the validation tool error messages aren't very specific.

4
  • In my case the newlines after BEGIN and before END dashed lines were lost and I had to add them back.
    – angularsen
    Commented Aug 5, 2017 at 22:53
  • Thank you @joseph-lust, I was able to pin point the issue using this. I had generated my .crt file from .pem using openssl and openssl wasn't able to validate it. Commented Dec 27, 2018 at 12:55
  • In my case I got extra spaces at the beginning of each line while copy-pasting. Commented Jun 3, 2019 at 11:02
  • in my case, the files were sent to me via slack which converted ----- into ——
    – Snapey
    Commented Feb 5, 2021 at 14:54
16

I came across this issue while searching online for SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE
I got this error after running:

    nginx -t

The problem I had was that cert.pem and cert.key were missing

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
2
  • nginx -t let me know that the format of the .crt I was working with wasn't correct. I double checked and during import (I was installing the certificate using an external service) the .crt file was getting mangled. Thanks man.
    – Djave
    Commented Nov 30, 2016 at 17:55
  • Same case here.
    – jirarium
    Commented Aug 6, 2019 at 11:20
9

The steps on the NGINX site for combining your public certificate with an intermediate certificate use cat to combine the two files. But if your public cert file does not end in a new line, the -----BEGIN CERTIFICATE----- line of the intermediate cert will be appended to the end of the -----END CERTIFICATE----- line of the public certificate, leading to an invalid chained certificate file. Manually separating these two lines can correct the issue.

3
  • 1
    Thanks a bunch, was pulling my hair for half an hour :) Commented Sep 14, 2019 at 19:15
  • All it was for me was a typo in the initial cert generation. I just had to redo the cert.
    – Robot70
    Commented Dec 18, 2019 at 22:12
  • For me the command cat to concatenate the two certificates was somehow creating repetitive content in the merged .crt file. So I manually concatenated the two certificates to create the .crt file and then Nginx stopped complaining.
    – Souvik Ray
    Commented Apr 29, 2021 at 21:25
5

I configured the certificates wrongly in gitlab.rb file. A simple error took long to realize.

nginx['ssl_certificate'] = "/etc/gitlab/ssl/self-ssl.crt"
nginx['ssl_certificate'] = "/etc/gitlab/ssl/self-ssl.key"

Instead of

nginx['ssl_certificate'] = "/etc/gitlab/ssl/self-ssl.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/self-ssl.key"
3

I had the same problem, the reason was that the lines -----END CERTIFICATE----- of one certificate and -----BEGIN CERTIFICATE----- of another one happened to be on the same line, so basically:

-----END CERTIFICATE----------BEGIN CERTIFICATE-----

This happened after I merged a few crt files into a bundle through the command line and no newline was added between files, which corrupted the whole crt file.

Fixed it by splitting the line.
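Nearly every cause reported in this thread is a problem with the PEM envelope rather than with the certificate itself: a `BEGIN CERTIFICATE REQUEST` header in the question, four dashes instead of five in the second answer, missing newlines, leading spaces and chat-client dashes in its comments, absent BEGIN/END lines in the third answer, and an END line fused onto the next BEGIN line after `cat` in the fourth answer and the one just above. The script below is an added example written for this page, not code from any poster. It lints a PEM file for exactly those defects and reports which line is wrong, something the `openssl` error text does not do, and `join_pem` is the safe replacement for `cat` when building a chain. The sample text is constructed: its base64 body is a placeholder DER SEQUENCE, not a real certificate. The lint only checks the envelope and the outer DER tag; it cannot tell a certificate's DER from a request's, which is why the question's second error ("wrong tag") still needs `openssl x509 -noout -text -in file` to diagnose.

```python
import base64
import binascii
import re

# Labels nginx accepts for ssl_certificate and ssl_certificate_key respectively.
CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# A correct boundary: exactly five ASCII hyphens on each side and nothing else on the line.
BOUNDARY = re.compile(r"^-----(BEGIN|END) ([A-Z][A-Z0-9 ]*?)-----$")
# Anything that still looks like a boundary keyword, used to diagnose mangled boundary lines.
KEYWORD = re.compile(r"\b(BEGIN|END) [A-Z]")
BASE64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def lint_pem(text, expect="cert"):
    """Return a list of problems found in PEM text; an empty list means the framing is sane.

    expect is "cert" for an ssl_certificate file and "key" for an ssl_certificate_key file.
    Only the PEM envelope and the outer DER tag are checked; whether the DER inside is a
    certificate rather than a request still needs `openssl x509 -noout -text -in file`.
    """
    problems = []
    if "\r" in text:
        problems.append("CRLF line endings: run dos2unix (or strip the \\r) before use")
        text = text.replace("\r", "")
    if not text.endswith("\n"):
        problems.append("no trailing newline: `cat this next` would fuse the next BEGIN "
                        "line onto this file's END line")

    open_label = None      # label of the block we are inside, or None
    body = []              # base64 lines of the current block
    block_count = 0
    padded_lines = 0
    for n, raw in enumerate(text.split("\n"), 1):
        line = raw.strip()
        if not line:
            continue
        if raw != line:
            padded_lines += 1          # copy-paste indentation or trailing spaces
        m = BOUNDARY.match(line)
        if m:
            kind, label = m.groups()
            if kind == "BEGIN":
                if open_label:
                    problems.append(f"line {n}: BEGIN {label} while {open_label} is still open")
                open_label, body, block_count = label, [], block_count + 1
                if expect == "cert" and label not in CERT_LABELS:
                    hint = (" (a signing request: send it to the CA and install the "
                            "certificate they return)" if "REQUEST" in label else "")
                    problems.append(f"line {n}: '{label}' is not a certificate{hint}")
                if expect == "key" and label not in KEY_LABELS:
                    problems.append(f"line {n}: '{label}' is not a private key")
            else:
                if label != open_label:
                    problems.append(f"line {n}: END {label} does not close an open "
                                    f"{open_label or 'block'}")
                try:
                    der = base64.b64decode("".join(body), validate=True)
                    if not der.startswith(b"\x30"):   # every X.509 object is a DER SEQUENCE
                        problems.append(f"line {n}: block body is not DER (expected SEQUENCE)")
                except binascii.Error:
                    problems.append(f"line {n}: block body is not valid base64")
                open_label, body = None, []
            continue
        keywords = KEYWORD.findall(line)
        if keywords:
            if len(keywords) > 1:
                problems.append(f"line {n}: two boundaries on one line; put a newline "
                                "between END and BEGIN")
            elif "\u2013" in line or "\u2014" in line:
                problems.append(f"line {n}: Unicode dashes instead of '-' (chat clients "
                                "and word processors do this)")
            else:
                problems.append(f"line {n}: boundary must have exactly five '-' on each side")
            continue
        if open_label is not None:
            if BASE64_LINE.match(line):
                body.append(line)
            else:
                problems.append(f"line {n}: not base64")
    if open_label:
        problems.append(f"unterminated {open_label} block (missing END line)")
    if block_count == 0:
        problems.append("no BEGIN/END block found")
    if padded_lines:
        problems.append(f"{padded_lines} line(s) have leading/trailing whitespace")
    return problems


def join_pem(*texts):
    """Concatenate PEM texts so every block starts on its own line, which `cat` cannot guarantee."""
    return "".join(t if t.endswith("\n") else t + "\n" for t in texts)


# Constructed sample: the base64 is a placeholder DER SEQUENCE, not a real certificate.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBAgIBAA==\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, text in [("ok", SAMPLE_CERT),
                       ("csr", SAMPLE_CERT.replace("CERTIFICATE", "CERTIFICATE REQUEST")),
                       ("fused", SAMPLE_CERT.rstrip("\n") + SAMPLE_CERT),
                       ("chained", join_pem(SAMPLE_CERT.rstrip("\n"), SAMPLE_CERT))]:
        print(name, lint_pem(text) or "OK")
```

Run it against the real files with `lint_pem(open("/etc/nginx/mywebsite.crt").read())` and `lint_pem(open(".../mywebsite.key").read(), expect="key")` before restarting nginx; a clean result means the envelope is fine and any remaining error is inside the DER, where `openssl x509` and `openssl rsa` from the answer above take over.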

0

Because I was working in a different structure, I had copied the .crt and .key files from one place to another and then faced the same problem.

Actually, the problem is very simple. Had to set permissions again after copying.

In short, I solved the problem by changing the owner of the file.

sudo chown -R $USER:$USER /path/to/.key/file

(development only)
