I have to add ssl (https) for a website, I was given a SSL.CSR and a SSL.KEY file. I 'dos2unix'ed them (because they have trailing ^M) and copied them to the server(CSR -> mywebsite.crt, KEY -> mywebsite.key). I did the following modification to nginx.conf:

@@ -60,8 +60,13 @@ } server { - listen 80; + listen 443; server_name ...; + ssl on; + ssl_certificate mywebsite.crt; + ssl_certificate_key mywebsite.key; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; # Set the max size for file uploads to 500Mb client_max_body_size 500M; 

Error happens when I restart nginx:

nginx: [emerg] PEM_read_bio_X509_AUX("/etc/nginx/mywebsite.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE) 

I figure it's because the first line of mywebsite.crt file contains 'REQUEST', so I remove 'REQUEST' from the first and last of the lines, and restart nginx again, and hit another error:

nginx: [emerg] PEM_read_bio_X509_AUX("/etc/nginx/mywebsite.crt") failed (SSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:Field=algorithm, Type=X509_ALGOR error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:Field=signature, Type=X509_CINF error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:Field=cert_info, Type=X509 error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib) 

Any idea?

5

7 Answers

You should never share your private key. You should consider the key you posted here compromised and generate a new key and signing request.

You have a certificate request and not an actual signed certificate. You provide the request ('CSR') to the signing party. They use that request to create a signed certificate ('CRT') which they then make available to you. The key is never disclosed to anyone.

2

FYI, you can validate the keys just calling:

openssl x509 -noout -text -in your.crt openssl rsa -noout -text -in your.key 

In my case this error proved rather subtle: the BEGIN block started with 4 dashes, not 5. ---- vs -----. Sadly the validation tool error messages aren't very specific.

4

I came across this issue while searching online for SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE
I got this error after running:

 nginx -t 

The problem I had was that cert.pem and cert.key was missing

 -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- 
2

The steps on the NGINX site for combining your public certificate with an intermediate certificate use cat to combine the two files. But if your public cert file does not end in a new line, the -----BEGIN CERTIFICATE----- line of the intermediate cert will be appended to the end of the -----END CERTIFICATE----- line of the public certificate, leading to an invalid chained certificate file. Manually separating these two lines can correct the issue.

3

I configured the certificates wrongly in gitlab.rb file. A simple error took long to realize.

nginx['ssl_certificate'] = "/etc/gitlab/ssl/self-ssl.crt" nginx['ssl_certificate'] = "/etc/gitlab/ssl/self-ssl.key" 

Instead of

 nginx['ssl_certificate'] = "/etc/gitlab/ssl/self-ssl.crt" nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/self-ssl.key" 

I had the same problem, the reason was that the lines -----END CERTIFICATE----- of one certificate and -----BEGIN CERTIFICATE----- of another one happened to be on the same line, so basically:

-----END CERTIFICATE----------BEGIN CERTIFICATE----- 

this happened after I merged a few crt files in a bundle through command line and between files there was no newline added, which corrupted the whole crt file.

fixed it by splitting the line

Because I was working in a different structure, I had copied the .crt and .key files from one place to another and then faced the same problem.

Actually, the problem is very simple. Had to set permissions again after copying.

In short, I solved the problem by changing the owner of the file.

sudo chown -R $USER:$USER /path/to/.key/file 

(development only)

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge that you have read and understand our privacy policy and code of conduct.