500 OOPS: SSL: cannot load RSA private key vsftpd
Solution 1
I had a similar problem today on a NetScaler (BSD-based networking appliance with an older version of openssl than I created the key on), although not with vsftpd, and I can say that mysql also suffers from it.
Your private key format is perhaps in a different format than expected. Try the following:
mv /etc/vsftpd/private/vsftpd2.key{,.old}
openssl rsa -in /etc/vsftpd/private/vsftpd2.key.old -out /etc/vsftpd/private/vsftpd2.key
diff /etc/vsftpd/private/vsftpd2.key{.old,}
You may find that the first and last lines are noticeably different (e.g. BEGIN RSA PRIVATE KEY may change to something like BEGIN RSA KEY or similar).
Other similar things to check (for other pieces of software)
- Do you have native line-endings in your private key file?
- Do you perhaps need to remove the trailing newline?
Another common fault (quite applicable to you perhaps) is that vsftpd may change user after starting; some software will read the key after this happens (e.g. mysql), while others will read it before (e.g. httpd). Strace can be very informative here if you want to really dig into it.
Solution 2
It seems I have found the root of the issue
I have run strace with your config
stat("/etc/vsftpd/vsftpd.conf", {st_mode=S_IFREG|0600, st_size=791, ...}) = 0
getuid() = 0
getuid() = 0
open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 3
fstat(3, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
poll([{fd=3, events=POLLIN}], 1, 10) = 1 ([{fd=3, revents=POLLIN}])
read(3, "\225\f\312\271\276\215\201=\200\237A\337u7\237\201\2001GC\352\371\363\334GT\36/\37\f\33\257"..., 48) = 48
close(3) = 0
getuid() = 0
open("/etc/vsftpd/certificado/vsftpd.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
fcntl(0, F_GETFL) = 0x8402 (flags O_RDWR|O_APPEND|O_LARGEFILE)
fcntl(0, F_SETFL, O_RDWR|O_APPEND|O_NONBLOCK|O_LARGEFILE) = 0
write(0, "500 OOPS: ", 10500 OOPS: ) = 10
write(0, "SSL: cannot load RSA certificate", 32SSL: cannot load RSA certificate) = 32
write(0, "\r\n", 2
) = 2
exit_group(1) = ?
+++ exited with 1 +++
As you can see, vsftpd can't find the SSL certificate - /etc/vsftpd/certificado/vsftpd.pem.
open("/etc/vsftpd/certificado/vsftpd.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
It's because when the certificate was generated you used a different name:
-out /etc/vsftpd/certificado/vsfptd3.pem
Correct the file name for the certificate (rsa_cert_file) in your vsftpd.conf.
500 OOPS: SSL: cannot load RSA private key
Also check the path and name of your private key.
P.S. You can always debug vsftpd with the strace utility:
# strace /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
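Added example (not code from the answers above or from the vsftpd project): a small Python preflight script that performs the checks Solution 1 and Solution 2 do by hand before vsftpd is started. It reads a vsftpd.conf, pulls out rsa_cert_file and rsa_private_key_file, and reports a missing file (the ENOENT the strace shows), a key with a different PEM header than the traditional RSA one, CRLF line endings, a missing trailing newline, a passphrase-protected key, and a key readable by other users. The function names (`preflight`, `check_pem_file`, `demo`) and the sample config and PEM texts are constructed for this example; the PEM bodies are placeholders since only the headers are inspected.

```python
"""Preflight check for vsftpd TLS files (added example, not vsftpd code).
Reports the conditions that produce "500 OOPS: SSL: cannot load RSA ..."
before vsftpd is started.  Sample data below is constructed."""
import os
import stat
import tempfile

PKCS1_HDR = "-----BEGIN RSA PRIVATE KEY-----"
PKCS8_HDR = "-----BEGIN PRIVATE KEY-----"
ENC_HDR = "-----BEGIN ENCRYPTED PRIVATE KEY-----"
CERT_HDR = "-----BEGIN CERTIFICATE-----"

def parse_vsftpd_conf(text):
    """Return {option: value} for a vsftpd.conf: one option=value per line,
    '#' starts a comment, no spaces around '='."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def check_pem_file(path, want_private_key):
    """Return a list of findings for one PEM file; an empty list means the
    file exists and has the shape the answers above expect."""
    if not os.path.exists(path):
        return ["%s: ENOENT (No such file or directory)" % path]
    findings = []
    with open(path, "rb") as f:
        data = f.read()
    if b"\r\n" in data:
        findings.append("%s: CRLF line endings; convert to LF" % path)
    if not data.endswith(b"\n"):
        findings.append("%s: no trailing newline after the END line" % path)
    text = data.decode("ascii", "replace")
    if want_private_key:
        if PKCS1_HDR in text:
            pass  # traditional RSA encoding, what 'openssl rsa -out' writes
        elif PKCS8_HDR in text:
            findings.append("%s: PKCS#8 header; re-encode with "
                            "'openssl rsa -in KEY -out KEY'" % path)
        elif ENC_HDR in text:
            findings.append("%s: passphrase-protected key; "
                            "generate with -nodes" % path)
        else:
            findings.append("%s: no private key block found" % path)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            findings.append("%s: mode %04o is readable by group/other"
                            % (path, mode))
    elif CERT_HDR not in text:
        findings.append("%s: no certificate block found" % path)
    return findings

def preflight(conf_path):
    """Run the checks for the TLS files named in conf_path."""
    with open(conf_path) as f:
        settings = parse_vsftpd_conf(f.read())
    if settings.get("ssl_enable", "NO").upper() != "YES":
        return []  # TLS disabled: vsftpd never opens the files
    cert = settings.get("rsa_cert_file")
    if cert is None:
        return ["ssl_enable=YES but rsa_cert_file is not set"]
    # vsftpd.conf(5): with rsa_private_key_file unset, the key is read
    # from the certificate file
    key = settings.get("rsa_private_key_file", cert)
    return check_pem_file(cert, False) + check_pem_file(key, True)

# Constructed sample data: placeholder PEM bodies, only the headers matter.
SAMPLE_CERT = CERT_HDR + "\nMIIC...placeholder...\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PKCS8 = PKCS8_HDR + "\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"
SAMPLE_CONF = "listen=YES\nssl_enable=YES\nrsa_cert_file=%s\nrsa_private_key_file=%s\n"

def demo():
    """Rebuild the question's layout in a temp dir: the certificate was
    written as vsfptd3.pem while the config asks for vsftpd.pem, and the
    key has CRLF endings and a PKCS#8 header.  Returns the findings."""
    root = tempfile.mkdtemp()
    cert_dir = os.path.join(root, "certificado")
    key_dir = os.path.join(root, "private")
    os.makedirs(cert_dir)
    os.makedirs(key_dir)
    with open(os.path.join(cert_dir, "vsfptd3.pem"), "w") as f:
        f.write(SAMPLE_CERT)
    key_path = os.path.join(key_dir, "vsftpd2.key")
    with open(key_path, "wb") as f:
        f.write(SAMPLE_KEY_PKCS8.replace("\n", "\r\n").encode("ascii"))
    os.chmod(key_path, 0o600)
    conf_path = os.path.join(root, "vsftpd.conf")
    with open(conf_path, "w") as f:
        f.write(SAMPLE_CONF % (os.path.join(cert_dir, "vsftpd.pem"), key_path))
    return preflight(conf_path)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real config with `preflight("/etc/vsftpd/vsftpd.conf")`; on the question's setup `demo()` reports the missing vsftpd.pem first, which is exactly the open() that fails in the strace above, then the two key-format findings. The script only inspects headers and bytes, so a key that passes here can still be rejected by OpenSSL; strace remains the tool for that case.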
Solution 3
In my case I changed the command from this:
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd.pem -out /etc/vsftpd.pem
TO:
openssl req -x509 -nodes -days 720 -newkey rsa:2048 -keyout /etc/vsftpd.key -out /etc/vsftpd.pem
I got the tip from: https://askubuntu.com/questions/412070/vsftpd-will-not-start-with-ssl-enabled
Then it worked!!!
masegaloeh
Updated on September 18, 2022
Comments
-
masegaloeh over 1 year
I'm configuring vsftpd on debian 7.3, I'm trying to use ssl. I generate the certificates using this command:
openssl req -x509 -nodes -days 1925 -newkey rsa:2048 -keyout /etc/vsftpd/private/vsftpd2.key -out /etc/vsftpd/certificado/vsfptd3.pem
And my vsftpd.conf is this:
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
#anon_upload_enable=YES
anon_mkdir_write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=NO
#chown_uploads=YES
#chown_username=whoever
# chroot_local_user=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=ftp-ssl
rsa_cert_file=/etc/vsftpd/certificado/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/private/vsftpd2.key
anon_root=/srv/ftp/anonimo
chown_upload_mode=757
anon_upload_enable=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
listen_port=990
ssl_ciphers=HIGH
require_ssl_reuse=NO
But every time I try to start vsftpd I get this error message:
500 OOPS: SSL: cannot load RSA private key
I've checked the permissions are well configured, I don't know what to do to fix this. Any help, please?
-
Phib3r Optix almost 4 years
Thanks much because you have helped me prove there's a bug in the latest software. MY problem, today, isn't the same as yours, but your tip of using strace helped prove that the key file(s) are being read, just not accepted, for who knows what reason...
-
Phib3r Optix almost 4 years
Unfortunately it didn't work for me but I appreciate the suggestion. I didn't give you an up-vote because I don't want to encourage others to also try what didn't work. Simply leaving this comment here may help others, as we'll try whatever when we have nothing working!