500 OOPS: SSL: cannot load RSA private key vsftpd


Solution 1

I had a similar problem today on a NetScaler (BSD-based networking appliance with an older version of openssl than I created the key on), although not with vsftpd, and I can say that mysql also suffers from it.

Your private key format is perhaps in a different format than expected. Try the following:

mv /etc/vsftpd/private/vsftpd2.key{,.old}
openssl rsa -in /etc/vsftpd/private/vsftpd2.key.old -out /etc/vsftpd/private/vsftpd2.key
diff /etc/vsftpd/private/vsftpd2.key{.old,}

You may find that the first and last lines are noticeably different (eg. BEGIN RSA PRIVATE KEY may change to something like BEGIN RSA KEY or similar).

Other similar things to check (for other pieces of software)

  • Do you have native line-endings in your private key file?
  • Do you perhaps need to remove the trailing newline?

Another common fault (quite applicable to you perhaps) is that vsftpd may change user after starting; some software will read the key after this happens (eg. mysql), while others will read it before (eg. httpd). Strace can be very informative here if you want to really dig into it.
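The checks Solution 1 lists (PEM label on the first line, native line endings, trailing newline, readability) can be run mechanically. The function below is an added example for this page, not code from the answer or from vsftpd; the name pem_key_check and the sample files it creates are constructed here, and the key material in them is a placeholder, not a real key.

```shell
#!/bin/sh
# pem_key_check FILE: report the properties of a PEM private key that
# commonly stop a daemon from loading it. Returns 0 when FILE is a readable,
# LF-terminated "BEGIN RSA PRIVATE KEY" block and 1 when something was found
# that is worth fixing first. (Constructed example, not vsftpd code.)
pem_key_check() {
    f="$1"
    rc=0
    if [ ! -r "$f" ]; then
        echo "$f: not readable (check the path, owner and mode)"
        return 1
    fi
    # The first line carries the PEM label, which names the key encoding.
    label=$(head -n 1 "$f" | tr -d '\r')
    case "$label" in
        "-----BEGIN RSA PRIVATE KEY-----")
            echo "$f: traditional (PKCS#1) RSA key" ;;
        "-----BEGIN PRIVATE KEY-----")
            echo "$f: PKCS#8 key; Solution 1 converts it with: openssl rsa -in $f -out NEWFILE"
            rc=1 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            echo "$f: passphrase-protected key; an unattended daemon cannot decrypt it"
            rc=1 ;;
        *)
            echo "$f: first line is not a PEM private-key header: $label"
            rc=1 ;;
    esac
    # CRLF line endings: strip every CR and see whether the file changed.
    if ! tr -d '\r' < "$f" | cmp -s - "$f"; then
        echo "$f: has CR (carriage return) line endings; convert with dos2unix"
        rc=1
    fi
    # Trailing newline: reported either way, since software differs on what it wants.
    if [ -n "$(tail -c 1 "$f")" ]; then
        echo "$f: no newline after the END line"
    else
        echo "$f: ends with a newline"
    fi
    return $rc
}

# Demo on constructed files (placeholder content, not real keys):
# one clean PKCS#1 key, one PKCS#8 key saved with Windows line endings.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDERBASE64...' '-----END RSA PRIVATE KEY-----' > "$demo_dir/good.key"
printf '%s\r\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDERBASE64...' '-----END PRIVATE KEY-----' > "$demo_dir/windows.key"
for k in "$demo_dir"/*.key; do
    pem_key_check "$k" || echo "  -> $k needs attention before a daemon will load it"
done
rm -rf "$demo_dir"
```

Run it against the real file with `pem_key_check /etc/vsftpd/private/vsftpd2.key`; the CR check is the one most often missed when a key was pasted through a Windows editor.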

Solution 2

It seems I have found the root of the issue

I have run strace with your config

stat("/etc/vsftpd/vsftpd.conf", {st_mode=S_IFREG|0600, st_size=791, ...}) = 0
getuid()                                = 0
getuid()                                = 0
open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 3
fstat(3, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
poll([{fd=3, events=POLLIN}], 1, 10)    = 1 ([{fd=3, revents=POLLIN}])
read(3, "\225\f\312\271\276\215\201=\200\237A\337u7\237\201\2001GC\352\371\363\334GT\36/\37\f\33\257"..., 48) = 48
close(3)                                = 0
getuid()                                = 0
open("/etc/vsftpd/certificado/vsftpd.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
fcntl(0, F_GETFL)                       = 0x8402 (flags O_RDWR|O_APPEND|O_LARGEFILE)
fcntl(0, F_SETFL, O_RDWR|O_APPEND|O_NONBLOCK|O_LARGEFILE) = 0
write(0, "500 OOPS: ", 10500 OOPS: )              = 10
write(0, "SSL: cannot load RSA certificate", 32SSL: cannot load RSA certificate) = 32
write(0, "\r\n", 2
)                     = 2
exit_group(1)                           = ?
+++ exited with 1 +++

As you can see, vsftpd can't find the SSL certificate - /etc/vsftpd/certificado/vsftpd.pem.

open("/etc/vsftpd/certificado/vsftpd.pem", O_RDONLY) = -1 ENOENT (No such file or directory)

It's because when the certificate was generated you used a different name:

-out /etc/vsftpd/certificado/vsfptd3.pem

Correct the file name for the certificate (rsa_cert_file) in your vsftpd.conf.

500 OOPS: SSL: cannot load RSA private key

Also check the path and name of your private key.

P.S. You can always debug vsftpd with the strace utility:

# strace /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
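Solution 2 finds the mismatch by eye: the config names vsftpd.pem while the certificate was written as vsfptd3.pem, and strace shows the open() failing with ENOENT. The two helpers below do the same comparison mechanically. They are an added example for this page, not code from the answer or from vsftpd; the names vsftpd_ssl_paths and failed_opens, and the sample config and trace excerpt written to a temporary directory, are constructed here (the ENOENT line is copied from the trace above).

```shell
#!/bin/sh
# vsftpd_ssl_paths CONF: print the rsa_cert_file and rsa_private_key_file
# values from CONF and whether each file is readable. Returns 1 if any
# configured file is missing or unreadable. (Constructed example.)
vsftpd_ssl_paths() {
    conf="$1"
    rc=0
    for key in rsa_cert_file rsa_private_key_file; do
        # Take the last uncommented assignment of this key.
        path=$(sed -n "s/^[[:space:]]*$key=//p" "$conf" | tail -n 1)
        if [ -z "$path" ]; then
            echo "$key: not set in $conf"
            continue
        fi
        if [ -r "$path" ]; then
            echo "$key=$path: OK"
        else
            echo "$key=$path: MISSING or unreadable"
            rc=1
        fi
    done
    return $rc
}

# failed_opens TRACE: from an strace log, print "ERRNO path" for every
# open()/openat() call that returned -1, so a missing certificate or key
# stands out without reading the whole trace.
failed_opens() {
    grep -E '^(open|openat)\(.*\) += -1 E[A-Z]+' "$1" \
      | sed -E 's/^[a-z]+\([^"]*"([^"]*)".*= -1 (E[A-Z]+).*/\2 \1/'
}

# Demo with a constructed config and trace excerpt in a temporary directory.
demo_dir=$(mktemp -d)
: > "$demo_dir/vsftpd2.key"                      # the key exists ...
printf '%s\n' 'listen=YES' 'ssl_enable=YES' \
  "rsa_cert_file=$demo_dir/vsftpd.pem" \
  "rsa_private_key_file=$demo_dir/vsftpd2.key" > "$demo_dir/vsftpd.conf"
                                                 # ... but the certificate does not
vsftpd_ssl_paths "$demo_dir/vsftpd.conf" || echo "  -> fix rsa_cert_file before starting vsftpd"

printf '%s\n' \
  'getuid()                                = 0' \
  'open("/etc/vsftpd/certificado/vsftpd.pem", O_RDONLY) = -1 ENOENT (No such file or directory)' \
  'open("/etc/vsftpd/private/vsftpd2.key", O_RDONLY) = 4' > "$demo_dir/trace.log"
echo "failed opens in trace:"
failed_opens "$demo_dir/trace.log"
rm -rf "$demo_dir"
```

On a real host the second helper is fed the output of `strace -f -o trace.log /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf`; the first is run against the live vsftpd.conf, and the two should agree on which path is missing.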

Solution 3

In my case I changed the command from this:

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd.pem -out /etc/vsftpd.pem

TO:

openssl req -x509 -nodes -days 720 -newkey rsa:2048 -keyout /etc/vsftpd.key -out /etc/vsftpd.pem

I got the tip from: https://askubuntu.com/questions/412070/vsftpd-will-not-start-with-ssl-enabled

Then it worked!!!

Author: masegaloeh

Updated on September 18, 2022

Comments

  • masegaloeh
    masegaloeh over 1 year

    I'm configuring vsftpd on Debian 7.3, and I'm trying to use SSL. I generated the certificates using this command:

    openssl req -x509 -nodes -days 1925 -newkey rsa:2048 -keyout /etc/vsftpd/private/vsftpd2.key -out /etc/vsftpd/certificado/vsfptd3.pem
    

    And my vsftpd.conf is this:

    listen=YES
    anonymous_enable=YES
    local_enable=YES
    write_enable=YES
    #anon_upload_enable=YES
    anon_mkdir_write_enable=YES
    dirmessage_enable=YES
    use_localtime=YES
    xferlog_enable=YES
    connect_from_port_20=NO
    #chown_uploads=YES
    #chown_username=whoever
    #
    chroot_local_user=YES
    chroot_local_user=YES
    chroot_list_enable=YES
    chroot_list_file=/etc/vsftpd.chroot_list
    secure_chroot_dir=/var/run/vsftpd/empty
    pam_service_name=ftp-ssl
    rsa_cert_file=/etc/vsftpd/certificado/vsftpd.pem
    rsa_private_key_file=/etc/vsftpd/private/vsftpd2.key
    anon_root=/srv/ftp/anonimo
    chown_upload_mode=757
    anon_upload_enable=YES
    ssl_enable=YES
    allow_anon_ssl=NO
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    ssl_tlsv1=YES
    ssl_sslv2=NO
    ssl_sslv3=NO
    listen_port=990
    ssl_ciphers=HIGH
    require_ssl_reuse=NO

    But every time I try to start vsftpd I get this error message:

    500 OOPS: SSL: cannot load RSA private key

    I've checked that the permissions are well configured; I don't know what to do to fix this. Any help, please?

  • Phib3r Optix
    Phib3r Optix almost 4 years
    Thanks much because you have helped me prove there's a bug in the latest software. MY problem, today, isn't the same as yours, but your tip of using strace helped prove that the key file(s) are being read, just not accepted, for who knows what reason...
  • Phib3r Optix
    Phib3r Optix almost 4 years
    Unfortunately it didn't work for me but I appreciate the suggestion. I didn't give you an up-vote because I don't want to encourage others to also try what didn't work. Simply leaving this comment here may help others, as we'll try whatever when we have nothing working!