nginx config fails with SSL key/pem (unique case)


Solution 1

check here

I hope you've copy-pasted it with the following lines included:

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----

Solution 2

A different solution that may work for others:

Use the .pem file for both ssl_certificate and ssl_certificate_key.

That is:

    ...
    ssl on;
    ssl_certificate      conf.d/cert.pem;
    ssl_certificate_key  conf.d/cert.pem;
    ...

Solution 3

I got the same problem (from /var/log/nginx/error.log):

    2019/03/20 01:25:41 [emerg] 2509#0: SSL_CTX_use_PrivateKey_file("/etc/nginx/conf.d/sslcert/mm.merchantspring.com.au.key") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: ANY PRIVATE KEY error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)

Then I found my key file also needed to be chained with the certificate. After updating the key file and restarting nginx, it works.

My environment:

Nginx config file is like this:

    ssl_certificate /etc/nginx/conf.d/sslcert/mywebsite.pem;
    ssl_certificate_key /etc/nginx/conf.d/sslcert/mywebsite.key;

mywebsite.pem (chained, 4 certificates in total; cat mywebsite.crt intermediate.crt > mywebsite.pem):

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

mywebsite.key (chained: certificate followed by key):

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----

I got the key file from the GoDaddy website instead of creating it with openssl, but I do think it would be better to do this with openssl.

Solution 4

FYI, make sure your BEGIN block is identical to the expected block, character for character. Mine started with 4 dashes, not 5. ---- vs -----. The validation tooling error messages aren't very specific when you make this error.
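Added example, not code from any of the answers above: a small Python pre-flight that walks the two files the way OpenSSL's PEM reader behind the SSL_CTX_use_PrivateKey_file error does, so the failures described in Solutions 1 to 4 are diagnosed before nginx is restarted. It flags the four-dash armor line from Solution 4, reports a certificate sitting in front of the key as in Solution 3 (tolerated, because the reader skips blocks that are not a private key, which is also why the combined file in Solution 2 works), and checks that the leaf certificate is the first block of the chain file. The base64 payloads in the samples are constructed placeholders, not real DER, so only structure is checked; key_matches_cert is the local openssl-based replacement for the upload site the comments warn against, and needs real files. Function and variable names are my own.

```python
import base64
import re
import shutil
import subprocess

# A PEM armor line is exactly: five dashes, BEGIN or END, a label, five dashes.
ARMOR = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")


def parse_pem(text):
    """Return (labels, problems): block labels in file order, e.g.
    ["CERTIFICATE", "PRIVATE KEY"], and findings that make OpenSSL's PEM
    reader miss or reject a block."""
    labels, problems = [], []
    current, body = None, []
    for n, raw in enumerate(text.split("\n"), 1):
        line = raw.strip()                    # OpenSSL tolerates trailing CR/spaces
        if not line:
            continue
        if not line.startswith("-"):          # base64 payload: its alphabet has no '-'
            if current is not None:
                body.append(line)
            continue
        m = ARMOR.match(line)
        if m is None:                         # e.g. "----BEGIN RSA PRIVATE KEY----"
            problems.append(f"line {n}: malformed armor line {line!r}")
            continue
        if raw != raw.lstrip():               # "-----BEGIN" must start the line
            problems.append(f"line {n}: armor line is indented")
        kind, label = m.groups()
        if kind == "BEGIN":
            if current is not None:
                problems.append(f"line {n}: BEGIN {label} inside open {current} block")
            current, body = label, []
            continue
        if label != current:
            problems.append(f"line {n}: END {label} does not close {current!r}")
        try:
            if not body:
                raise ValueError("empty body")
            base64.b64decode("".join(body), validate=True)
            labels.append(label)
        except ValueError as exc:             # binascii.Error is a ValueError
            problems.append(f"line {n}: block {label}: {exc}")
        current, body = None, []
    if current is not None:
        problems.append(f"unterminated {current} block at end of file")
    return labels, problems


def nginx_verdict(cert_text, key_text):
    """Predict what nginx's loader finds. ssl_certificate: the first CERTIFICATE
    block is the leaf and the rest the chain, so the leaf must come first.
    ssl_certificate_key: the reader skips non-key blocks, so a certificate ahead
    of the key is tolerated, but with no well-formed key block the load fails."""
    cert_labels, cert_problems = parse_pem(cert_text)
    key_labels, key_problems = parse_pem(key_text)
    findings = cert_problems + key_problems
    cert_ok = not cert_problems and cert_labels[:1] == ["CERTIFICATE"]
    key_ok = not key_problems and any(lab.endswith("PRIVATE KEY") for lab in key_labels)
    if not cert_ok:
        findings.append("ssl_certificate: no leading CERTIFICATE block")
    if not key_ok:
        findings.append("ssl_certificate_key: no usable PRIVATE KEY block "
                        "(nginx: SSL_CTX_use_PrivateKey_file ... no start line)")
    elif not key_labels[0].endswith("PRIVATE KEY"):
        findings.append("ssl_certificate_key: certificate block(s) precede the key; "
                        "OpenSSL skips them, but a key-only file is cleaner")
    return {"cert_ok": cert_ok, "key_ok": key_ok, "findings": findings}


def key_matches_cert(cert_path, key_path):
    """Local stand-in for 'cert/key match' upload sites. Needs real files and
    the openssl binary, so it is not run on the placeholder samples below."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl binary not found")

    def openssl(*args):
        return subprocess.run(["openssl", *args], capture_output=True,
                              text=True, check=True).stdout

    return (openssl("x509", "-noout", "-pubkey", "-in", cert_path)
            == openssl("pkey", "-pubout", "-in", key_path))


def armor(label, payload):
    # Wrap placeholder bytes in PEM armor: constructed test data, not a real cert or key.
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


LEAF = armor("CERTIFICATE", b"placeholder leaf certificate (not DER)")
INTERMEDIATE = armor("CERTIFICATE", b"placeholder intermediate certificate (not DER)")
KEY = armor("PRIVATE KEY", b"placeholder PKCS#8 private key (not DER)")
CHAIN_PEM = LEAF + INTERMEDIATE                # cat mywebsite.crt intermediate.crt
KEY_WITH_CERT_IN_FRONT = LEAF + KEY            # key-file layout from Solution 3
FOUR_DASH_KEY = KEY.replace("-----", "----")   # the typo from Solution 4

if __name__ == "__main__":
    print(nginx_verdict(CHAIN_PEM, KEY_WITH_CERT_IN_FRONT))
    print(nginx_verdict(CHAIN_PEM, FOUR_DASH_KEY))
```

The "no start line: Expecting: ANY PRIVATE KEY" text in the log means the reader reached end of file without one well-formed BEGIN line it accepts as a key; a file that contains only certificates and a key whose dashes are mangled both produce it. To compare a real pair locally instead of uploading it, openssl x509 -noout -pubkey -in cert.pem and openssl pkey -pubout -in key.pem must print identical public-key blocks, which is all key_matches_cert does.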



Author: Fredow. Updated on September 18, 2022.

Comments

  • Fredow (over 1 year ago)

    I am trying to install SSL on my nginx reverse proxy with certified SSL keys, but I get this message when I try to restart the server:

    Restarting nginx: [emerg]: SSL_CTX_use_PrivateKey_file("/etc/nginx/conf.d/cert.key") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
    configuration file /etc/nginx/nginx.conf test failed
    

    Every file is root:root with 600 permissions. I've tested the certificates and they are validated with this website: http://ssltools.com/cert_key_match

    There are no weird trailing characters in my keys, and they have 64 characters per line.

    Here is my config file:

    server {
        listen   443;
        server_name     my.domain.com;
        ssl on;
        ssl_certificate      conf.d/cert.pem;
        ssl_certificate_key  conf.d/cert.key;

        location / {
             proxy_pass         http://upstream1;
             proxy_redirect     off;
             proxy_buffering    off;
             proxy_set_header        Host            $host;
             proxy_set_header        X-Real-IP       $remote_addr;
             proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    Any ideas? Thank you

    • Admin (over 10 years ago)
      Are you using a chained certificate? If so, you should follow the instructions at the certificate authority. You need to include the chained certificate as well. Also, I strongly discourage you from uploading your certificates to a random website. If they're saving what's uploaded, your cert has already been compromised. You can do the verification with openssl directly yourself.
    • Fredow (over 10 years ago)
      Yes, I am. In my cert.pem I start with the root cert, then in the same file there is the intermediate cert. Now in my cert.key file there are two certs, where the second one starts with -----BEGIN RSA PRIVATE KEY-----
  • Fredow (over 10 years ago)
    Does the cert.pem in that example act as ssl_certificate or ssl_certificate_key?
  • Ilja (over 10 years ago)
    Extension .pem always acts as certificate.
  • Fredow (over 10 years ago)
    Yeah, I had already done it. I have 4 keys in those 2 files; I'll post the content of my keys here (this formatting is too good...):

    cert.pem:

        -----BEGIN CERTIFICATE-----
        [...]
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        [...]
        -----END CERTIFICATE-----

    cert.key:

        -----BEGIN CERTIFICATE-----
        [...]
        -----END CERTIFICATE-----
        -----BEGIN RSA PRIVATE KEY-----
        [...]
        -----END RSA PRIVATE KEY-----
  • Ilja (over 10 years ago)
    cert.key MUST contain only the key:

        -----BEGIN RSA PRIVATE KEY-----
        [...]
        -----END RSA PRIVATE KEY-----
  • Fredow (over 10 years ago)
    My vendor (ssl.com) sent me my private cert file, which includes 2 keys. I still tried to remove the other cert, but I get the same error.
  • Ilja (over 10 years ago)
    Look, the standard way of buying a new SSL certificate:
    1. You decide for what domain you want to buy the SSL cert, for example www.mysite.com.
    2. You generate a CSR for your domain and sign it with your private key (on the server or online on the provider's page), filling in the form with info about the owner of the new domain.
    3. You send your CSR to the SSL vendor (in your case it is ssl.com).
    4. They "check" your CSR and issue a new SSL certificate (.pem) for www.mysite.com, and provide you with the .pem file (certificate) and a ca-bundle, additional for your cert. No key or keys!
  • Fredow (over 10 years ago)
    I've resolved my issue locally. The formatting of the keys is different with nginx vs Apache, and the bundle key has 3 certificates inside it, not two. Thanks for your help Ilja, it's much appreciated.