nginx config fails with SSL key/pem (unique case)
Solution 1
I hope you've copied and pasted the following lines:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
Solution 2
A different solution that may work for others: use the .pem file for both ssl_certificate and ssl_certificate_key. That is:
...
ssl on;
ssl_certificate conf.d/cert.pem;
ssl_certificate_key conf.d/cert.pem;
...
Solution 3
I got the same problem (from /var/log/nginx/error.log):
2019/03/20 01:25:41 [emerg] 2509#0: SSL_CTX_use_PrivateKey_file("/etc/nginx/conf.d/sslcert/mm.merchantspring.com.au.key") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: ANY PRIVATE KEY error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
Then I found that my key file also needed to be chained with the certificate. After updating the key file and restarting nginx, it works.
My environment. The nginx config file looks like this:
ssl_certificate /etc/nginx/conf.d/sslcert/mywebsite.pem;
ssl_certificate_key /etc/nginx/conf.d/sslcert/mywebsite.key;
mywebsite.pem (chained, 4 certificates in total; cat mywebsite.crt intermediate.crt > mywebsite.pem):
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
mywebsite.key (chained: crt followed by key):
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
I got the key file from the GoDaddy website instead of creating it with openssl, but I do think it would be better to do this with openssl.
Solution 4
FYI, make sure your BEGIN block is identical to the expected block, character for character. Mine started with 4 dashes, not 5: ---- vs -----. The validation tooling's error messages aren't very specific when you make this error.
Asked by Fredow. Updated on September 18, 2022.

Comments

- Fredow (over 1 year): I am trying to install SSL on my nginx reverse proxy with certified SSL keys, but I get this message when I try to restart the server:
    Restarting nginx: [emerg]: SSL_CTX_use_PrivateKey_file("/etc/nginx/conf.d/cert.key") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib) configuration file /etc/nginx/nginx.conf test failed
  Every file is root:root with 600 permissions. I've tested the certificates and they are validated with this website: http://ssltools.com/cert_key_match
  There are no trailing weird characters in my keys, and they have 64 characters per line.
  Here is my config file:
    server {
        listen 443;
        server_name my.domain.com;
        ssl on;
        ssl_certificate conf.d/cert.pem;
        ssl_certificate_key conf.d/cert.key;
        location / {
            proxy_pass http://upstream1;
            proxy_redirect off;
            proxy_buffering off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
  Any ideas? Thank you.
- Admin (over 10 years): Are you using a chained certificate? If so, you should follow the instructions at the certificate authority. You need to include the chained certificate as well. Also, I strongly discourage you from uploading your certificates to a random website. If they're saving what's uploaded, your cert has already been compromised. You can do the verification with openssl directly yourself.
- Fredow (over 10 years): Yes, I am. In my cert.pem I start with the root cert, then in the same file there is the intermediate cert. Now in my cert.key file there are two certs, where the second one starts with -----BEGIN RSA PRIVATE KEY-----
- Fredow (over 10 years): The cert.pem in that example acts as ssl_certificate or ssl_certificate_key?
- Ilja (over 10 years): Extension .pem always acts as certificate.
- Fredow (over 10 years): Yeah, I had already done it. I have 4 keys in those 2 files; I'll post the content of my keys here (this formatting is too good...):
  cert.pem:
    -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE-----
  cert.key:
    -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- [...] -----END RSA PRIVATE KEY-----
- Ilja (over 10 years): cert.key MUST contain only the key: -----BEGIN RSA PRIVATE KEY----- [...] -----END RSA PRIVATE KEY-----
- Fredow (over 10 years): My vendor (ssl.com) sent me my private cert file, which includes 2 keys. I still tried to remove the other cert, but I get the same error.
- Ilja (over 10 years): Look, the standard way of buying a new SSL certificate: 1. You decide for what domain you want to buy an SSL cert, for example www.mysite.com. 2. You generate a CSR for your domain and sign it with your private key (on the server or online on the provider's page), filling in the form with info about the owner of the new domain. 3. You send your CSR to the SSL vendor (in your case it is ssl.com). 4. They "check" your CSR and issue a new SSL certificate (.pem) for www.mysite.com, and provide you with a .pem file (certificate) and a ca-bundle, additional for your cert. Not ANY key or keys!
- Fredow (over 10 years): I've resolved my issue locally. The formatting of the keys is different with nginx vs Apache, and the bundle key has 3 certificates inside it, not two. Thanks for your help Ilja, it's much appreciated.
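Several of the answers and comments above come down to the same two checks: the file handed to ssl_certificate_key should hold nothing but the private key, with well-formed five-dash BEGIN/END lines (the four-dash case in Solution 4), and the certificate/key pairing should be verified locally with openssl rather than by uploading key material to a website (as the Admin comment recommends). The following POSIX shell script is an added example written for this page, not code from any of the posters or from nginx; it splits a vendor bundle laid out like the cert.key described in the question into a certificate-only file and a key-only file, flags malformed delimiters, and compares the public key embedded in the certificate with the one derived from the private key. The sample bundle, its placeholder block bodies and all file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original answers: inspect a vendor-supplied PEM
# bundle, split it into the two files nginx expects, and check cert/key
# agreement locally with openssl instead of a third-party website.
set -eu

# Print the label of every well-formed BEGIN line in FILE, in order.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Count blocks whose label contains PATTERN. 'PRIVATE KEY' matches both the
# PKCS#1 "RSA PRIVATE KEY" and the PKCS#8 "PRIVATE KEY" header.
pem_count() {
    pem_labels "$1" | grep -c -- "$2" || true
}

# Print only the blocks whose label matches the awk regex PATTERN, so that
#   pem_extract bundle.pem 'CERTIFICATE' > chain.pem
#   pem_extract bundle.pem 'PRIVATE KEY' > key.pem
# yields a ssl_certificate file holding nothing but certificates and a
# ssl_certificate_key file holding nothing but the key.
pem_extract() {
    awk -v pat="$2" '
        /^-----BEGIN / {
            label = $0
            sub(/^-----BEGIN /, "", label)
            sub(/-----$/, "", label)
            keep = (label ~ pat)
        }
        keep { print }
        /^-----END / { keep = 0 }
    ' "$1"
}

# Fail, listing the offending lines, if any BEGIN/END line is not exactly
# five dashes, a label, five dashes. This catches the four-dash case from
# Solution 4 and also a stray carriage return left by a Windows editor.
pem_check_delimiters() {
    ! grep -nE '^-*(BEGIN|END) ' "$1" |
        grep -vE '^[0-9]+:-----(BEGIN|END) [A-Z0-9 ]+-----$'
}

# Local replacement for a "does this key match this certificate" website:
# derive the public key from each side and compare. Returns 0 on match,
# 1 on mismatch, 2 if either file cannot be parsed at all.
cert_key_match() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] && return 0
    return 1
}

# Constructed sample: the cert.key layout the question describes, a
# certificate block in front of the RSA key. Bodies are placeholders, not
# real key material.
SAMPLE_KEYFILE='-----BEGIN CERTIFICATE-----
MIIC...placeholder...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIE...placeholder...
-----END RSA PRIVATE KEY-----'

demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_KEYFILE" > "$dir/cert.key"
    pem_check_delimiters "$dir/cert.key"
    echo "cert.key labels: $(pem_labels "$dir/cert.key" | tr '\n' ',')"
    pem_extract "$dir/cert.key" 'PRIVATE KEY' > "$dir/key-only.pem"
    echo "key-only.pem holds $(pem_count "$dir/key-only.pem" 'PRIVATE KEY') key(s) and $(pem_count "$dir/key-only.pem" CERTIFICATE) certificate(s)"
    rm -rf "$dir"
}
demo
```

After splitting, point ssl_certificate at the certificate-only file (server certificate first, then the intermediates, in that order) and ssl_certificate_key at the key-only file, then run nginx -t before reloading; cert_key_match replaces the upload-to-a-website check without the private key ever leaving the host.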