Expecting trusted certificate error


I am trying to generate a private-public key pair and convert the public key into a certificate which can be added into my truststore.

To generate private & public key: openssl rsa -in private.pem -outform PEM -pubout -out public_key.pem

Now I am trying to convert this to a certificate:

openssl x509 -outform der -in public_key.pem -out public.cer

But I get an error:

7962:error:0906D06C:PEM routines:PEM_read_bio:no start line:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.30.2/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE

All tutorials show that I have to convert pem to crt before adding to a truststore.

asked Feb 8, 2017 at 17:30


You cannot "convert" a public key to a certificate. A certificate includes the public key but it includes also more information like the subject, the issuer, when the certificate is valid etc. And a certificate is signed by the issuer.
Thus what you would need instead is to create a certificate signing request (CSR) which includes the public key but also includes all the additional information. This CSR then needs to be signed by a certificate authority (CA) which then results in the certificate.

For creating a simple self-signed certificate which is not trusted by any browser see How to create a self-signed certificate with openssl?.


answered Feb 8, 2017 at 17:38

Steffen Ullrich

You cannot convert a public key into a certificate.

The original commands will not work since the PEM encoding / file format is expecting to contain the encrypted certificate text like below:

-----BEGIN CERTIFICATE-----

Certificate data here

-----END CERTIFICATE-----

Therefore if you view the original .PEM file and see something else (like BEGIN RSA … ) then that is incorrect.

Now according to the thread title you are seeking to convert a PEM into a CRT file format. Note that x509 certificates can be in two encodings — DER and PEM. Also, PEM can be within a .CRT, .CER and also .PEM format.

Therefore if you see that error there is also a chance that you are treating a DER encoded certificate as a PEM encoded certificate. You can try to see if it’s actually DER encoded by following the instructions in this page.

answered Feb 8, 2017 at 22:47

NASAhorse
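As an added example (not part of the question or either answer), this is the path Steffen Ullrich describes, scripted with openssl: the private key signs a CSR, the resulting certificate (self-signed here, standing in for a CA signature) is what goes into the truststore, and pem_label shows why the question's original command fails on a public key. The file names, the CN and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the question or answers: build key -> CSR ->
# certificate -> DER copy, which is what a truststore import actually needs.
# Assumes openssl in PATH; directory $1 and file names are chosen here.
set -eu

# Creates private.pem, request.csr, certificate.pem and certificate.cer in $1.
# Returns 0 only when the DER copy loads back as an X.509 certificate.
make_truststore_cert() {
  dir=$1
  mkdir -p "$dir"
  # 1. private key; the public key is derived from it whenever needed
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$dir/private.pem" 2>/dev/null
  # 2. CSR: the public key plus the subject and other fields a certificate carries
  openssl req -new -key "$dir/private.pem" -subj "/CN=example.test" \
      -out "$dir/request.csr"
  # 3. sign the CSR; a CA would do this, self-signing stands in for it here
  openssl x509 -req -in "$dir/request.csr" -signkey "$dir/private.pem" \
      -days 30 -out "$dir/certificate.pem" 2>/dev/null
  # 4. DER copy for truststores that expect .cer; PEM -> DER is only re-encoding
  openssl x509 -in "$dir/certificate.pem" -outform der -out "$dir/certificate.cer"
  # verify: the DER file must parse as a certificate (this is what x509 -inform der does)
  openssl x509 -inform der -in "$dir/certificate.cer" -noout -subject >/dev/null
}

# Prints the PEM label of the first block in a file, e.g. "CERTIFICATE" or
# "PUBLIC KEY". "openssl x509" only accepts CERTIFICATE (or TRUSTED CERTIFICATE)
# blocks, which is the "Expecting: TRUSTED CERTIFICATE" error in the question.
pem_label() {
  head -n 1 "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

if [ $# -eq 1 ]; then
  make_truststore_cert "$1" && echo "truststore certificate written to $1/certificate.cer"
fi
```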


Nginx SSL Certificate Errors: PEM_read_bio_X509_AUX, PEM_read_bio_X509, SSL_CTX_use_PrivateKey_file

Mattias Geniar, August 13, 2015



"BEGIN TRUSTED CERTIFICATE" is expected #42

Hi, I got this issue:
nginx: [emerg] cannot load certificate "/etc/nginx/ssl/": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)

put -trustout into params of le.sh but still no luck.

Can anybody check and maybe update scripts?


I can’t reproduce the issue. Can you share your compose pls and the part of nginx.conf related to ssl

can it be caused by 2 level domain? I’m trying to certify mydomain.mooo.com provided by freedns.com

Impossible to say without your docker-compose.yaml and nginx configuration. I have multiple domains including the second level ones and have no problems with them.

There wasn’t much changes. Here I just put domain and email.
version: '2'
services:

user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # rest of the http block not shown in the post
}

stream {
    include /etc/nginx/stream.d/*.conf;
}

I’m sorry, there are symbols that break the format

do you see a good-looking certificate in your ./etc/ssl ? I suspect some kind of permission issue for this directory

yes, i see files:
le-key.pem
le-crt.pem
le-chain-crt.pem
dhparams.pem
I can’t open some of them when docker is up. But when it’s down, i can read write them.

Can you show the contents of a ssl-directory? ls -la ssl/ or something like that

I can’t open some of them when docker is up. But when it’s down, I can read write them.

This is an important detail. Does it mean you run this container on windows?

no, i’m trying to make it work on aws linux machine

Can you show the contents of a ssl-directory? ls -la ssl/ or something like that

isn’t it /etc/ssl dir with pem files which i already provided? or you talking about sizes?

[ec2-user@ip ssl]$ ls -la
total 16
drwxr-xr-x 2 root     root       86 Sep 22 18:53 .
drwxrwxr-x 3 ec2-user ec2-user   45 Sep 22 18:35 ..
-rw------- 1 root     root      424 Sep 22 18:52 dhparams.pem
-rw-r--r-- 1 root     root     1647 Sep 22 18:53 le-chain-crt.pem
-rw-r--r-- 1 root     root     3574 Sep 22 18:53 le-crt.pem
-rw------- 1 root     root     1704 Sep 22 18:53 le-key.pem

isn’t it /etc/ssl dir with pem files which i already provided? or you talking about sizes?

I wanted to look directory permissions, looks correct.

there is something with your setup we don’t see. I’m not sure what it is, but something is not right. The fact that you "can’t open some of them when docker is up" is odd. As your container is up and running you should be able to read files, at least on linux.

You can try to do docker exec -it nginx cat /etc/nginx/ssl/le-crt.pem to see if cert is even readable/accessible from your container.

Another direction — do you use the latest version of nginx-le? Try to do docker pull umputun/nginx-le:latest or change your compose’s image directive to nginx-le:1.3.0

do you use the latest version of nginx-le

yes, just did docker-compose pull

docker exec -it nginx cat /etc/nginx/ssl/le-crt.pem

there is something with your setup we don’t see

I changed almost nothing, only what was needed — domain, email — that’s all

What exactly "worked fine" means? Did you see the certificate printed and the first line is -----BEGIN CERTIFICATE----- ?
Also, pls confirm — is this correct and repeatable: "I can’t open some of them when docker is up. But when it’s down, I can read write to them."

See, we are guessing here and trying to figure out what the possible reason can be. Whatever it is, this is (most likely) something with your local system. Based on the info you provided my best guess is some sort of special docker configuration or some sort of permissions control. This is why I have asked about "can’t open some of them when docker is up". Another theory is some kind of encoding issue, but I can’t think of any scenario of how it can happen.

Did you see the certificate printed and the first line is -----BEGIN CERTIFICATE----- ?

yes, sure, i meant that.

is this correct and repeatable "I can’t open some of them when docker is up"

sorry, that was just matter of sudo. cat le-key.pem and le-chain-crt.pem wasn’t possible, but it works with sudo.

something with your local system

doubt that, because it’s quite a fresh aws machine.

In your working servers there’s no TRUSTED word in the header of the crt? Isn’t it a config issue?

TRUSTED is not supposed to be in. I just installed a fresh instance (on Digital Ocean) and nginx-le got certs just fine, works with nginx as expected. Neither le-crt.pem or le-chain-crt.pem have TRUSTED in the header.

is this config file you provided the only one you have? Your proxy_pass to http://10.8.0.3:8123/; implies another part you omitted.

To prevent playing ping-pong in this chat, @sergentum can you please post all Nginx configuration in a single gist (it can contain multiple files) on gist.github.com?
Also, do I understand correctly that after the message nginx: [emerg] cannot load certificate . in the log nginx stops and the container fails to start? Can you post the complete log of the container start alongside configuration, please?

I was able to reproduce the issue (by accident). As expected it has nothing to do with "TRUSTED CERTIFICATE". Something went wrong with certificates substitution and I see this inside of nginx config:

@paskal — I think this was yours change to support multiple FQDNs? Could you pls take a look? In my case, it happens with — LE_FQDN=safesecret.info,feedmaster.umputun.com,umputun.com,umputun.feed-master.com

@sergentum — a simple workaround is to change your nginx’s service with the absolute paths to the certificate, i.e.

I have this in service-example.conf

I thought these placeholders will be replaced later.
Looks like example conf wasn’t formed from template to actual config at all.

Here should be relative path isn’t it?
upd, ok i understood that it will be interpreted into docker container so it should be absolute
upd2: finally it works, thanks guys very much for your attention.


When configuring your SSL certificates on Nginx, it’s not uncommon to see several errors when you try to reload your Nginx configuration, to activate the SSL Certificates.

This post describes the following type of errors:

  • PEM_read_bio_X509: ASN1_CHECK_TLEN:wrong tag error
  • PEM_read_bio_X509_AUX: Expecting: TRUSTED CERTIFICATE
  • SSL_CTX_use_PrivateKey_file: bad base64 decode error

Read on for more details.

Nginx PEM_read_bio_X509: ASN1_CHECK_TLEN:wrong tag error

These kinds of errors pop up when your certificate file isn’t valid. The entire error looks like this.

$ service nginx restart

nginx: [emerg] PEM_read_bio_X509("/etc/nginx/ssl/mydomain.tld/certificate.crt") failed (SSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:Type=X509_CINF error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:Field=cert_info, Type=X509 error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib)

Start by reading the SSL certificate info via the OpenSSL CLI. Chances are, OpenSSL will also show you an error, confirming that your SSL certificate isn’t valid.

In the example above, the SSL certificate is in /etc/nginx/ssl/mydomain.tld/certificate.crt, so the following examples continue to use that file.

$ openssl x509 -text -noout -in /etc/nginx/ssl/mydomain.tld/certificate.crt
unable to load certificate
139894337988424:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:818:

If that’s your output, you have confirmation: your SSL certificate is corrupt. It’s got unsupported ASCII characters, it’s missing a part, some copy/paste error caused extra data to be present, … Bottom line: your certificate file won’t work.

You can test a few things yourself, like new line issues (linux vs. windows remains a problem). Open the file in binary mode in vi, and if you see ^M at end of every line, you’ve incorrectly got Windows new lines instead of Unix new lines.

$ vi -b /etc/nginx/ssl/mydomain.tld/certificate.crt
-----BEGIN CERTIFICATE-----^M
MIIFUjCCBDqgAwIBAgIKYsvzdQAAAAAAzTANBgkqhkiG9w0BAQUFADBOMQswCQYD^M
...

Remove all new lines and replace them with “normal” unix new lines (\n instead of \r\n).

If your SSL certificate file contains multiple certificates, like intermediate or CA root certificates, it’s important to check each of them separately. You can check this by counting the "-----BEGIN CERTIFICATE-----" lines in the file.

If you’ve got multiple certificates, copy/paste each one to a different file and run the openssl example above. Each should give you valid output from the SSL certificate.

$ grep 'BEGIN CERTIFICATE' /etc/nginx/ssl/mydomain.tld/certificate.crt
-----BEGIN CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----BEGIN CERTIFICATE-----

The output above shows that the SSL Certificate file contains 3 individual SSL certificates. Copy/paste them all in separate files and validate if they work. If one of them gives you errors, fix that one: find the wrong ASCII characters, fix the new lines, check if you copy/pasted it correctly from your vendor, …

The “nginx: [emerg] PEM_read_bio_X509” error means your Nginx configuration is probably correct, it’s the SSL certificate file itself that is invalid.

Nginx PEM_read_bio_X509_AUX: Expecting: TRUSTED CERTIFICATE

This is an error that is usually resolved very quickly. The certificate file you’re pointing your config to isn’t a certificate file. At least, not according to Nginx.

$ service nginx configtest

nginx: [emerg] PEM_read_bio_X509_AUX("/etc/nginx/ssl/mydomain.tld/certificate.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /etc/nginx/nginx.conf test failed

This can happen if you’ve accidentally swapped your private key and SSL certificate in either your files, or in the Nginx configuration.

Your Nginx config will contain these kind of lines for its SSL configuration.

ssl_certificate             /etc/nginx/ssl/mydomain.tld/certificate.crt;
ssl_certificate_key         /etc/nginx/ssl/mydomain.tld/certificate.key;

Check if the ssl_certificate file is indeed your SSL certificate and if the ssl_certificate_key is indeed your key. It’s not uncommon to mix these up if you’re in a hurry or distracted and save the wrong contents to the wrong file.

Nginx SSL_CTX_use_PrivateKey_file: bad base64 decode error

Another common error in Nginx configurations is the following one.

$ service nginx configtest

nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/mydomain.tld/certificate.key") failed (SSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
nginx: configuration file /etc/nginx/nginx.conf test failed

Note how the Nginx SSL error points to the .key file this time. The problem is with the SSL key, not the SSL certificate.

This error indicates that the private key you pointed your configuration to doesn’t match the SSL Certificate.

You can validate whether private key and SSL certificate match by calculating their MD5 hash. If they don’t match, you have to find either the right certificate or the right private key file.

One of them is wrong and needs to be replaced. With this error, it’s impossible to know which one is wrong. Your best bet is to read the info from the SSL certificate, determine if that’s the correct SSL certificate (check expiration date, SANs, Common Name, …), and find the matching key (which should have been created when you generated your Certificate Signing Request, CSR).

Recently I was migrating an Apache HTTP Server (httpd) server from one linux machine to another. The problem was that on the source linux machine Apache HTTP Server (httpd) was a custom compiled 2.4.4 and we were having constant problems when patching the linux machine (openssl libraries etc.). So we decided to replace the custom compiled Apache HTTP Server (httpd) with the RPM version of it but still wanted to stay on a 2.4.X version – we do not like going back to the CentOS/RHEL repository 2.2 Apache HTTP Server versions.

Since all our machines are virtual machines, it is much easier to deploy a new virtual machine from template, install & update the required RPM packages and migrate the apache configuration to the new linux machine – and it is way more cleaner too! 🙂

SSL Library Error: error:0906D06C:PEM - Apache Error


I built the latest Apache HTTP Server RPM (version 2.4.9), which I also described in THIS how-to, and started the process of migration – just for additional info, our Apache HTTP Server instance is only used as a proxy server.

So after installing the Apache HTTP Server 2.4.9 from RPM and transferring the Apache HTTP Server configuration from the source machine, I tried to start Apache to check if any errors existed (of course a small configuration change was inevitable). The Apache HTTP Server would not start, it said FAILED and the error in /var/log/httpd/ssl_error.log was:

[Fri Aug 08 15:40:30.908717 2014] [ssl:emerg] [pid 8242:tid 139656074909504] AH02562: Failed to configure certificate 192.168.1.3:443:0 (with chain), check /etc/httpd/ssl/geekpeek.cer
[Fri Aug 08 15:40:30.908864 2014] [ssl:emerg] [pid 8242:tid 139656074909504] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Fri Aug 08 15:40:30.908888 2014] [ssl:emerg] [pid 8242:tid 139656074909504] SSL Library Error: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib

Let’s Fix SSL Library Error: error:0906D06C:PEM – Apache Error!

1. Check Certificate With OpenSSL

I started checking the certificate key and certificate for errors. After checking the certificate /etc/httpd/ssl/geekpeek.cer this is what I got:

[root@geekpeek ~]# openssl x509 -in /etc/httpd/ssl/geekpeek.cer -text -noout
unable to load certificate
140028248876872:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

This “SSL Library Error: error:0906D06C:PEM” error is the same error we get in /var/log/httpd/ssl_error.log.

A bit of googling got me to THIS great webpage which says, I quote, “If you get the following error it means that you are trying to view a DER encoded certificate and need to use the commands in the “View DER encoded certificate” below”. This is good news for us!

2. View DER Encoded Certificate With OpenSSL

By running the following command I confirmed that the certificate was in DER format, since openssl did NOT exit with the “SSL Library Error: error:0906D06C:PEM” error again but showed the certificate information:

[root@geekpeek ~]# openssl x509 -in /etc/httpd/ssl/geekpeek.cer -inform der -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 
......

3. Convert DER Certificate To PEM With OpenSSL

For Apache to be able to read the certificate and therefore successfully start, we need to convert the DER certificate to PEM by running the following command:

[root@geekpeek ~]# openssl x509 -inform der -in /etc/httpd/ssl/geekpeek.cer -out /etc/httpd/ssl/geekpeek.pem

And voila!

Change the Apache configuration to point to the newly created PEM certificate and Apache should start without “SSL Library Error: error:0906D06C:PEM” error!
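An added example (not code from Mattias Geniar's post or from the Apache write-up above) that turns the checks both posts walk through into one small shell triage: DER vs PEM (the Apache case), Windows line endings, a private key saved where the certificate should be, the number of certificates in a chain file, plus the modulus comparison behind the key/certificate match check. Function names and the sample files are assumptions; openssl is needed only for der_to_pem and key_matches_cert.

```shell
#!/bin/sh
# Added example, not from either post: says what a certificate file actually
# holds before nginx or Apache is pointed at it, so that "Expecting: TRUSTED
# CERTIFICATE", "wrong tag" and "bad base64 decode" can be told apart.
# Assumes POSIX sh with od, grep, tr and head; openssl for the last two functions.
set -u

# Classify a file by its first byte and its PEM labels. Prints one of:
#   der            binary DER (first byte is the ASN.1 SEQUENCE tag 0x30): use -inform der
#   crlf           PEM with Windows line endings (the ^M seen in "vi -b")
#   private-key    a private key where a certificate was expected (swapped files)
#   certificate:N  PEM holding N certificate blocks (a chain when N > 1)
#   unknown        no PEM header at all: corrupt, empty or the wrong file (returns 1)
pem_triage() {
  f=$1
  first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
  if [ "$first" = "30" ]; then echo der; return 0; fi
  if grep -q "$(printf '\r')" "$f"; then echo crlf; return 0; fi
  if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then echo private-key; return 0; fi
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
  if [ "$n" -gt 0 ]; then echo "certificate:$n"; return 0; fi
  echo unknown
  return 1
}

# The Apache fix from the post: re-encode DER as PEM, leaving the original file alone.
der_to_pem() {
  openssl x509 -inform der -in "$1" -out "$2"
}

# Key/certificate match as Mattias Geniar describes it: an RSA key belongs to a
# certificate when both carry the same modulus, compared here via its MD5.
# Usage: key_matches_cert certificate.crt certificate.key; returns 0 on match.
key_matches_cert() {
  c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null | openssl md5)
  k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null | openssl md5)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# CLI use: ./triage.sh /etc/nginx/ssl/mydomain.tld/certificate.crt ...
for f in "$@"; do
  printf '%s: %s\n' "$f" "$(pem_triage "$f" || true)"
done
```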
