Ssl error 0909006c



Please tutorial how to fix «error:0909006C:PEM routines:get_name:no start line» with algorithm: «RS256» #642

Please do not report security vulnerabilities here. The Responsible Disclosure Program details the procedure for disclosing security issues.

Thank you in advance for helping us to improve this library! Please read through the template below and answer all relevant questions. Your additional work here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community or Auth0 Support. Finally, to avoid duplicates, please search existing Issues before submitting one here.

By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct.

Description

Provide a clear and concise description of the issue, including what you expected to happen.

Reproduction

Detail the steps taken to reproduce this error, what was expected, and whether this issue can be reproduced consistently or if it is intermittent.

Where applicable, please include:

  • Code sample to reproduce the issue
  • Log files (redact/remove sensitive information)
  • Application settings (redact/remove sensitive information)
  • Screenshots

Environment

  • Version of this library used:
  • Version of the platform or framework used, if applicable:
  • Other relevant versions (language, server software, OS, browser):
  • Other modules/plugins/libraries that might be involved:


I have the same issue.
Please give me a solution if you have one.

I’ve hidden your suggestion. The point behind using an RS private key is so that no one but you can produce the signatures, but everyone with knowledge of your public key can verify them. HS256 is an HMAC-based symmetric key (secret) algorithm and you’d be using the octets of a malformed private key as the shared symmetric secret. DON’T DO THAT.

error:0909006C:PEM routines:get_name:no start line

How to fix it? Provide a properly formatted pkcs8, pkcs1, or sec1 PEM private key. That’s really it.

Create the JWT token using the command shown here. This will most probably fix the issue.

Also don’t miss the openssl command, it’s important, else you might get an error — #68 (comment)

For us we had this issue while loading a private key from ENV instead of files (because of automated deployment in AWS).

We fixed it by replacing the literal \n in the env var with real line breaks:
process.env.JWT_PRIVATE_KEY.replace(/\\n/gm, '\n')

Hope this helps someone

Continuing with @derN3rd's answer, I had to approach this slightly differently.

For me, I was storing my private RSA key in a GitLab CI/CD environment variable, which I was then reading into a file (this file was then read by the code I was testing).

Where I was going wrong was in the echo statement. As you see above, I am surrounding the environment variable with double quotes. This is significant because by surrounding the variable with double quotes, it preserves the \n character in the private key.

When I was just using the statement echo $MY_PRIV_KEY_ENV_VARIABLE > priv_key.pem, it was adding spaces where the \n character was and causing the error mentioned in this issue (error:0909006C:PEM routines:get_name:no start line).


Very useful, tks.

Just to add a bit of clarification to @derN3rd's solution, which is great btw: adding the \n's to the env variable is a necessary step, prior to replacing them on the client side.

I also did not use quotes to surround the value.

Something like this:

I mean, if we validate the file’s contents with openssl then there must be some other problem going on?

For Windows users with PowerShell and OpenSSL.Light installed who need to extract everything between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----:

I got this because I was accidentally signing with my public key 🤦‍♀️


I selected every reaction. This helped me so so so much. THANK YOU @derN3rd


Right, thank you, that clarification helped.

In our case I saved it this way in a Bitbucket repo variable and then was able to create the file in a Bitbucket pipeline, since echo -e will interpret the \n, i.e.
- echo -e $JWT_KEY > build/keys/server.key


For me it did not work in Google Cloud Platform Cloud Functions. The deploy works but the function crashes with the error code.
I got tired of the error, so I used a JavaScript string literal and copy-pasted my private key there instead of the process.env variable.

# write the converted key to a new file: reading a file and appending to it in the same command corrupts it
iconv -c -f UTF8 -t ASCII myprivate.key > myprivate.ascii.key && mv myprivate.ascii.key myprivate.key

Converting from utf-8 to ASCII made it work for me 😄

I was placing the key and crt interchangeably. Placing them correctly solved mine.

I accidentally exchanged private key and certificate.

This is the complete solution to the problem.
First generate SSL certificates, then create an HTTPS server with those certificates, and after that implement Secure WebSockets.
1st:
Generate SSL certificates via OpenSSL.
These are the 3 commands:

openssl genrsa -out abels-key.pem 2048
openssl req -new -sha256 -key abels-key.pem -out abels-csr.pem
openssl x509 -req -in abels-csr.pem -signkey abels-key.pem -out abels-cert.pem

2nd: Code

const express = require("express");
const https = require("https");
const fs = require("fs");
const WebSocket = require("ws");

const app = express();
// The key and certificate generated with the openssl commands above
let cert = fs.readFileSync("abels-cert.pem");
let key = fs.readFileSync("abels-key.pem");
const options = {
  key,
  cert,
};

app.get("/", async (req, res) => {
  res.send("Server is Running on HTTPs and WSS");
});

var server = https.createServer(options, app);

server.listen(443, () => {
  console.log("Server is Running on PORT 443");
});

// Attach the WebSocket server to the HTTPS server so it is reachable over wss://
const wss = new WebSocket.Server({ server });

wss.on("connection", function connection(ws) {
  console.log("Connection has been established successfully");
  ws.on("message", function incoming(message) {
    console.log("received: %s", message);
  });
});

Note:
On an online server you may face 3 problems:
1st: PORT
2nd: (URL) WSS will not work with an IP address (in my case new WebSocket("wss://localhost") works fine, but new WebSocket("wss://127.0.0.1") or new WebSocket("wss://127.0.0.1:443") do not work as expected).
3rd: Certificate issues.

There are some online resources which help us to validate our certificates.


  1. 18.10.2020, 20:44

    #1 Timmy (Member)

    Problem with SSL certificates

    ISPmanager Lite 5.267.1
    Debian 10

    When trying to issue an SSL certificate I get this error:

    Возникла ошибка при работе с WWW-доменами. Тест конфигурации web-сервера при сохранении файла ‘/etc/nginx/vhosts/timmy/***.ru.conf’ завершился неудачно: nginx: [emerg] PEM_read_bio_DHparams(«/etc/ssl/certs/dhparam4096.pem») failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: DH PARAMETERS) nginx: configuration file /etc/nginx/nginx.conf test failed

    What does this mean? How do I fix it?

    PS
    The error appears both for a self-signed certificate and for Let’s Encrypt.

    Last edited by Timmy; 18.10.2020 at 20:49.

  2. 18.10.2020, 20:55

    #2 dzek (Senior Member)

  3. 18.10.2020, 21:39

    #3 Timmy (Member)

    Quote, message from dzek:

    Generate the key file.

    Could you be more specific?
    What key file, and how do I create it?

  4. 20.10.2020, 01:07

    #4 Pegas-x (Senior Member)

    Quote, message from Timmy:

    Could you be more specific?
    What key file, and how do I create it?

    Something like this:

    Code:

    openssl dhparam -out /etc/ssl/certs/dhparam4096.pem 4096

    Then go and have a smoke for a dozen-odd minutes...
    Generation will take a long time; how long depends on the server’s processing power.

    Last edited by Pegas-x; 20.10.2020 at 01:10.

  5. 20.10.2020, 02:39

    #5 Timmy (Member)

    Thanks! I ran it, it thought for a couple of minutes and everything is OK, the error is gone.


#java #http #ssl #tomcat #https

Question:

I have been trying to get HTTP/2 running on a Tomcat server, and I can’t seem to fix this error: error:0909006C:PEM routines:get_name:no start line.

The key and certificate I generated were created with OpenSSL. They are in the correct format (they start with -----BEGIN). I don’t need to convert them to .pem.

This is my server.xml:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/ssl/cert.key"
                     certificateFile="conf/ssl/cert.crt"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

And this is my log file:

12-Nov-2021 09:33:51.072 WARNING [main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Error initializing SSL context
 java.lang.Exception: Unable to load certificate key /opt/LCM/LCM-AppServer/tomcat/conf/ssl/cert.key (error:0909006C:PEM routines:get_name:no start line)
    at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
    at org.apache.tomcat.util.net.openssl.OpenSSLContext.addCertificate(OpenSSLContext.java:380)
    at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:250)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
    at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:397)
    at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:363)
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
12-Nov-2021 09:33:51.122 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [5,748] milliseconds
12-Nov-2021 09:39:38.507 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [345,824] milliseconds

A colleague tried running exactly my configuration with the same certificate/key files on Win10, and for them it works. My Tomcat runs on an Ubuntu virtual machine.

I have these dependencies:

 sudo apt-get install libapr1-dev libssl-dev

And I extracted and compiled bin/tomcat-native.tar.gz.

I can’t connect to Tomcat because of the error mentioned above; Chrome gives me this error: ERR_SSL_PROTOCOL_ERROR.

Any help would be appreciated. Thanks!

Comments:

1. Could you check the format of the file? Are there blank lines at the top? Maybe also open it with Notepad and edit -> EOL Conversion -> Unix

2. @SusanMustafa OpenSSL (which tcnative/APR uses) ignores «extra» lines (blank or not) before the start line and handles both EOLs. It is, however, confused by spaces or invisible characters on that same, usually first, line, such as a BOM (popular if any Windows program has ever touched the file), ZWJ/ZWNJ or BiDi. Tip: try cat -vET or od -c on your file to see exactly what is in it.

3. It turned out that after every ./shutdown.sh and ./startup.sh the .cert and .key files were corrupted. Both files were ultimately fine. It seemed to me that once I realised the files were being corrupted after every Tomcat restart, it just suddenly fixed itself.
