Recently I was migrating an Apache HTTP Server (httpd) from one Linux machine to another. The problem was that on the source Linux machine Apache HTTP Server (httpd) was a custom-compiled 2.4.4, and we were having constant problems when patching the Linux machine (OpenSSL libraries etc.). So we decided to replace the custom-compiled Apache HTTP Server (httpd) with the RPM version of it, but still wanted to stay on a 2.4.x version; we did not like the idea of going back to the CentOS/RHEL repository 2.2 Apache HTTP Server versions.
Since all our machines are virtual machines, it is much easier to deploy a new virtual machine from a template, install and update the required RPM packages and migrate the Apache configuration to the new Linux machine; it is way cleaner too! 🙂
I built the latest Apache HTTP Server RPM (version 2.4.9), which I also described in THIS how-to, and started the migration process. Just for additional info: our Apache HTTP Server instance is only used as a proxy server.
So after installing Apache HTTP Server 2.4.9 from RPM and transferring the Apache HTTP Server configuration from the source machine, I tried to start Apache to check whether any errors existed (of course a small configuration change was inevitable). Apache HTTP Server would not start; it said FAILED, and the error in /var/log/httpd/ssl_error.log was:
[Fri Aug 08 15:40:30.908717 2014] [ssl:emerg] [pid 8242:tid 139656074909504] AH02562: Failed to configure certificate 192.168.1.3:443:0 (with chain), check /etc/httpd/ssl/geekpeek.cer
[Fri Aug 08 15:40:30.908864 2014] [ssl:emerg] [pid 8242:tid 139656074909504] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Fri Aug 08 15:40:30.908888 2014] [ssl:emerg] [pid 8242:tid 139656074909504] SSL Library Error: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
Let’s Fix SSL Library Error: error:0906D06C:PEM – Apache Error!
1. Check Certificate With OpenSSL
I started checking the certificate key and the certificate for errors. After checking the certificate /etc/httpd/ssl/geekpeek.cer, this is what I got:
[root@geekpeek ~]# openssl x509 -in /etc/httpd/ssl/geekpeek.cer -text -noout
unable to load certificate
140028248876872:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
This “SSL Library Error: error:0906D06C:PEM” error is the same error we get in /var/log/httpd/ssl_error.log.
A bit of googling got me to THIS great webpage, which says, I quote: “If you get the following error it means that you are trying to view a DER encoded certificate and need to use the commands in the ‘View DER encoded certificate’ below”. This is good news for us!
2. View DER Encoded Certificate With OpenSSL
By running the following command I confirmed that the certificate was in DER format, since this time the command did NOT exit with the “SSL Library Error: error:0906D06C:PEM” error but showed the certificate information:
[root@geekpeek ~]# openssl x509 -in /etc/httpd/ssl/geekpeek.cer -inform der -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: ......
3. Convert DER Certificate To PEM With OpenSSL
For Apache to be able to read the certificate and therefore start successfully, we need to convert the DER certificate to PEM by running the following command:
[root@geekpeek ~]# openssl x509 -inform der -in /etc/httpd/ssl/geekpeek.cer -out /etc/httpd/ssl/geekpeek.pem
And voila!
Change the Apache configuration to point to the newly created PEM certificate, and Apache should start without the “SSL Library Error: error:0906D06C:PEM” error!
I’ve been setting up SSL for my domain today, and have struck another issue — I was hoping someone could shed some light on it.
I keep receiving the following error messages:
[error] Init: Unable to read server certificate from file /etc/apache2/domain.com.ssl/domain.com.crt/domain.com.crt
[error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
I’m running Apache 2.2.16 and Ubuntu 10.10. My .crt file has the Begin and End tags, and has been copied exactly from the confirmation email I received, very frustrating!
Cheers!
Edit >>
When trying to verify the .crt it doesn’t seem to work:
>> openssl x509 -noout -text -in domain.com.crt
unable to load certificate
16851:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
Also >>
>> openssl x509 -text -inform PEM -in domain.com.crt
unable to load certificate
21321:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
>> openssl x509 -text -inform DER -in domain.com.crt
unable to load certificate
21325:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1316:
21325:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509
Edit>>
(Cheers for the help by the way)
>> grep '^-----' domain.com.crt
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Just emailed the company providing the certificate; they responded:
“I have checked the CSR file that you have provided and I can assure that this was correctly generated. The error that you are currently encountering is caused because you are using a wrong command line for installing the CSR. You will need to modify this domain.com.crt from your command line with the according name of your domain.”
- currently the crt is set up to mysite.com.crt — I’ve used domain.com.crt as an example
I can reproduce this error by trying to use a key or cert file which does not contain correctly encoded data.
For instance, I have a file key.pem which contains
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAsG240gudCfVVcAtFKFOl90xOCnyTam56kx1O4V3dsXWg0k6H
[…..]
ZFQngI7aVAmzgLXAx+8U41Z0bcxsc9HXeJGRRYawHsaLvBRJ05Ge
-----END RSA PRIVATE KEY-----
If I use the key correctly, the connection works. If I remove the first line “-----BEGIN RSA….” and try again, then the same error occurs as you have seen. The error is caused by the PEM parser being unable to find the start line, hence the “no start line” error.
I am surprised that openssl connects correctly but I would advise that you double check you are referencing the correct certificates/keys.
One thing that might be worth trying is:
openssl rsa -text -in
Regards,
—A
On 10 Dec 2014, at 06:38, NizarBlond notifications@github.com wrote:
I’m trying to send push notification to the server using PEM certs that I generated and tested on OPENSSL, but I keep getting exception that crashes my node app.
Certificate Test:
openssl s_client -connect gateway.push.apple.com:2195 -cert certdist.pem -key keydist.pem
CONNECTED(00000003)
ExceptionError: error:0906D06C:PEM routines:PEM_read_bio:no start line
at Object.exports.createCredentials (crypto.js:129:17)
at apnSocketLegacy (/app/node_modules/apn/lib/socket.js:40:19)
at Connection.initialize.spread.fail.terminated (/app/node_modules/apn/lib/connec
at /app/node_modules/apn/node_modules/q/q.js:1171:26
at _fulfilled (/app/node_modules/apn/node_modules/q/q.js:794:54)
at self.promiseDispatch.done (/app/node_modules/apn/node_modules/q/q.js:823:30)
at Promise.promise.promiseDispatch (/app/node_modules/apn/node_modules/q/q.js:756
at /app/node_modules/apn/node_modules/q/q.js:516:49
at flush (/app/node_modules/apn/node_modules/q/q.js:110:17)
This is happening when called from:
apnConnection.pushNotification(note, tokens);
Ideas?
—
Reply to this email directly or view it on GitHub #234.
Let’s Encrypt certificate for the ISPmanager panel
I obtained a Let’s Encrypt certificate via the plugin for my domain example.com. This domain is bound to the same IP as the ISPmanager panel. At the address
https://example.com:1500/ispmgr
the panel opens, but not with the Let’s Encrypt certificate; it still uses the self-signed certificate. How do I configure the certificate so that it works with the panel?
Replace the port in the <VirtualHost xxx.xxx.xxx.xxx:443> block with 1500, or duplicate the block with port 1500?
Or maybe port 443 needs to be specified for the panel?
- ijkl
- Posts: 194
- Joined: Thu Oct 03, 2013 5:42 pm
Re: Let’s Encrypt certificate for the ISPmanager panel
ls » Mon Aug 08, 2016 4:33 pm
I think in this case it is easier to download the certificate files from /var/www/httpd-certs and install them under the panel's Addresses
- ls
- Support team
- Posts: 6352
- Joined: Thu Mar 01, 2007 10:36 am
- From: FirstVDS
Re: Let’s Encrypt certificate for the ISPmanager panel
ijkl » Mon Aug 08, 2016 6:16 pm
There are 4 files there: .crt, .key, .ca, .crtca.
I did this:
In the SSL certificate field I pasted the contents of the .crt file
In the SSL certificate key field I pasted the contents of the .key file
I left the SSL certificate chain field empty.
It doesn't work.
What is in .ca and .crtca?
- ijkl
- Posts: 194
- Joined: Thu Oct 03, 2013 5:42 pm
Re: Let’s Encrypt certificate for the ISPmanager panel
ls » Mon Aug 08, 2016 6:57 pm
Specify the chain from the .ca file
- ls
- Support team
- Posts: 6352
- Joined: Thu Mar 01, 2007 10:36 am
- From: FirstVDS
Re: Let’s Encrypt certificate for the ISPmanager panel
ijkl » Mon Aug 08, 2016 7:11 pm
I repeated all the steps and additionally put the contents of .ca in the Chain field; it still doesn't work.
I tried putting the contents of .crtca in that field.
The result: An error occurred while working with keys or certificates. Failed to read the certificate from x509 format error:0906D06C:PEM routines:PEM_read_bio:no start line
And now on any attempt, even when specifying the contents of .ca, it reports this error.
- ijkl
- Posts: 194
- Joined: Thu Oct 03, 2013 5:42 pm
Re: Let’s Encrypt certificate for the ISPmanager panel
ls » Tue Aug 09, 2016 2:42 am
You need to specify the contents of the .ca file, not .crtca
In this case you can open a support request so that we can take a look on the spot
- ls
- Support team
- Posts: 6352
- Joined: Thu Mar 01, 2007 10:36 am
- From: FirstVDS
I am trying to generate a private-public key pair and convert the public key into a certificate which can be added into my truststore.
To generate the private & public key:
openssl rsa -in private.pem -outform PEM -pubout -out public_key.pem
Now I am trying to convert this to a certificate:
openssl x509 -outform der -in public_key.pem -out public.cer
But I get an error:
7962:error:0906D06C:PEM routines:PEM_read_bio:no start line:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.30.2/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE
All tutorials show that I have to convert pem to crt before adding to a truststore.
asked Feb 8, 2017 at 17:30
You cannot “convert” a public key to a certificate. A certificate includes the public key but it includes also more information like the subject, the issuer, when the certificate is valid etc. And a certificate is signed by the issuer.
Thus what you would need instead is to create a certificate signing request (CSR) which includes the public key but also includes all the additional information. This CSR then needs to be signed by a certificate authority (CA) which then results in the certificate.
For creating a simple self-signed certificate which is not trusted by any browser see How to create a self-signed certificate with openssl?.
answered Feb 8, 2017 at 17:38
Steffen Ullrich
You cannot convert a public key into a certificate.
The original commands will not work since the PEM encoding / file format is expecting to contain the encrypted certificate text like below:
-----BEGIN CERTIFICATE-----
Certificate data here
-----END CERTIFICATE-----
Therefore if you view the original .PEM file and see something else (like BEGIN RSA … ) then that is incorrect.
Now according to the thread title you are seeking to convert a PEM into a CRT file format. Note that x509 certificates can be in two encodings — DER and PEM. Also, PEM can be within a .CRT, .CER and also .PEM format.
Therefore if you see that error there is also a chance that you are treating a DER encoded certificate as a PEM encoded certificate. You can try to see if it’s actually DER encoded by following the instructions in this page.
answered Feb 8, 2017 at 22:47
NASAhorse
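As an added illustration of the DER/PEM distinction behind the blog's three-step fix at the top of the page (check, view as DER, convert) and the answer just above, here is my own example code, not taken from any of the posts or tools above: it classifies a certificate or key file the way OpenSSL's PEM reader would see it (PEM, DER, or a base64 body whose BEGIN/END armour lines are missing, which is exactly what produces "no start line"), and converts DER to PEM the way `openssl x509 -inform der` does. The sample DER bytes are constructed for the demo and are not a real certificate.

```python
import base64
import re

# Constructed sample: a DER-encoded ASN.1 SEQUENCE holding INTEGER 5. It is not a
# real certificate, but it has the same outer structure (tag 0x30 + length) that
# a DER X.509 certificate has, which is all the detector looks at.
SAMPLE_DER = bytes.fromhex("3003020105")

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
B64_RE = re.compile(rb"[A-Za-z0-9+/]+=*")


def _der_length(data: bytes):
    """Total length the outer DER SEQUENCE header claims, or None if not DER."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_format(data: bytes) -> str:
    """Classify a cert/key file the way OpenSSL's PEM reader would see it."""
    if PEM_RE.search(data):
        return "PEM"
    if _der_length(data) == len(data):
        return "DER"                      # PEM_read_bio rejects this with "no start line"
    # Base64 text whose BEGIN/END armour is missing or damaged (e.g. first line deleted).
    body = b"".join(line for line in data.splitlines() if not line.startswith(b"-----"))
    body = b"".join(body.split())
    if body and B64_RE.fullmatch(body):
        return "PEM with broken armour"
    return "unknown"


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Same output as `openssl x509 -inform der -in X -out Y`: base64 wrapped at 64 columns."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_to_der(pem: bytes) -> bytes:
    """Strict PEM reader: fails the same way OpenSSL does when the header is absent."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no start line: expected a -----BEGIN ...----- header")
    return base64.b64decode(b"".join(m.group(2).split()), validate=True)


if __name__ == "__main__":
    print(detect_format(SAMPLE_DER))      # DER
    print(der_to_pem(SAMPLE_DER), end="")
```

Running `detect_format` on the file named in the error message tells you in one step whether you are looking at the blog's case (a DER file with a .cer name) or the "first line deleted" case from the key.pem answer earlier on the page.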
Going crazy trying to solve error on Node.js while trying to contact Xero API.
I’ve used a bunch of combinations of ‘.cer’ and ‘.crt’ and ‘.pem’.
I’ve followed the advice of a number of StackOverflow posters.
Node.js https pem error: error:0906D06C:PEM routines:PEM_read_bio:no start line
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
at Error (native)
at Sign.sign (crypto.js:327:26)
at Xero.oa._createSignature (/Users/BeardedMac/projects/clause/clause-mean-stack/node_modules/xero/index.js:19:68)
at exports.OAuth._getSignature (/Users/BeardedMac/projects/clause/clause-mean-stack/node_modules/xero/node_modules/oauth/lib/oauth.js:90:15)
at exports.OAuth._prepareParameters (/Users/BeardedMac/projects/clause/clause-mean-stack/node_modules/xero/node_modules/oauth/lib/oauth.js:300:16)
at exports.OAuth._performSecureRequest (/Users/BeardedMac/projects/clause/clause-mean-stack/node_modules/xero/node_modules/oauth/lib/oauth.js:309:31)
at Xero.call (/Users/BeardedMac/projects/clause/clause-mean-stack/node_modules/xero/index.js:51:20)
at /Users/BeardedMac/projects/clause/clause-mean-stack/routes/external.js:47:10
at Layer.handle [as handle_request] (/Users/BeardedMac/projects/clause/clause-mean-stack/node_modules/express/lib/router/layer.js:95:5)
at next (/Users/BeardedMac/projects/clause/clause-mean-stack/node_modules/express/lib/router/route.js:131:13)
at Route.dispatch (/Users/BeardedMac/projects/clause/clause-mean-stack/node_modules/express/lib/router/route.js:112:3)
at Layer.handle [as handle_request] (/Users/BeardedMac/projects/clause/clause-mean-stack/node_modules/express/lib/router/layer.js:95:5)
at /Users/BeardedMac/projects/clause/clause-mean-stack/node_modules/express/lib/router/index.js:277:22
at Function.process_params (/Users/BeardedMac/projects/clause/clause-mean-stack/node_modules/express/lib/router/index.js:330:12)
at next (/Users/BeardedMac/projects/clause/clause-mean-stack/node_modules/express/lib/router/index.js:271:10)
at expressInit (/Users/BeardedMac/projects/clause/clause-mean-stack/node_modules/express/lib/middleware/init.js:33:5)
Anyone out there have some insight?
The Xero API says it wants an X509 certificate…I’m not even making the call though.
asked Aug 1, 2016 at 16:09
You need a PEM-encoded key as the xero module merely calls out to node’s built-in crypto module to sign some data. Those types of keys start with
-----BEGIN RSA PRIVATE KEY-----
and end with
-----END RSA PRIVATE KEY-----
with base64-encoded data in between.
You can generate such a key using the openssl command-line utility:
openssl genrsa -out privateKey.pem 2048
Then read privateKey.pem in node like:
var fs = require('fs');
var privateKey = fs.readFileSync('/path/to/privateKey.pem');
// pass `privateKey` as the RSA private key to the `xero` module ...
answered Aug 1, 2016 at 16:15
mscdex
Check your certificate format. Carriage return (\r) and new line (\n) should be there in the .cer or .crt format. Postman expects this.
This can be verified by opening it in notepad.
answered Aug 10, 2021 at 10:17