NGINX Conf for wildcard certificate from comodo [duplicate] - ssl

I've got 3 files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
and also a keystore. How can I create a .pem file out of these? I tried putting their contents into a file called .pem, but nginx says
SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Also, those files haven't got any attributes, only -----BEGIN CERTIFICATE-----, the key and -----END CERTIFICATE-----.

You are missing a certificate for your domain. After you get it, concatenate all those files together; this is the file to use in the nginx configuration.
cat yourdomain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > bundle.crt
Also, don't forget to configure the path to the private key. It is a different file.

Related

MyDomain.com only provides copy-able text for Positive SSL certificate: one for cert and one for key. How do I install this on my nginx web server?

I'm trying to set up an SSL certificate on a site using the nginx web server. In the past, I generated SSL certs from Let's Encrypt/Certbot with no issues. This time, I purchased a .com domain and a Positive SSL certificate from MyDomain.com. MyDomain.com doesn't provide a .zip file or ca-bundle file for the cert (i.e., there doesn't appear to be an intermediate certificate or root certificate). Instead, it gives me two plaintext lines to manually copy: one for the Certificate and one for the Key.
The Certificate line contains -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
The Key line contains -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----
I paste each of these lines into its own text-editor file (using Atom on Ubuntu 18.0) and save them as .crt and .key, respectively. (I was told by MyDomain.com support that the Certificate should be .crt, but who knows?)
I then add these file paths to my nginx site config file as below:
ssl_certificate /etc/ssl/certs/mysite.com.crt;
ssl_certificate_key /etc/ssl/private/mysite.com.key;
However, nginx fails on restart, and when I check the config file I get the following:
$ sudo nginx -t
nginx: [emerg] PEM_read_bio_X509_AUX("/etc/ssl/certs/mysite.com.crt") failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /etc/nginx/nginx.conf test failed
Some things I've tried:
Saving the Certificate as a .pem = same error.
Manually adding the word TRUSTED to the certificate's beginning and ending = same error.
Trying to convert the file based on its encoding:
$ sudo openssl x509 -in /etc/ssl/certs/mysite.com.crt -out /etc/ssl/certs/mysite.com.pem -outform PEM
unable to load certificate
140561005191616:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
$ sudo openssl x509 -in /etc/ssl/certs/mysite.com.crt -inform der -outform pem -out /etc/ssl/certs/mysite.com.pem
unable to load certificate
139831375835584:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:
139831375835584:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=X509
$ sudo openssl x509 -inform DER -in /etc/ssl/certs/mysite.com.crt -out /etc/ssl/certs/mysite.com.pem -text
unable to load certificate
139993835831744:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:
139993835831744:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=X509
I'm not sure what to do from here. Has anyone successfully installed an SSL certificate on nginx using just a .crt file and a .key file?
Should anyone see this and feel curious, I had to reach out to MyDomain.com support and ask for the certificate bundle. They got it to me (.crtc bundle as well as individual files for cert and intermediate cert) and now it works just fine on my nginx server. It wasn't going to work without those additional files.

How to generate PEM files to install my own SSL certificate?

I have an SSL certificate, Comodo PositiveSSL.
These are the files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
domain.com.key
domain_com.crt
Vendor requirements:
The certificate, private key, and certificate chain must be PEM-encoded
/ssl/test1.bx.key.pem
/ssl/test1.bx.cert.pem
/ssl/test1.bx.ca-chain.cert.pyem
Do I create PEM files correctly?
cat COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt AddTrustExternalCARoot.crt > domain.com.ca-chain.cert.pem
cat domain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > domain.com.cert.pem
cat domain.com.key domain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > domain.com.key.pem
Do I create PEM files correctly?
No. The key file should not be the result of concatenated files. I don't know your vendor, but I believe domain.com.key = /ssl/test1.bx.key.pem.
What I suppose is expected by your vendor (though I can't be sure, of course):
/ssl/test1.bx.cert.pem = domain_com.crt
/ssl/test1.bx.ca-chain.cert.pyem = AddTrustExternalCARoot.crt + COMODORSAAddTrustCA.crt + COMODORSADomainValidationSecureServerCA.crt
To set up certificates in the Bitrix environment you need to do the following:
Concatenate the CA bundle and the certificate file which we sent you, as follows:
1.1. To concatenate the certificate files into a single bundle file, first open the domainname.crt and domainname.ca-bundle files using any text editor.
1.2. Now copy all the content of domainname.crt and paste it at the top of the domainname.ca-bundle file.
1.3. Now save the file as 'ssl-bundle.crt'.
Store the bundle and private key in the appropriate nginx ssl folder, /etc/nginx/ssl/example_com/.
Add these lines to your nginx config:
ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
ssl_certificate_key /etc/ssl/private/domainname.key;
ssl_prefer_server_ciphers on;
Restart nginx by running systemctl restart nginx.service.
Take a look at the Comodo Knowledgebase article about certificate installation on nginx. It describes step by step how to install certificates on different web servers.

Why is HAProxy unable to load certificates generated by letsencrypt?

HAProxy is unable to load .pem files generated by letsencrypt, why is this?
The error I'm seeing is:
parsing [/haproxy.cfg:37] : 'bind :443' : unable to load SSL private key from PEM file '/certs/cert0.pem'.
The contents of the PEM file are two certificate blocks:
The problem is that I was using the fullchain.pem file generated by letsencrypt. Instead, one should concatenate it together with 'privkey.pem' (also generated by letsencrypt) into a single .pem file.
I could only fix this by using cert.pem instead of fullchain.pem when concatenating.
cat cert.pem key.pem > haproxy_cert.pem
Taken from https://www.haproxy.com/blog/haproxy-ssl-termination/:
frontend www.mysite.com
bind 10.0.0.3:80
bind 10.0.0.3:443 ssl crt /etc/ssl/certs/mysite.pem
default_backend web_servers
The ssl parameter enables SSL termination for this listener. The crt parameter identifies the location of the PEM-formatted SSL certificate.
This certificate should contain both the public certificate and private key.
To be honest, according to my experience deploying HAProxy with TLS/SSL end-to-end with a minimum of 2 nodes as backend servers, this statement is somewhat true. In fact, HAProxy requires fullchain.pem (instead of cert.pem) + privkey.pem as a single file. Not using fullchain.pem will lead to messages in systemd like "unable to load cert" or similar.
In a nutshell, you shall do:
$ cat fullchain.pem privkey.pem > /etc/haproxy/mydomain_certs/mydomain.pem
And not:
$ cat cert.pem privkey.pem > /etc/haproxy/mydomain_certs/mydomain.pem
This article has a valuable example.
Just adding the issue that I encountered: the cat command concatenated the files without a newline between them. I manually inserted a newline (using vim) and it worked.
Also in my case I got three files from the registrar: crt, ca-bundle, and p7b. I just want to add that all I needed was the private key file and the crt file (so ca-bundle and p7b were not used).

nginx fails to load ssl certificate

I have to add SSL (https) to a website. I was given an SSL.CSR and an SSL.KEY file. I dos2unix'ed them (because they had trailing ^M) and copied them to the server (CSR -> mywebsite.crt, KEY -> mywebsite.key). I made the following modification to nginx.conf:
## -60,8 +60,13 ##
}
server {
- listen 80;
+ listen 443;
server_name ...;
+ ssl on;
+ ssl_certificate mywebsite.crt;
+ ssl_certificate_key mywebsite.key;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
# Set the max size for file uploads to 500Mb
client_max_body_size 500M;
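Review bot: the `ssl_certificate mywebsite.crt;` line points at a file that, per the question, was copied from SSL.CSR, a certificate signing request rather than a certificate, which is exactly what the "no start line: Expecting: TRUSTED CERTIFICATE" error is complaining about; `ssl_certificate` must reference the signed certificate the CA returns (with the intermediate chain appended), and `ssl_certificate_key` the matching private key. Two smaller points: `ssl on;` is the legacy form and `listen 443 ssl;` expresses the same thing in current nginx; and relative paths such as `mywebsite.crt` resolve against the nginx prefix directory (the error message shows `/etc/nginx/mywebsite.crt`), so absolute paths make the configuration unambiguous.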
Error happens when I restart nginx:
nginx: [emerg] PEM_read_bio_X509_AUX("/etc/nginx/mywebsite.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
I figured it was because the first line of the mywebsite.crt file contained 'REQUEST', so I removed 'REQUEST' from the first and last lines, restarted nginx, and hit another error:
nginx: [emerg] PEM_read_bio_X509_AUX("/etc/nginx/mywebsite.crt") failed (SSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:Field=algorithm, Type=X509_ALGOR error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:Field=signature, Type=X509_CINF error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:Field=cert_info, Type=X509 error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib)
Any idea?
You should never share your private key. You should consider the key you posted here compromised and generate a new key and signing request.
You have a certificate request and not an actual signed certificate. You provide the request ('CSR') to the signing party. They use that request to create a signed certificate ('CRT') which they then make available to you. The key is never disclosed to anyone.
FYI, you can validate the keys just by calling:
openssl x509 -noout -text -in your.crt
openssl rsa -noout -text -in your.key
In my case this error proved rather subtle: the BEGIN block started with 4 dashes, not 5. ---- vs -----. Sadly the validation tool error messages aren't very specific.
I came across this issue while searching online for SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE
I got this error after running:
nginx -t
The problem I had was that cert.pem and cert.key were missing
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
The steps on the NGINX site for combining your public certificate with an intermediate certificate use cat to combine the two files. But if your public cert file does not end in a new line, the -----BEGIN CERTIFICATE----- line of the intermediate cert will be appended to the end of the -----END CERTIFICATE----- line of the public certificate, leading to an invalid chained certificate file. Manually separating these two lines can correct the issue.
I configured the certificates wrongly in gitlab.rb file.
A simple error that took a long time to notice.
nginx['ssl_certificate'] = "/etc/gitlab/ssl/self-ssl.crt"
nginx['ssl_certificate'] = "/etc/gitlab/ssl/self-ssl.key"
Instead of
nginx['ssl_certificate'] = "/etc/gitlab/ssl/self-ssl.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/self-ssl.key"
I had the same problem; the reason was that the -----END CERTIFICATE----- line of one certificate and the -----BEGIN CERTIFICATE----- line of another happened to be on the same line, so basically:
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
This happened after I merged a few crt files into a bundle through the command line; no newline was added between the files, which corrupted the whole crt file.
I fixed it by splitting the line.
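Several answers in this thread hit the same class of PEM defect: markers fused because cat joined files without a trailing newline, four dashes instead of five, or a CSR renamed to .crt. The following is an added example, not code posted by anyone in the thread; `lint_pem`, `build_bundle` and the sample PEM texts are constructed for illustration, and the base64 bodies are placeholders rather than real certificates.

```python
import re

# A marker line exactly as OpenSSL's PEM reader expects it: five dashes on each side.
MARKER = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

def lint_pem(text, expect="CERTIFICATE"):
    """Structural lint for a PEM file about to be handed to nginx or HAProxy.
    Returns problem strings; empty means markers are well-formed and labelled as expected."""
    problems, open_label, blocks = [], None, 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r")                      # tolerate CRLF line endings
        if "----" not in line:
            continue                                 # base64 body lines contain no dashes
        if len(re.findall(r"-{4,}(?:BEGIN|END) ", line)) > 1:
            problems.append(f"line {n}: END and BEGIN markers fused on one line "
                            "(files were concatenated without a trailing newline)")
            tail = re.search(r"BEGIN ([A-Z0-9 ]+)-----$", line)   # resync on the BEGIN half
            open_label, blocks = (tail.group(1) if tail else None), blocks + 1
            continue
        m = MARKER.match(line)
        if not m:
            problems.append(f"line {n}: malformed marker {line!r} (expected five dashes on each side)")
            continue
        kind, label = m.groups()
        if kind == "BEGIN":
            if open_label is not None:
                problems.append(f"line {n}: BEGIN inside an unterminated block")
            if label != expect:                      # e.g. CERTIFICATE REQUEST or RSA PRIVATE KEY
                problems.append(f"line {n}: block is '{label}', not '{expect}'")
            open_label, blocks = label, blocks + 1
        else:
            if open_label is None:
                problems.append(f"line {n}: END without a matching BEGIN")
            elif label != open_label:
                problems.append(f"line {n}: END label '{label}' does not match BEGIN '{open_label}'")
            open_label = None
    if open_label is not None:
        problems.append("file ends inside an unterminated block")
    if blocks == 0:
        problems.append("no PEM blocks found")
    return problems

def build_bundle(*pem_texts):
    """Join PEM files the way cat should have: each part ends with one newline (leaf first)."""
    return "".join(p if p.endswith("\n") else p + "\n" for p in pem_texts)

# Constructed sample inputs; the base64 bodies are placeholders, not real certificates.
LEAF = "-----BEGIN CERTIFICATE-----\nMIIBcGxhY2Vob2xkZXItbGVhZg==\n-----END CERTIFICATE-----"  # no trailing newline
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nMIIBcGxhY2Vob2xkZXItY2E=\n-----END CERTIFICATE-----\n"
CSR = "-----BEGIN CERTIFICATE REQUEST-----\nMIIBcmVxdWVzdA==\n-----END CERTIFICATE REQUEST-----\n"
```

`lint_pem(LEAF + INTERMEDIATE)` reproduces the fused-marker result of a plain `cat`, while `lint_pem(build_bundle(LEAF, INTERMEDIATE))` returns an empty list.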
Because I was working in a different structure, I had copied the .crt and .key files from one place to another and then faced the same problem.
Actually, the problem was very simple: I had to set permissions again after copying.
In short, I solved the problem by changing the owner of the file.
sudo chown -R $USER:$USER /path/to/.key/file
(development only)