Nginx : SSL_CTX_use_PrivateKey_file (..) failed - ssl

I self-generated 2 self-signed certificates with openssl for testing purposes using:
$ sudo openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=FR/ST=Charente/L=Mornac/O=Office/CN=api.cockpit.yves" -keyout /usr/local/etc/nginx/ssl/api.cockpit.yves.key -out /usr/local/etc/nginx/ssl/api.cockpit.yves.crt
Generating a 4096 bit RSA private key
..........................................................................++
...................++
writing new private key to '/usr/local/etc/nginx/ssl/api.cockpit.yves.key'
-----
$ sudo openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=FR/ST=Charente/L=Mornac/O=Office/CN=admin.cockpit.yves" -keyout /usr/local/etc/nginx/ssl/admin.cockpit.yves.key -out /usr/local/etc/nginx/ssl/admin.cockpit.yves.crt
Generating a 4096 bit RSA private key
..................................................................................................................................................++
..............................++
writing new private key to '/usr/local/etc/nginx/ssl/admin.cockpit.yves.key'
-----
and in my nginx.conf file, I set up the HTTPS servers with:
server {
listen 8444 ssl;
server_name admin.cockpit.yves;
ssl_certificate ssl/admin.cockpit.yves.crt;
ssl_certificate_key ssl/admin.cockpit.yves.crt;
...
}
server {
listen 8445 ssl;
server_name api.cockpit.yves;
ssl_certificate ssl/api.cockpit.yves.crt;
ssl_certificate_key ssl/api.cockpit.yves.crt;
...
}
However, testing the nginx config, I get the following error:
sudo nginx -t
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/etc/nginx/ssl/admin.cockpit.yves.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: ANY PRIVATE KEY error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
What could be wrong? Is it because I try to set up 2 certificates for 2 different subdomains (admin. and api.) for the same domain cockpit.yves?
Thanks for your feedback.

Your key file probably doesn't contain your key.
I had this problem too. In my case, I'd pasted my crt into my key file (and my actual crt file was correct).
My key files begin with the string: -----BEGIN RSA PRIVATE KEY-----
and end with the string: -----END RSA PRIVATE KEY-----
In the comments under the question, Richard Smith actually suggested this as the solution. I'm posting it as an answer to help others later. Props to Richard.
UPDATE
I also experienced this message by pasting a combined cert before the cert in the crt file I fed my nginx server.

Related

Question about how to get openssl to work with Apache

So I need to create a self-signed certificate for a web page I am making with Apache. I have looked up and followed different sets of instructions but I am missing something. I am a student and have never used SSL or Apache. Apache is installed, the localhost page is up and showing the content of the HTML docs I've edited. OpenSSL is installed. So it's probably me missing something. I keep getting messages like this:
C:\Program Files\OpenSSL-Win64\bin>openssl genrsa -des3 -out server.key 1024
genrsa: Can't open "server.key" for writing, Permission denied
C:\Program Files\OpenSSL-Win64\bin>openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mysitename.key -out mysitename.crt
Generating a RSA private key
..........................+++++
...................................+++++
writing new private key to 'mysitename.key'
req: Can't open "mysitename.key" for writing, Permission denied
Any suggestions?
You are missing private key creation.
1 Private key creation
openssl genrsa -out server.key 2048
result
$ cat server.key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAr2E2AUJ+TbptdBVMxYHmUzRpOflP69SX03NyuKh75XIO4tp6
...
Fhe+gzT7QD7Dg9SdP45eQWy5jtDYu4HIcy/ha0sikBi9+8pSs6qo
-----END RSA PRIVATE KEY-----
2 Certificate Signing Request creation with #1's private key
openssl req -new -key server.key -out server.csr
Common Name needs to be localhost; the other options are the defaults or yours.
Common Name (e.g. server FQDN or YOUR name) []:localhost
result
$ cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
...
sDS9gxYfks/7zxvtBzOWR3ZZzjlenpyqqu4aYZyb
-----END CERTIFICATE REQUEST-----
3 Certificate creation
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
result
$ cat server.crt
-----BEGIN CERTIFICATE-----
MIIDOTCCAiECFB0jWF04/GTmwfh8Ph1Zqeulb0IuMA0GCSqGSIb3DQEBCwUAMFkx
...
nrp0uU09oePMMMEn5g==
-----END CERTIFICATE-----
4 Local server code in Python (file name is server.py)
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl

class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b'Hello, world!')

httpd = HTTPServer(('localhost', 4443), SimpleHTTPRequestHandler)
# ssl.wrap_socket() was removed in Python 3.12; load the cert and key into an SSLContext instead.
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile='./server.crt', keyfile='./server.key')
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
5 Local server test
python server.py

Apache2 server down Private key not found

AH02579: Init: Private key not found
I have the users ubuntu, root and www-data.
My root and ubuntu users can access the key file:
nano /etc/letsencrypt/live/server.x.com/fullchain.pem
And when I do
sudo service apache2 restart
my website gives a 521 and the Apache logs show
AH02564: Failed to configure encrypted (?) private key$
AH00016: Configuration Failed
[Mon May 25 17:19:12.374354 2020] [ssl:error] [pid 4962:tid 140701433358208] AH02579: Init: Private key not found
I have done
sudo chmod 700 /etc/letsencrypt/live/server.x.com/
sudo chmod 400 /etc/letsencrypt/live/server.x.com/fullchain.pem
But Apache still cannot find the key.
Update
Hey, I think this is something that can help with answering.
I do have 2 pem files
And when I go to the previous private key and do
ubuntu@ip-172:/etc/letsencrypt/live/app.x.com$ openssl rsa -in privkey.pem -noout -check
RSA key ok
and if I use this, then the server runs fine.
But when I add my other subdomain and create a certificate for it, then
ubuntu@ip-172:/etc/letsencrypt/live/server.x.com$ openssl rsa -in privkey.pem -noout -check
Error opening Private Key privkey.pem
140659156387480:error:0200100D:system library:fopen:Permission denied:bss_file.c:398:fopen('privkey.pem','r')
140659156387480:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load Private Key
And when I load this in the .conf file, then apache2 gives an error.
ubuntu@ip-172:/etc/letsencrypt/live/server.x.com$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
After running this command
Generating a 4096 bit RSA private key
...........................................................................................................................................................................................................................................................................++
..........++
unable to write 'random state'
writing new private key to 'key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:X
Locality Name (eg, city) []:Phillaur
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:server
Common Name (e.g. server FQDN or YOUR name) []:rajanlagah
Email Address []:rajanlagah@gmail.com
And
ls
cert.pem key.pem
And
ubuntu@ip-172:/etc/letsencrypt/live/server.x.com$ openssl rsa -in cert.pem
unable to load Private Key
140670293214872:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: ANY PRIVATE KEY
Check if SSLCertificateKeyFile is pointing to a file containing a private key, i.e.
# openssl rsa -in /opt/localhost.key -noout -check
RSA key ok
Create a self-signed certificate using openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365.

SSL/TLS with Websockets Server - go lang

I am using collider (https://github.com/webrtc/apprtc/tree/master/src/collider -a websockets server in go) and I am trying to add SSL/TLS support. For which I generated self-signed certificates:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:testwebsite.com
Organizational Unit Name (eg, section) []:Engineering
Common Name (e.g. server FQDN or YOUR name) []:www.testwebsite.com
Email Address []:testwebsite@gmail.com
When I run the collider, I see this error:
2017/06/05 21:25:50 Error Run: crypto/tls: failed to parse private key
When I generate using (based on http://www.kaihag.com/https-and-go/):
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
I get this error:
2017/06/05 22:11:31 http: TLS handshake error from <some-ip>:1082: remote error: unknown certificate
How to fix this?
Note: collider uses golang.org/x/net/websocket
I ended up obtaining the certs from: https://certbot.eff.org/#ubuntuxenial-other
certbot certonly --standalone -d example.com -d www.example.com
I had to use fullchain.pem instead of cert.pem for this collider to work:
https://github.com/webrtc/apprtc/issues/442

HAProxy 1.5-dev19 Unable to load SSL certificate

I've installed HAProxy 1.5-dev19, and I am trying to bind using SSL.
I generated OpenSSL certs and keys in /etc/ssl/certs, validated that they are there and look good, and updated haproxy.cfg as below:
openssl req -nodes -x509 -newkey rsa:2048 -keyout /etc/ssl/certs/private.key -out /etc/ssl/certs/cert.pem -days 2000
frontend XRE
bind *:9045 ssl crt /etc/ssl/certs/private.key
But I still get:
parsing [/etc/haproxy/haproxy.cfg:48] : 'bind :443' : unable to load SSL certificate from PEM file '/etc/ssl/certs/private.key'.
Proxy 'haproxyLoopback': no SSL certificate specified for bind ':443' at [/etc/haproxy/haproxy.cfg:48] (use 'crt').
Your help is appreciated,
Many thanks,
Charlie
You are pointing to the wrong file. It should be like this:
frontend XRE
bind *:9045 ssl crt /etc/ssl/certs/cert.pem
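Added example, not code from any of the posts above: a small Python checker for the file mix-ups in these threads, that is a key file that actually holds a certificate (the nginx and Apache posts), a passphrase-protected key generated without -nodes (the Go post's "failed to parse private key") and HAProxy's crt, which expects certificate and key in one PEM file. The PEM strings are constructed placeholders, and pem_labels, check_pair and check_combined are names chosen here.

```python
import re

# PEM framing: "-----BEGIN <label>-----" ... "-----END <label>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# Constructed stand-ins for files on disk; the bodies are placeholders, not real key material.
CERT = "-----BEGIN CERTIFICATE-----\nMIIDOTCC...placeholder...\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIB...placeholder...\n-----END RSA PRIVATE KEY-----\n"
ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
           "MIIEowIB...placeholder...\n-----END RSA PRIVATE KEY-----\n")

def pem_labels(text):
    """Labels of every PEM block in text, in order; a passphrase-protected
    traditional key (Proc-Type: 4,ENCRYPTED header) is reported as ENCRYPTED PRIVATE KEY."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        if label.endswith("PRIVATE KEY") and "Proc-Type: 4,ENCRYPTED" in body:
            label = "ENCRYPTED PRIVATE KEY"
        labels.append(label)
    return labels

def check_pair(cert_text, key_text):
    """Problems with a separate certificate file and key file (nginx/Apache/Go style)."""
    problems = []
    if "CERTIFICATE" not in pem_labels(cert_text):
        problems.append("certificate file has no CERTIFICATE block")
    key_labels = pem_labels(key_text)
    if not KEY_LABELS.intersection(key_labels):
        # This is what nginx reports as "no start line ... Expecting: ANY PRIVATE KEY".
        problems.append("key file has no private key block (is it really the .crt?)")
    elif "ENCRYPTED PRIVATE KEY" in key_labels:
        # Go's crypto/tls cannot read a passphrase-protected key: "failed to parse private key".
        problems.append("key is passphrase-protected; regenerate with -nodes")
    return problems

def check_combined(text):
    """Problems with one PEM file holding both cert and key (what HAProxy's 'crt' expects)."""
    labels = pem_labels(text)
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("combined file has no CERTIFICATE block")
    if not KEY_LABELS.intersection(labels):
        problems.append("combined file has no private key block")
    return problems
```

Feed it the contents of your real files with open(path).read(); an empty list means the file layout matches what the server expects.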

How to generate CSR for SSL that works with Nginx & Apache?

I want to generate the CSR file for requesting SSL (wildcard) certificate. This certificate and private key will be used on multiple machines with both Apache and Nginx.
RapidSSL states the following commands for the different setups:
Nginx
$ openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Apache Mod SSL
$ openssl genrsa -des3 -out <private key file name>.key 2048
Apache-SSL
$ openssl genrsa -des3 -out www.yourdomain-example.com.key 2048
Is there a way to generate a CSR that works with both Apache and Nginx?
Apache Mod SSL
$ openssl genrsa -des3 -out <private key file name>.key 2048
Apache-SSL
$ openssl genrsa -des3 -out www.yourdomain-example.com.key 2048
These two are obviously the exact same command, with a different way of writing the example name. They just generate the key pair, you'd need an additional req command to generate a CSR too.
genrsa generates a key pair, and req generates a CSR. However, req can perform both operations at once when using -newkey.
See OpenSSL req example documentation:
Create a private key and then generate a certificate request from it:
openssl genrsa -out key.pem 1024
openssl req -new -key key.pem -out req.pem
The same but just using req:
openssl req -newkey rsa:1024 -keyout key.pem -out req.pem
How to generate CSR for SSL that works with Nginx & Apache ...
Is there a way to generate a CSR that works with both Apache and Nginx?
A quick answer to the questions to clarify things... Nginx and Apache don't consume CSRs. They use certificates and private keys.
Perhaps you meant to say something about a self-signed certificate? If so, add the -x509 option to the openssl req command. That creates a self-signed certificate rather than a signing request.
There's a lot more to self-signed certificates (and server certificates in general). See, for example, How to create a self-signed certificate with openssl?