I'm having the same issue as Jngai1297 here: SSL Configuration Unable to read server.crt file, only I think I've spelled everything correctly.
I am trying to update our ssl certificate. We purchased a cert from startssl.com. I downloaded the ssl.key file, and retrieved my ssl.crt file, I also downloaded sub.class2.server.ca.pem and ca.pem
I ran:
openssl rsa -in ssl.key -out sslnopas.key
cat ssl.crt sub.class2.server.ca.pem ca.pem > concatenated.crt
heroku certs:update concatenated.crt sslnopass.key --app <MYAPPNAME>
with as my actual application name, but I'm getting:
Resolving trust chain... failed
! Unable to read concatenated.crt file
Is there any way I could get a better error message? I'm on the latest version of heroku toolbelt 3.6.0
Figured it out - I misspelled the sslnopass.key file! The concatenated.crt file was fine, and the error message was wrong. Looks like this is Heroku's default error message for just about anything that goes wrong with this call.
Related
After running sudo certbot --nginx -d mydomain.io -d www.mydomain.io
I'm getting:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mydomain.io/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mydomain.io/privkey.pem
For my app to work, I need private.key and certificate.crt files.
I have tried converting .pem files like so:
openssl x509 -outform der -in /etc/letsencrypt/live/mydomain.io/fullchain.pem -out certificate.crt
openssl rsa -outform der -in /etc/letsencrypt/live/mydomain.io/privkey.pem -out private.key
When trying to run my app, I'm getting this error in the browser dev tools:
WebSocket connection to 'wss://<my-ip>:<my-port>/' failed:
Error in connection establishment: net::ERR_CERT_COMMON_NAME_INVALID
On server I'm getting this error (apparently it means that my app couldn't parse the key file):
mbedtls error: returned -0x7780
So it looks like an issue with the certificate. Can you help me to figure out what I have done wrong? What could be causing this issue? Are there other ways to generate .crt and .key files, so I could double check that I didn't make a mistake?
Turns out my problem wasn't related to generating the keys, I was doing it correctly.
But the client version of my app was trying to connect to wss://<my-ip>:<my-port>/, and instead I was supposed to connect to wss://<my-domain-name>:<my-port>/.
I am running Windows Vista and am attempting to connect via https to upload a file in a multi part form but I am having some trouble with the local issuer certificate. I am just trying to figure out why this isnt working now, and go back to my cURL code later after this is worked out. Im running the command:
openssl s_client -connect connect_to_site.com:443
It gives me an digital certificate from VeriSign, Inc., but also shoots out an error:
Verify return code: 20 (unable to get local issuer certificate)
What is the local issuer certificate? Is that a certificate from my own computer? Is there a way around this? I have tried using -CAfile mozilla.pem file but still gives me same error.
I had the same problem and solved it by passing path to a directory where CA keys are stored. On Ubuntu it was:
openssl s_client -CApath /etc/ssl/certs/ -connect address.com:443
Solution:
You must explicitly add the parameter -CAfile your-ca-file.pem.
Note: I tried also param -CApath mentioned in another answers, but is does not works for me.
Explanation:
Error unable to get local issuer certificate means, that the openssl does not know your root CA cert.
Note: If you have web server with more domains, do not forget to add also -servername your.domain.net parameter. This parameter will "Set TLS extension servername in ClientHello". Without this parameter, the response will always contain the default SSL cert (not certificate, that match to your domain).
This error also happens if you're using a self-signed certificate with a keyUsage missing the value keyCertSign.
Is your server configured for client authentication? If so you need to pass the client certificate while connecting with the server.
I had the same problem on OSX OpenSSL 1.0.1i from Macports, and also had to specify CApath as a workaround (and as mentioned in the Ubuntu bug report, even an invalid CApath will make openssl look in the default directory).
Interestingly, connecting to the same server using PHP's openssl functions (as used in PHPMailer 5) worked fine.
put your CA & root certificate in /usr/share/ca-certificate or /usr/local/share/ca-certificate.
Then
dpkg-reconfigure ca-certificates
or even reinstall ca-certificate package with apt-get.
After doing this your certificate is collected into system's DB:
/etc/ssl/certs/ca-certificates.crt
Then everything should be fine.
With client authentication:
openssl s_client -cert ./client-cert.pem -key ./client-key.key -CApath /etc/ssl/certs/ -connect foo.example.com:443
Create the certificate chain file with the intermediate and root ca.
cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
chmod 444 intermediate/certs/ca-chain.cert.pem
Then verfify
openssl verify -CAfile intermediate/certs/ca-chain.cert.pem \
intermediate/certs/www.example.com.cert.pem
www.example.com.cert.pem: OK
Deploy the certific
I faced the same issue,
It got fixed after keeping issuer subject value in the certificate as it is as subject of issuer certificate.
so please check "issuer subject value in the certificate(cert.pem) == subject of issuer (CA.pem)"
openssl verify -CAfile CA.pem cert.pem
cert.pem: OK
I got this problem when my NGINX server did not have a complete certificate chain in the certificate file it was configured with.
My solution was to find a similar server and extract the certificates from that server with something like:
openssl s_client -showcerts -CAfile my_local_issuer_CA.cer -connect my.example.com:443 > output.txt
Then I added the ASCII armoured certificates from that 'output.txt' file (except the machine-certificate) to a copy of my machines certificate-file and pointed NGINX at that copied file instead and the error went away.
this error messages means that
CABundle is not given by (-CAfile ...)
OR
the CABundle file is not closed by a self-signed root certificate.
Don't worry. The connection to server will work even
you get theis message from openssl s_client ...
(assumed you dont take other mistake too)
I would update #user1462586 answer by doing the following:
I think it is more suitable to use update-ca-certificates command, included in the ca-certificates package than dpkg-reconfigure.
So basically, I would change its useful answer to this:
Retrieve the certificate (from this stackoverflow answer and write it in the right directory:
# let's say we call it my-own-cert.crt
openssl s_client -CApath /etc/ssl/certs/ -connect <hostname.domain.tld>:<port> 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /usr/share/ca-certificates/my-own-cert.crt
Repeat the operation if you need other certificates.
For example, if you need CA certs for ldaps/starttls with Active Directory, see here for how to process this + use openssl to convert it in pem/crt:
openssl x509 -inform der -in LdapSecure.cer -out my-own-ca.pem
#and copy it in the right directory...
cp my-own-ca.pem /usr/share/ca-certificates/my-own-ca.crt
Add this certificates to the /etc/ca-certificates.conf configuration file:
echo "my-own-cert.crt" >> /etc/ca-certificates.conf
echo "my-own-ca.crt" >> /etc/ca-certificates.conf
Update /etc/ssl/certs directory:
update-ca-certificate
Enjoy
Note that if you use private domain name machines, instead of legitimate public domain names, you may need to edit your /etc/hosts file to be able to have the corresponding FQDN.
This is due to SNI Certificate binding issue on the Vserver or server itself
I'm going to install SSL using OpenSSL on WAMPServer. The processes which I've been through are as follows:
I have installed apache, configured it and activated ssl module,
Added a new system variable OPENSSL_CONF:
Variable name: OPENSSL_CONF
Variable value: A:\wamp\bin\apache\apache2.4.9\conf\openssl.cnf
Restarted windows and made sure I saw the following line among the environment variables using command-line set | more command:
OPENSSL_CONF=A:\wamp\bin\apache\apache2.4.9\conf\openssl.cnf
Installed openSSL1.01Light(x64) on A:\OpenSSL and in its bin folder I have generated a key using command line command:
openssl req -new > webserver.csr
(Note that openSSL installation directory by default ain't have webserver.csr and I had to copy it from A:\wamp\bin\apache\apache2.4.9\bin directory)
The command ran and prompted me to enter a PEM pass phrase and verify it. I entered a pass phrase and verified it.
I entered information that would be incorporated into my certificate request.
I ran the following command:
openssl rsa -in privkey.pem -out webserver.key
I was prompted for the pass phrase from the previous step. The RSA key was written and the file webserver.key was then available in the folder.
Now I was going to covert the certificate into a signed one using the following command:
openssl x509 -in webserver.csr -out webserver.cert -req -signkey webserver.key -days 365
I got stock in this level that error occured with the following message:
5336:error:0906D06C:PEM routiness:PEM read bin:no start line:.\crypto\pem\pem_lib.c:703:Expecting: CERTIFICATE REQUEST
error in x509
How do I overcome this issue? Any idea? Thanks...
I followed this tutorial by rapidssl.com how to set up their SSL certificate. I did everything according to the article, but when I try to restart nginx, I get following error:
Restarting nginx: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/certs/website.co.private.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed
I have in the /etc/nginx/certs/ directory 2 files - website.co.crt and website.co.private.key.
The content of the website.co.private.key file is the key that is generatet from the command
sudo openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
In the website.co.crt file is the certificate that I received by email by SSLRapid.com + Bundled CA Version (PEM) - so basically, there are 3 blocks of certificates.
What am I missing or what could be wrong? I've create the directory /etc/nginx/certs/ as sudo mkdir, I did it also in my previous project and it was working, but not in here.
It's causing me headache, I am fighting with this issue 2nd day already and no result so far. I'll be grateful for every help.
Thank you
Check the order that you add the parts to the bundle. Getting the wrong order will cause the error you are seeing.
This is the correct order:
cat yourdomain_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt >
yourdomain.com.pem
I’m using the below snipped for setting the certificate and key for client authentication.
curl_easy_setopt(curl,CURLOPT_SSLCERT,"clientCert.pem");
curl_easy_setopt(curl,CURLOPT_SSLCERTPASSWD,"changeit");
curl_easy_setopt(curl,CURLOPT_SSLCERTTYPE,"PEM");
curl_easy_setopt(curl,CURLOPT_SSLKEY,"privateKey.pem");
curl_easy_setopt(curl,CURLOPT_SSLKEYPASSWD,"changeit");
curl_easy_setopt(curl,CURLOPT_SSLKEYTYPE,"PEM");
The certificate doesn’t have a password, I don’t know why on earth the option SSLCERTPASSWD exists, I just provided a dummy value.
When I run the program on Linux I get an error code of 58 and an error message
unable to set private key file: 'privateKey.pem' type PEM
On Windows however I get
unable to use client certificate (no key found or wrong pass phrase?)
It seems to suggest the certificate and the key don’t match but I don’t know how. I have extracted both the cert and the key from a p12 file using openssl commands.
The command I used to extract the key is
openssl.exe pkcs12 -in client.p12 -nocerts -out privateKey.pem
and the command used to extract the cert is
openssl.exe pkcs12 -in client.p12 -nokeys -out clientCert.pem
The p12 file has been successfully used in a browser to access the client authentication url.
Please help before I shoot myself.
Edit:
Here is proof that the private key and the certificate correspond to each other:
[debugbld#nagara ~/curlm]$ openssl x509 -noout -modulus -in clientCert.pem | openssl md5
d7207cf82b771251471672dd54c59927
[debugbld#nagara ~/curlm]$ openssl rsa -noout -modulus -in privateKey.pem | openssl md5
Enter pass phrase for privateKey.pem:
d7207cf82b771251471672dd54c59927
So why can’t it work?
Using the command line curl, I've got the same error using a .pem file that was also obtained with openssl from a p12 file, The p12 was also able to working properly doing client authentication when imported in a browser. Just like you described, I think.
My problem was caused because the .pem file was not listing the certificates in the proper order: seems that each certificate in the file has to be followed by its issuer certificate. I edited the file and changed the order of the sections and curl was happy.
For the record, my original .p12 file was obtained by backing up a certificate from Firefox.
Also note that in my case, I was not getting prompted for the password and was getting the
curl: (58) unable to set private key file: 'alice.pem' type PEM
before the password prompt
I was facing similar issues, I found out the problem was related to file permissions of the certificate and private key files. The process running PHP did not have read access to those files.
One thing you can try (and that helped me figuring this out) is to run the following code:
$result=openssl_get_privatekey('file://path/to/private/key.pem','password');
and check if the returned value is not false and there are no errors. I was getting:
file_get_contents(/path/to/private/key.pem): failed to open stream: Permission denied
Thanks Hugh for the thread and raugfer for the openssl hint. The later: both helpful and misleading. ;-)
Actually, I solved the problem by making sure that the path of the key file is correct. And here is why the openssl hint was misleading, dispite helping me to check if my PEM file was ok:
cURL needs the complete path, but without 'file://' prefix. While fopen is happy with a relative path, cURL is not. So, all my tests to open the key file had been successful, while cURL was not.
Btw.:
curl_easy_setopt(curl,CURLOPT_SSLCERTPASSWD,"changeit");
curl_easy_setopt(curl,CURLOPT_SSLCERTTYPE,"PEM");
curl_easy_setopt(curl,CURLOPT_SSLKEYTYPE,"PEM");
are not needed, as the password is only used to decrypt the private key and PEM is the default.