15

I am trying to install SSL on my nginx reverse proxy with certified SSL keys, but I get this message when I try to restart the server:

Restarting nginx: [emerg]: SSL_CTX_use_PrivateKey_file("/etc/nginx/conf.d/cert.key") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib) configuration file /etc/nginx/nginx.conf test failed 

All the files are root:root with 600 permissions. I've tested the certificates and they are validated with this website: http://ssltools.com/cert_key_match

There are no weird trailing characters in my keys, and they have 64 characters per line.

Here is my config file:

    server {
        listen 443;
        server_name my.domain.com;
        ssl on;
        ssl_certificate conf.d/cert.pem;
        ssl_certificate_key conf.d/cert.key;

        location / {
            proxy_pass http://upstream1;
            proxy_redirect off;
            proxy_buffering off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

Any ideas? Thank you

2
  • 1
    Are you using a chained certificate? If so, you should follow the instructions at the certificate authority. You need to include the chained certificate as well. Also, I strongly discourage you from uploading your certificates to a random website. If they're saving what's uploaded your cert has already been compromised. You can do the verification with openssl directly yourself. Commented Jan 31, 2014 at 19:43
  • Yes, I am. In my cert.pem I start with the root cert, then in the same file there is the intermediate cert. Now in my cert.key file there are two certs, where the second one starts with -----BEGIN RSA PRIVATE KEY----- Commented Feb 3, 2014 at 5:15

6 Answers

6

check here

I hope you've copy-pasted with the following lines:

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----

7
  • The cert.pem in that example acts as ssl_certificate or ssl_certificate_key? Commented Feb 3, 2014 at 5:15
  • Extension .pem always acts as certificate. Commented Feb 3, 2014 at 8:06
  • Yeah, I had it already done. I have 4 keys in those 2 files; I'll post the content of my keys here (this formatting is too good...): cert.pem : -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- cert.key -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- [...] -----END RSA PRIVATE KEY----- Commented Feb 3, 2014 at 14:38
  • 1
    cert.key MUST contain only key: -----BEGIN RSA PRIVATE KEY----- [...] -----END RSA PRIVATE KEY----- Commented Feb 3, 2014 at 15:51
  • 1
    I've resolved my issue locally. The formatting of the keys is different with nginx vs Apache, and the bundle key has 3 certificates inside it, not two. Thanks for your help IIja, it's much appreciated. Commented Feb 6, 2014 at 19:59
3

A different solution that may work for others:

Use the .pem file for both ssl_certificate and ssl_certificate_key.

That is:

    ...
    ssl on;
    ssl_certificate conf.d/cert.pem;
    ssl_certificate_key conf.d/cert.pem;
    ...

2

FYI, make sure your BEGIN block is identical to the expected block, character for character. Mine started with 4 dashes, not 5. ---- vs -----. The validation tooling error messages aren't very specific when you make this error.

2

I got the same problem (from /var/log/nginx/error.log):

2019/03/20 01:25:41 [emerg] 2509#0: SSL_CTX_use_PrivateKey_file("/etc/nginx/conf.d/sslcert/mm.merchantspring.com.au.key") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: ANY PRIVATE KEY error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib) 

Then I found my key file also needs to be chained with the certificate. After updating the key file and restarting nginx, it works.

My Env:

Nginx config file is like this:

    ssl_certificate /etc/nginx/conf.d/sslcert/mywebsite.pem;
    ssl_certificate_key /etc/nginx/conf.d/sslcert/mywebsite.key;

mywebsite.pem (chained, 4 certificates in total; cat mywebsite.crt intermediate.crt > mywebsite.pem):

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

mywebsite.key (chained with crt and key):

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----

I got the key file from the GoDaddy website instead of creating it with openssl. But I do think it would be better to do this with openssl.

1

I got this error because I accidentally used the .cer file instead of the .key file in the ssl_certificate_key directive.
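
Added example, not part of any answer in this thread: a local check for the failure modes reported above (a boundary line with the wrong number of dashes, a certificate file passed to ssl_certificate_key, no PEM block at all), plus a certificate/key comparison done with the openssl CLI rather than an upload site. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: local checks for the file given to ssl_certificate_key.

# File content with trailing whitespace (including CR) stripped per line.
pem_lines() { sed 's/[[:space:]]*$//' "$1"; }

# Labels of all well-formed BEGIN lines, in file order.
pem_labels() {
    pem_lines "$1" | sed -n 's/^-----BEGIN \([A-Z0-9 ]*\)-----$/\1/p'
}

# Count boundary-like lines that are not exactly five dashes on each side.
pem_bad_boundaries() {
    pem_lines "$1" | grep -E '^[[:space:]]*-+ *(BEGIN|END) ' |
        grep -Evc '^-----(BEGIN|END) [A-Z0-9 ]+-----$' || true
}

# Print a verdict: ok | malformed-boundary | not-pem | no-private-key
check_key_file() {
    if [ "$(pem_bad_boundaries "$1")" -gt 0 ]; then
        echo malformed-boundary; return 1
    fi
    labels=$(pem_labels "$1")
    if [ -z "$labels" ]; then echo not-pem; return 1; fi
    if printf '%s\n' "$labels" | grep -q 'PRIVATE KEY$'; then
        echo ok; return 0
    fi
    echo no-private-key; return 1
}

# True when the first certificate in $1 and the key in $2 share a public key.
# Uses the local openssl CLI, so the key never leaves the machine.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1") || return 2
    k=$(openssl pkey -pubout -in "$2") || return 2
    [ "$c" = "$k" ]
}

# Constructed sample files; the bodies are placeholders, not key material.
d=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' \
    '-----END CERTIFICATE-----' > "$d/site.cer"
printf '%s\n' '----BEGIN RSA PRIVATE KEY-----' 'AAAA' \
    '-----END RSA PRIVATE KEY-----' > "$d/four-dashes.key"
for f in "$d"/*; do
    printf '%s: %s\n' "${f##*/}" "$(check_key_file "$f" || true)"
done
rm -rf "$d"
```

check_key_file returns non-zero for every verdict other than ok, so it can run before `nginx -t` in a deploy script.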

0

    <VirtualHost *:80>
        ServerName dnstv.top
        SSLEngine on
        SSLCertificateFile /path/to/certificate.crt
        SSLCertificateKeyFile /path/to/private.key
        DocumentRoot "/var/www/html"
    </VirtualHost>
