BER: residual data after 'constructed data'

Krischu · July 31, 2025, 9:17am

When entering the fullchain.pem certs, I'm getting

BER: residual data after 'constructed' data

That's in the GUI of the Communigate Mail Server. This used to work flawlessly in the past, but this seems to be an error preventing me from
fullfilling the cert update. Any ideas?

petercooperjr · July 31, 2025, 10:11am

This sounds like you're doing some sort of manual process, which already means you're doing something out of the ordinary. Can you be a lot more specific about what actions you're taking?

My wild guess is that whatever backwards system you're using that requires some manual intervention to install a certificate is backwards enough to only support RSA certificates, and you're now requesting an ECDSA one for some reason. But that's just a wild guess.

Krischu · July 31, 2025, 3:03pm

Thanks. Yes, I'm doing a manual process using the GUI to import one after the other, the privkey.pem, cert.pem and finally the fullchain.pem into the mailserver environment.

From where do you conclude that it's an ECDSA (whatever that is) I'm now requesting? Is it the
text BER: residual data after 'constructed' data leading to that?

BTW, the server works with the new certs. The fullchain.pem got accepted. So just a "glitch" that can be ignored?

petercooperjr · July 31, 2025, 3:16pm

It was just a random guess, since sometimes systems that only expect RSA keys to exist give weird messages when they can't parse other kinds of keys.

BER is the encoding format used for most certificate files, so an error with not understanding the BER data means that it doesn't understand something. Though maybe it's not understanding that the certificate doesn't have a OCSP URL embedded anymore. Again, just wild guesses, it's hard to know what your system is meaning with so little to go on.

mcpherrinm · July 31, 2025, 3:59pm

This does suggest some sort of certificate parsing error within Communigate, but that error alone isn't enough information to know what it's unhappy about.

I think you will have to talk to the authors of Communigate to figure out where that error comes from.

webprofusion · August 1, 2025, 1:21am

If you are uploading cert.pem and privkey.pem you may be confusing it by uploading fullchain.pembecause that will also include your cert, plus intermediates. For the CA bundle you perhaps just want chain.pem.

Check that your private KEY is RSA because googling their docs suggest they only talk about RSA keys.

[Edit: some software also relies on the presence of Common Name CN in the certificate structure, but that's deprecated and in some cases removed, so check that's there]

system · August 31, 2025, 1:22am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
ECDSA certificate issuance failure in both staging and production Help	14	3103	August 29, 2016
Error parsing certificate request. Extensions in the CSR marked critical can cause this error Help	12	8899	November 21, 2016
Certificate authority no longer accepted in chrome Help	6	1806	December 13, 2015
Error unmarshaling certificate request Client dev	4	3797	December 30, 2015
Error parsing certificate request RESOLVED Help	6	6752	September 11, 2017

BER: residual data after 'constructed data'

Related topics