Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
This is supposed to be the title, but the dad-blamed thing says "can't have more than one emoji in the title." THERE ARE NO STINKING EMOJIS IN THE TITLE. I don't use emojis, my IQ is higher than room temperature in Alaska in February.
error:0906D06C:PEM routines:PEM_read_bio:no start line
DISCLAIMER--I was asked last night to help a friend who's got an antique (SuSE 11.4) mail server. Our short term plan is to replace the server with something more modern, but his domestic tranquility and stress levels will be greatly enhanced if we can get SSL working on the IMAP server so his peeps can check their email without pain. So yeah, we're out of date and we know it and it'll be fixed shortly. In the meantime...
My domain is: mail.rcousins.com
I ran this command:
grep start /var/log/mail
It produced this output:
Jul 20 21:13:31 colo7 imapd-ssl: couriertls: /etc/ssl/postfix/mail.rcousins.com.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line
But before that I ran:
./getssl mail.rcousins.com
and it produced:
-rw-r--r-- 1 root root 2.5K Jul 20 20:50 mail.rcousins.com.crt
-rw-r--r-- 1 root root 1.7K Jul 20 20:50 ca_cert.crt
in the /etc/ssl/postfix directory and:
x:~/.getssl/mail.rcousins.com/archive/2018_07_20_20_50 # ls -lthr
total 24K
-rw------- 1 root root 2.5K Jul 20 20:50 mail.rcousins.com.crt
-rw------- 1 root root 1.6K Jul 20 20:50 mail.rcousins.com.csr
-rw------- 1 root root 3.2K Jul 20 20:50 mail.rcousins.com.key
-rw------- 1 root root 1.7K Jul 20 20:50 chain.crt
-rw------- 1 root root 4.1K Jul 20 20:50 fullchain.crt
in, well, you see the path.
My -web-server- IMAP server is (include version):
Courier-imapd-ssl, version "ancient"...err...4.8
The operating system my IMAP server runs on is (include version):
SuSE 11.4
My hosting provider, if applicable, is: NA
I can login to a root shell on my machine (yes or no, or I don't know):
Yes.
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Control panel? I've heard of those things... Is that like a GUI all those kids are using today? Bah, new-fangled nonsense if you ask me. GET OFF MY LAWN.
As indicated above, I'm using the getssl script I found on GitHub because fighting my way through the Python dependencies on an 8-year-old box is not something I really wanted to do on a Friday night (10:30 and I'm still NOT DRINKING. WHAT IS WRONG HERE!).
I used the CA="https://acme-staging.api.letsencrypt.org" for testing, then switched to:
CA="https://acme-v01.api.letsencrypt.org"
Here's the top level getssl.conf:
grep -v "^#" ../getssl.cfg | sed '/^$/d'
CA="https://acme-v01.api.letsencrypt.org"
ACCOUNT_EMAIL="petro@(censored)"
ACCOUNT_KEY_LENGTH=4096
ACCOUNT_KEY="/root/.getssl/account.key"
PRIVATE_KEY_ALG="rsa"
REUSE_PRIVATE_KEY="true"
RENEW_ALLOW="30"
SERVER_TYPE="https"
CHECK_REMOTE="true"
and the getssl.conf in the mail.rcousins.com directory is:
grep -v "^#" getssl.cfg | sed '/^$/d'
SANS=""
ACL=('/srv/www/htdocs/.well-known/acme-challenge')
USE_SINGLE_ACL="true"
DOMAIN_CERT_LOCATION="/etc/ssl/postfix/mail.rcousins.com.crt"
DOMAIN_KEY_LOCATION="/etc/ssl/postfix/mail.rcousins.com.key"
CA_CERT_LOCATION="/etc/ssl/postfix/ca_cert.crt"
RELOAD_CMD="service courier-imap-ssl restart"
SERVER_TYPE="imaps"
CHECK_REMOTE="true"
The certificates appear to have generated fine, "openssl x509 -in mail.rcousins.com.crt -text" and "openssl x509 -in ca_cert.crt -text" produce stuff that looks right to my eye (which is NOT a practiced eye).
However when I point courier IMAPD at them:
TLS_CERTFILE=/etc/ssl/postfix/mail.rcousins.com.crt
TLS_TRUSTCERTS=/etc/ssl/postfix/ca_cert.crt
and then restart the daemon I get:
Jul 20 21:13:31 colo7 imapd-ssl: couriertls: /etc/ssl/postfix/mail.rcousins.com.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line
in /var/log/mail
and no one can connect to the imapd server.
What did I screw up?
Edited to add: I did do a DuckDuckGo search for the error message, but it was long on actions specific to the generator used, and short on generic "here's where you messed up". Please tell me where I messed up so I can learn from this.
(written
And also the error message is quite unhelpful because instead of giving the low-level nondescript OpenSSL message about a missing PEM object, Courier could just say “I expected to load a private key from this file, but couldn’t”!
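As an added illustration of the point made in that reply (this is example code written for this page, not part of the original post, getssl, or Courier): the "no start line" message comes from OpenSSL's PEM reader when it cannot find the "-----BEGIN ...-----" marker for the object it was asked to load. Courier's TLS_CERTFILE is read for a private key as well as a certificate, so pointing it at a file that holds only the certificate (the mail.rcousins.com.crt that getssl wrote, with the key in a separate .key file) produces exactly that error. The functions below list the PEM object types in a file, report what a Courier-style combined file is missing, and build the combined file (key first, then certificate, then any chain) with mode 0600 because it now carries the private key. The sample PEM bodies in the usage comments and test are constructed placeholders, not real key material, and the file names are assumptions.

```shell
#!/bin/sh
# PEM inspection helpers for a Courier-style TLS_CERTFILE (added example, not project code).

# Print the label of every "-----BEGIN <label>-----" line in a PEM file,
# one per line, e.g. "CERTIFICATE" or "RSA PRIVATE KEY".
pem_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Return 0 when the file holds both a private key block and a certificate block,
# which is what a single combined TLS_CERTFILE needs; otherwise say what is
# missing on stderr and return 1.
check_courier_pem() {
    types=$(pem_types "$1")
    status=0
    if ! printf '%s\n' "$types" | grep -q 'PRIVATE KEY$'; then
        echo "$1: no PRIVATE KEY block (couriertls reports PEM_read_bio:no start line)" >&2
        status=1
    fi
    if ! printf '%s\n' "$types" | grep -q '^CERTIFICATE$'; then
        echo "$1: no CERTIFICATE block" >&2
        status=1
    fi
    return $status
}

# Build the combined file from separate key and certificate files (plus an
# optional chain file), key first. The result contains the private key, so it
# is created with mode 0600 via a subshell umask. Fails if an input lacks the
# expected block or the output does not pass check_courier_pem.
build_courier_pem() {
    key=$1; cert=$2; out=$3; chain=$4
    pem_types "$key"  | grep -q 'PRIVATE KEY$' || { echo "$key: not a private key" >&2; return 1; }
    pem_types "$cert" | grep -q '^CERTIFICATE$' || { echo "$cert: not a certificate" >&2; return 1; }
    if [ -n "$chain" ]; then
        ( umask 077; cat "$key" "$cert" "$chain" > "$out" )
    else
        ( umask 077; cat "$key" "$cert" > "$out" )
    fi
    check_courier_pem "$out"
}

# Usage (hypothetical paths, matching the layout in the post):
#   sh pemcheck.sh /etc/ssl/postfix/mail.rcousins.com.crt
#   -> reports the missing PRIVATE KEY block and exits 1
#   build_courier_pem /etc/ssl/postfix/mail.rcousins.com.key \
#                     /etc/ssl/postfix/mail.rcousins.com.crt \
#                     /etc/ssl/postfix/mail.rcousins.com.pem \
#                     /etc/ssl/postfix/ca_cert.crt
#   -> then point TLS_CERTFILE at the .pem file
if [ "$#" -gt 0 ]; then
    check_courier_pem "$1"
fi
```

The check only looks at PEM framing, which is all the error message is about; it does not validate that the key matches the certificate (openssl x509 -noout -modulus and openssl rsa -noout -modulus would do that). Run check_courier_pem against the file named in TLS_CERTFILE before restarting the daemon, and keep the combined file out of world-readable modes, unlike the 0644 certificate files in the post, since it holds the key.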