Error in chain.pem and fullchain.pem file

Environment:

  • certbot 0.31.0
  • Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64 GNU/Linux
  • self-hosted CA (Nexus CM)

With my server I create a request via certbot to get a new certificate. This succeeds without any problems. If I then want to call “certbot certificates”, I get the following error.

acme@ACME-Client:/etc/letsencrypt$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
verifying the signature of the cert located at /etc/letsencrypt/live/acme-client.domain.com/cert.pem has failed.                 Details: Unable to load certificate. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details.
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/crypto_util.py", line 237, in verify_renewable_cert_sig
    chain = x509.load_pem_x509_certificate(chain_file.read(), default_backend())
  File "/usr/lib/python3/dist-packages/cryptography/x509/base.py", line 50, in load_pem_x509_certificate
    return backend.load_pem_x509_certificate(data)
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 1170, in load_pem_x509_certificate
    "Unable to load certificate. See https://cryptography.io/en/la"
ValueError: Unable to load certificate. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details.
Renewal configuration file /etc/letsencrypt/renewal/acme-client.domain.com.conf produced an unexpected error: verifying the signature of the cert located at /etc/letsencrypt/live/acme-client.domain.com/cert.pem has failed.                 Details: Unable to load certificate. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details.. Skipping.

When I checked the chain.pem file, I found out why the error occurred. This file (and also fullchain.pem) was not created in the correct format according to RFC1421. The header is incomplete and the individual lines do not consist of exactly 64 characters (except the last one).
It starts with ICATE----- followed by one line with the base64 data and the third and last line -----END CERTIFICATE-----
Once I customize the file to -----BEGIN CERTIFICATE-----, the command works fine. The file cert.pem is correctly formatted.
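The framing defects described above (a truncated BEGIN line and a base64 body that is not broken into 64-character lines) are easy to detect before a consumer like certbot chokes on them. The following is an added example and not code from the original post, from certbot or from Nexus CM: a stdlib-only Python checker that walks every block in a chain.pem or fullchain.pem, reports header, line-length and base64 problems, and can re-wrap DER bytes into canonical PEM. The `FAKE_DER` bytes are a constructed stand-in (a DER SEQUENCE tag followed by filler), not a real certificate.

```python
"""Sanity-check PEM certificate framing (RFC 1421 style) before handing a chain to certbot.

Added example, not certbot's or Nexus CM's own code. Uses only the standard library so it
can run on a bare ACME client host. It checks framing only; it does not validate signatures.
"""
import base64
import binascii
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def check_pem_chain(text):
    """Return a list of human-readable findings; an empty list means the framing is well formed."""
    findings = []
    lines = [ln.strip() for ln in text.splitlines()]
    blocks = 0
    i = 0
    while i < len(lines):
        line = lines[i]
        if not line:
            i += 1
            continue
        # Anything ending in '-----' that is not an END line is treated as a (possibly damaged)
        # header, so a truncated 'ICATE-----' still gets its body inspected.
        if not (line.endswith("-----") and line != END):
            findings.append(f"line {i + 1}: stray text outside a certificate block: {line[:40]!r}")
            i += 1
            continue
        blocks += 1
        if line != BEGIN:
            findings.append(f"line {i + 1}: damaged header {line!r}, expected {BEGIN!r}")
        # Collect the base64 body up to the END line.
        body = []
        j = i + 1
        while j < len(lines) and lines[j] != END:
            body.append(lines[j])
            j += 1
        if j >= len(lines):
            findings.append(f"line {i + 1}: block is missing {END!r}")
            return findings
        # RFC 1421: every body line is exactly 64 characters except the last, which is 1..64.
        for k, b in enumerate(body):
            last = k == len(body) - 1
            if (not last and len(b) != 64) or (last and not 0 < len(b) <= 64):
                bound = "at most 64" if last else "exactly 64"
                findings.append(f"line {i + 2 + k}: base64 line is {len(b)} chars, expected {bound}")
        # The body must decode, and a DER certificate always starts with a SEQUENCE tag (0x30).
        try:
            der = base64.b64decode("".join(body), validate=True)
            if not der or der[0] != 0x30:
                findings.append(f"line {i + 1}: decoded body does not start with a DER SEQUENCE (0x30)")
        except binascii.Error as exc:
            findings.append(f"line {i + 1}: body is not valid base64 ({exc})")
        i = j + 1
    if blocks == 0:
        findings.append("no certificate block found")
    return findings


def wrap_der(der):
    """Emit DER bytes as a canonical PEM block: full header, 64-character lines, full trailer."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[n:n + 64] for n in range(0, len(b64), 64)]
    return "\n".join([BEGIN] + body + [END]) + "\n"


# Constructed stand-in for a DER certificate: SEQUENCE tag plus filler bytes. NOT a real cert;
# it only exercises the framing checks.
FAKE_DER = b"\x30" + bytes(range(1, 100))
GOOD_PEM = wrap_der(FAKE_DER)
# The damaged shape from the report: truncated header, whole body on one line, proper END line.
BAD_PEM = "ICATE-----\n" + base64.b64encode(FAKE_DER).decode("ascii") + "\n" + END + "\n"

if __name__ == "__main__":
    # Usage: python pem_check.py /etc/letsencrypt/live/<name>/chain.pem [fullchain.pem ...]
    for path in sys.argv[1:]:
        with open(path, encoding="ascii") as fh:
            problems = check_pem_chain(fh.read())
        print(f"{path}: {'OK' if not problems else ''}")
        for p in problems:
            print("  " + p)
```

Running it against the live directory gives a per-file verdict, and `wrap_der` is the shape a CA integration should produce for every certificate in the chain; when a chain only has broken framing but intact base64, re-wrapping the decoded bytes with `wrap_der` recovers a file certbot can load.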

Hi @artido, welcome to the community forum :wave:

Are you certain that this isn’t a bug with your self-hosted Nexus CM instead of Certbot? I don’t know for certain but I suspect Certbot does minimal processing of the certificate chain returned from the RFC 8555 order certificate URL.

If you think it was Certbot that mishandled the PEM headers I think opening an issue on the Certbot github page with as much information as you can provide will be the best path to a solution.

Bug reported in github.
Thanks
