Node/Express server: PEM_read_bio:no start line

Hello. Many thanks to you for the great service.

I have a problem with reading fullchain.pem or privkey.pem (not sure) via fs.readFileSync . I tried both standalone and webroot versions. I am using Express with Node on Ubuntu 16.

This is the error I am receiving:
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line

I am using symlinks from live folder, so it is not the reason…

fullchain.pem or privkey.pem structures look fine…

This is what I have in the log:
2017-08-29 12:13:45,793:DEBUG:certbot.main:certbot version: 0.17.0
2017-08-29 12:13:45,793:DEBUG:certbot.main:Arguments: [’-q’]
2017-08-29 12:13:45,793:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-08-29 12:13:45,807:DEBUG:certbot.log:Root logging level set at 30
2017-08-29 12:13:45,808:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-08-29 12:13:45,819:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f7704578390> and installer <certbot.cli._Default object at 0x7f7704578390>
2017-08-29 12:13:45,819:DEBUG:certbot.cli:Default Detector is Namespace(account=<certbot.cli._Default object at 0x7f77045c36d0>, agree_dev_preview=None, allow_subset_of_names=<certbot.cli._Default object at 0x7$
2017-08-29 12:13:45,832:INFO:certbot.renewal:Cert not yet due for renewal
2017-08-29 12:13:45,832:DEBUG:certbot.renewal:no renewal failures

Please fill out the fields below so we can help you better.

My domain is:

I ran this command: ./letsencrypt-auto certonly --standalone --email -d
and I also tried with webroot

It produced this output:
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for
Waiting for verification…
Cleaning up challenges


  • Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your cert will expire on 2017-11-27. To obtain a new or tweaked
    version of this certificate in the future, simply run
    letsencrypt-auto again. To non-interactively renew all of your
    certificates, run “letsencrypt-auto renew”

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt:
    Donating to EFF:

My web server is (include version): I am using Node 7.10.1 with Express 4.13.3

The operating system my web server runs on is (include version): Ubuntu 16

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Hi @Badbreaddead,

From the Certbot logs you shared it seems like your certificate was issued successfully.

Can you share the code that you're using to read the certificates or the configuration for the Express/Node server? I suspect that's where the problem lies.

Hi, @cpu
Yes, of course

const hskey = fs.readFileSync(’/etc/letsencrypt/live/’, ‘utf8’);
const hscert = fs.readFileSync(’/etc/letsencrypt/live/’, ‘utf8’);

const serverOptions = {
key: hskey,
cert: hscert

const httpsPort = process.env.PORT || 443;
const httpPort = process.env.PORT2 || 80;
const host = ‘’;

const app = express();

const httpServer = http.createServer(app);
const httpsServer = https.createServer(serverOptions, app);

.on(‘error’, console.log)
.on(‘disconnected’, connect)
.once(‘open’, listen);

function connect() {
const options = {server: {socketOptions: {keepAlive: 1}}};
return mongoose.connect(‘mongodb://bot:bot@’).connection;

function listen() {
if (app.get(‘env’) === ‘test’) return;
httpServer.listen(httpPort, host);
httpsServer.listen(httpsPort, host);
console.log('Express app started on ports: https - ’ + httpsPort + ’ and http - ’ + httpPort);

Hi @Badbreaddead,

Have you checked what values are being read in hskey and hscert? I’m not a Node developer but based on the error you’re seeing it seems like perhaps the PEM content of either the certificate or key are not being read correctly.

I’m going to update the title of this issue to try and draw some input from other Node developers who likely know more about express and this error than I do.

Node doesn’t like the chain and certificate served in one file.

Try this instead:

const hskey = fs.readFileSync('/etc/letsencrypt/live/', 'utf8');
const hscert = fs.readFileSync('/etc/letsencrypt/live/', 'utf8');
const hschain = fs.readFileSync('/etc/letsencrypt/live/', 'utf8');

const serverOptions = {
  key: hskey,
  cert: hscert,
  ca: [hschain]

Thank you. This helped


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.