SSL Private Key error

Hi,
I copied my privacy.pem and full chain.pem keys from docker for safe copy because it was generated in a docker container. When I try to use them I get this error:
cannot load certificate key "/etc/letsencrypt/live/tcwlmd.com/privkey.pem": PEM_read_bio_PrivateKey() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: ANY PRIVATE KEY)

I checked the keys on Certificate Decoder - Decode certificates to view their contents and it's valid

    listen 443 ssl; # managed by Certbot
    server_name tcwlmd.com www.tcwlmd.com dev.tcwlmd.com;
    ssl_certificate /etc/letsencrypt/live/tcwlmd.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tcwlmd.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

Hi @molayodecker

Check that file with an editor.

First line should look like

-----BEGIN EC PRIVATE KEY-----

or RSA instead of EC.

The last line should look like

-----END EC PRIVATE KEY-----

(or RSA).

You mean you've uploaded your private keys to a WEBSERVICE?!?

Great. Now you can revoke the corresponding certificates and issue new ones with a different key, as the private key now isn't private any longer.


Yeah, at this point I need to create a new one anyway. I was desperate.
I didn't know I could use openssl rsa -noout -check -in /etc/letsencrypt/live/yourdomain.tld/privkey.pem

Just for correctness, it's now:

-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----

not:

-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----


Can be tested with:

<?php
// Generate an EC key (prime256v1) and print its PEM form to see the header line.
$configargs = ["digest_alg" => "sha256", "curve_name" => "prime256v1", "private_key_type" => OPENSSL_KEYTYPE_EC];
$privateKeyResource = openssl_pkey_new($configargs);
openssl_pkey_export($privateKeyResource, $privateKeyPEM);
echo "<pre>", $privateKeyPEM, "</pre>";

echo "<br>";

// Do the same for a 2048-bit RSA key.
$configargs = ["digest_alg" => "sha256", "private_key_bits" => 2048, "private_key_type" => OPENSSL_KEYTYPE_RSA];
$privateKeyResource = openssl_pkey_new($configargs);
openssl_pkey_export($privateKeyResource, $privateKeyPEM);
echo "<pre>", $privateKeyPEM, "</pre>";
?>

here:


This is the error I got
unable to load Private Key
4573642412:error:0DFFF0A8:asn1 encoding routines:CRYPTO_internal:wrong tag:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.2/libressl-2.8/crypto/asn1/tasn_dec.c:1144:
4573642412:error:0DFFF03A:asn1 encoding routines:CRYPTO_internal:nested asn1 error:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.2/libressl-2.8/crypto/asn1/tasn_dec.c:717:
4573642412:error:0DFFF03A:asn1 encoding routines:CRYPTO_internal:nested asn1 error:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.2/libressl-2.8/crypto/asn1/tasn_dec.c:646:Field=version, Type=PKCS8_PRIV_KEY_INFO
4573642412:error:09FFF00D:PEM routines:CRYPTO_internal:ASN1 lib:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.2/libressl-2.8/crypto/pem/pem_pkey.c:143:

I'm not exactly sure what you ran and where.


Agreed.
@molayodecker, you need to provide the complete command used so that we can try to replicate the problem and/or troubleshoot/research it further.


The only "solution" I can find online, thus far, is weird but so is this problem.
It says to make sure the file ends with "\n" [a "newline"].
So I would edit the .pem type file and simply append an "enter" at the very end; so that it adds the new blank line and then just exit saving the .pem type file.

If the file is not of .pem type then this modification should not be attempted.

From the "--- begin" and "--- end" seen above I suspect you are dealing with a .pem type file.
But you never know who might read this down the road 🙂

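A local check for the framing problems raised in this thread (BEGIN/END lines, a non-key PEM where a key is expected, a missing trailing newline), so the file never has to leave the machine. This is an added example, not code from any of the posts; `check_pem_key` and the sample data are constructed for illustration, and it inspects only the PEM framing, not the key itself.

```python
import base64
import re

# Common private-key labels (not exhaustive; DSA, for example, is omitted).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
MARKER = re.compile(r"-----(BEGIN|END) ([A-Z0-9 ]+)-----")

def check_pem_key(data: bytes) -> list:
    """Return framing problems found in a PEM key file ([] means none)."""
    problems = []
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 BOM before the first line")
        data = data[3:]
    if not data.endswith(b"\n"):
        problems.append("no trailing newline")
    text = data.decode("ascii", errors="replace")
    # Drop blank lines and trailing whitespace (CRLF included) before matching.
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return problems + ["file is empty"]
    begin = MARKER.fullmatch(lines[0])
    end = MARKER.fullmatch(lines[-1])
    if not (begin and begin.group(1) == "BEGIN"):
        problems.append("first line is not a BEGIN marker")
        begin = None
    if not (end and end.group(1) == "END"):
        problems.append("last line is not an END marker")
        end = None
    if begin and begin.group(2) not in KEY_LABELS:
        problems.append("label %r is not a private key" % begin.group(2))
    if begin and end:
        if begin.group(2) != end.group(2):
            problems.append("BEGIN and END labels differ")
        # Skip "Proc-Type:"/"DEK-Info:" headers of legacy encrypted keys.
        body = "".join(ln.strip() for ln in lines[1:-1] if ":" not in ln)
        try:
            if not base64.b64decode(body, validate=True):
                problems.append("empty body")
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("body is not valid base64")
    return problems

# Constructed sample: the body is filler text, not real key material.
BODY = base64.b64encode(b"constructed filler bytes, not a real key").decode()
GOOD = ("-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n" % BODY).encode()

if __name__ == "__main__":
    print(check_pem_key(GOOD))
```

A clean result only means the file is framed like a PEM private key; whether the key itself parses is still a job for a local `openssl` check such as the one quoted earlier in the thread.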
