I've been setting up SSL for my domain today, and have struck another issue - I was hoping someone could shed some light on..
I'm getting a few error messages
[error] Init: Unable to read server certificate from file /etc/apache2/domain.com.ssl/domain.com.crt/domain.com.crt [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
I'm running Apache 2.2.16 and Ubuntu 10.10. My .crt file has the Begin and End tags, and has been copied exactly from the confirmation email I received, very frustrating!
Edit >> When trying to verify the .crt It doesn't seem to work:
>> openssl x509 -noout -text -in domain.com.crt unable to load certificate 16851:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
>> openssl x509 -text -inform PEM -in domain.com.crt unable to load certificate 21321:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
>> openssl x509 -text -inform DER -in domain.com.crt unable to load certificate 21325:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1316: 21325:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509
Edit>> (Cheers for the help by the way)
>> grep '^-----' domain.com.crt -----BEGIN CERTIFICATE----- -----END CERTIFICATE-----
Just emailed the company providing the Certificate, they responded>
I have checked the CSR file that you have provided and I can assure that this was correctly generated. The error that you are currently encountering is caused because you are using a wrong command line for installing the CSR. You will need to modify this domain.com.crt from your command line with the according name of your domain.
- currently the crt is set up to mysite.com.crt - I've used domain.com.crt as an example
Is it possible that the lines are m-terminated? This is a potential problem when moving files from windows to unix systems One easy way to check is to use
vi in "show me the binary" mode, with
vi -b /etc/apache2/domain.ssl/domain.ssl.crt/domain.com.crt .
If each line ends with a control-M, like this
-----BEGIN CERTIFICATE-----^M MIIDITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBM^M MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg^M THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0wOTEyMTgwMDAwMDBaFw0x^M
you've got a file in Windows line-terminated format, and apache doesn't love those.
Your options include moving the file over again, taking more care; or using the
dos2unix command to strip those out; you can also remove them inside vi, if you're careful.
Edit : thanks to @dave_thompson_085, who points out that this answer no longer applies in 2019. The apacheopenssl are now tolerant of m-terminated lines so they don't cause problems Other formatting errors several different examples of which appear in the comments can still cause problems if the certificate has been moved across systems