SSL Error - unable to read server certificate from file

Solution 1:

Is it possible that the lines are ^M-terminated? This is a potential issue when moving files from Windows to UNIX systems. One easy way to check is to use vi in "show me the binary" mode, with vi -b /etc/apache2/domain.ssl/domain.ssl.crt/domain.com.crt.

If each line ends with a control-M, like this

-----BEGIN CERTIFICATE-----^M
MIIDITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBM^M
MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg^M
THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0wOTEyMTgwMDAwMDBaFw0x^M

you've got a file in Windows line-terminated format, and apache doesn't love those.

Your options include moving the file over again, taking more care; or using the dos2unix command to strip those out; you can also remove them inside vi, if you're careful.

Edit: thanks to @dave_thompson_085, who points out that this answer no longer applies in 2019. That is, Apache/OpenSSL are now tolerant of ^M-terminated lines, so they don't cause problems. That said, other formatting errors, several different examples of which appear in the comments, can still cause problems; check carefully for these if the certificate has been moved across systems.

Solution 2:

For anyone arriving at this page with a similar error when trying to read a Certificate Signing Request (CSR) (note that OP is reading a certificate): make sure to use the right OpenSSL command. x509 is for certificates and req is for CSRs:

openssl req -in server.csr -text -noout

vs

openssl x509 -in server.crt -text -noout

Solution 3:

>> openssl x509 -noout -text -in domain.com.crt 
unable to load certificate
16851:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE

I suspect that you have a problem with the format of the certificate.

Run both of two following commands and give us the output:

openssl x509 -text -inform DER -in domain.com.crt 
openssl x509 -text -inform PEM -in domain.com.crt

Solution 4:

Just went round and round in circles on this, and it turned out I had the certificates around the wrong way - e.g.

SSLCertificateFile    /etc/apache2/ssl/server.key
SSLCertificateKeyFile /etc/apache2/ssl/server.crt

instead of:

SSLCertificateFile    /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

Something to check if you're getting this error.

Solution 5:

In my case, I found my certificate had different "-" characters. Must have been a copy/paste issue from the admin that placed the cert onto the server, with the text editor replacing -- with a special unicode character along the way.

This took hours to diagnose, and in the end I just guessed at it, and edited the cert in vi and deleted the existing "-" characters, and retyped them.

Hope this helps someone.

Tags:

Ssl

Ssl Certificate

Recent Posts