PEM routines:PEM_read_bio:bad end line
I'm trying to parse the developer certificate in the embedded.mobileprovision file. First I use

security cms -D -i embedded.mobileprovision

to get the base64 developer certificate string.

Then I split the string every 64 characters and stored it in a file named dev.cer.

Finally, I add -----BEGIN CERTIFICATE----- as the first line and -----END CERTIFICATE----- at the end of the file.

On my Mac, I right-click the dev.cer file and the developer information is all there. However, when I use openssl x509 -in dev.cer -text -noout, an error comes out:

unable to load certificate
69721:error:0906D066:PEM routines:PEM_read_bio:bad end line:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.6/src/crypto/pem/pem_lib.c:747:

The dev.cer file is following:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE----

By the way, I used an online certificate decoder to decode dev.cer, and it works well. Here is the URL:

https://www.sslshopper.com/certificate-decoder.html

This site recommended using openssl, but it failed.

Phyllida answered 12/7, 2017 at 5:8 Comment(0)
I had the same problem as sunnycomes and his comment was correct. I was lacking a '-' at the very end of the last line of the file. Before I had:

-----END CERTIFICATE----

and changing it to:

-----END CERTIFICATE-----

fixed it. I've learnt that I have to be careful when copying certificates text from a terminal.

Alcyone answered 13/9, 2017 at 1:19 Comment(0)
Extra note: When a PEM file contains a CA and sub-CA chain, be sure that -----END CERTIFICATE----- and -----BEGIN CERTIFICATE----- are not on the same line.

Hog answered 30/3, 2018 at 7:18 Comment(2)
THIS! For some reason my cert provider (Sectigo via Namecheap) changed the output of their system. Last year I could cat them without issue; this year, doing so caused the END and BEGIN to be on the same line, triggering errors! - Abstemious
This worked for me. I had the same issue: BEGIN and END on the same line. Separated both into two lines and it worked. Thanks. - Admiralty
tl;dr

Make sure that there are exactly five dashes ----- surrounding the beginning and end tags.

More about PEM certificates

Correct certificate formatting

The official RFC 7468 document about textual encoding of certificates states the following rules:

  • the content of each certificate must be surrounded with BEGIN CERTIFICATE and END CERTIFICATE tags like so:

    -----BEGIN CERTIFICATE-----
    bGlhbmNlIG9uIHRoaXMgY2VydGlmaWNhdGUgYnkgYW55IHBhcnR5IGFzc3Vt...
    -----END CERTIFICATE-----
    
  • the tags themselves must have exactly five dashes ----- in front of them at the beginning of the line and exactly five dashes ----- behind them at the end of the line

Common errors

  • one dash was accidentally omitted at the beginning or at the end of the certificate while copy-pasting

  • there are two encapsulation boundaries on the same line, like so:

    -----END CERTIFICATE----------BEGIN CERTIFICATE-----
    

    (ending one certificate and directly starting a new one on the same line won't work, because then there are ten dashes instead of five and the certificate parser can no longer detect the tags correctly)

  • there is a blank line after the beginning tag or before the end tag

Chaining certificates correctly

Some web servers need all SSL/TLS (root, intermediate and end-user) certificates in one file but CAs normally send you all their certificates separated, so you need to concatenate them manually. But pay attention while concatenating them because their order is important!

The correct order of a chained certificate is:

  1. end-user certificate
  2. all intermediate certificates
  3. root certificate

To concatenate all certificates correctly you can use the following bash command:

cat end-user.crt <(echo) intermediate.pem <(echo) root.crt > bundled.crt

Make sure to replace end-user.crt, intermediate.pem and root.crt with your filenames.

By the way: both .pem and .crt are valid SSL certificate file endings/encodings. You can read more about SSL files here.

Phthalein answered 5/10, 2018 at 12:27 Comment(0)
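The chaining rules above (end-user first, then intermediates, then root, each block with its own boundary lines) can be checked mechanically instead of by eye. The script below is an added example written for this page, not code from the answer or from OpenSSL. It pulls every certificate block out of one or more PEM texts with a splitter that tolerates the damaged forms reported in this thread (END fused to the next BEGIN, four-dash boundaries, CRLF, tabs), re-emits each block in canonical form, and verifies the order by comparing each certificate's issuer Name with the next certificate's subject Name, read straight from the DER with a minimal TLV walker. `fake_cert` builds constructed, unsigned X.509 fixtures for the demo; the CA names in `__main__` are hypothetical.

```python
import base64
import re

# Tolerant splitter for the damaged inputs seen in this thread: any run of
# dashes around the labels, END fused to the next BEGIN, CRLF or tabs in the
# body.  The body is still strictly validated as base64, so garbage is rejected.
_BLOCK = re.compile(r"-+BEGIN CERTIFICATE-+(.*?)-+END CERTIFICATE", re.S)


def extract_ders(pem_text):
    """Return the DER bytes of every CERTIFICATE block in pem_text, in order."""
    return [base64.b64decode(re.sub(r"\s+", "", body), validate=True)
            for body in _BLOCK.findall(pem_text)]


def to_pem(der):
    """Canonical PEM block: five-dash boundaries on their own lines, 64-char body lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def _tlv(buf, pos):
    """Minimal DER walk: (tag, start of value, end of element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def subject_issuer(der):
    """(subject, issuer) of an X.509 certificate as raw DER Name encodings.

    Names are compared bytewise; that is enough for an order check because a
    CA writes its own subject Name verbatim into the issuer field it signs.
    """
    _, pos, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # [0] EXPLICIT version, optional
        pos = end
    fields = []                             # serialNumber, signature, issuer, validity, subject
    while len(fields) < 5:
        _, _, end = _tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[4], fields[2]


def chain_errors(ders):
    """Describe every place where certificate i is not issued by certificate i+1."""
    errors = []
    for i in range(len(ders) - 1):
        _, issuer = subject_issuer(ders[i])
        subject, _ = subject_issuer(ders[i + 1])
        if issuer != subject:
            errors.append(f"certificate {i} is not issued by certificate {i + 1}")
    return errors


def bundle_chain(*pem_inputs):
    """Join certificate texts in end-user -> intermediates -> root order.

    Each argument may hold several blocks (a CA bundle).  Raises ValueError
    when the order is wrong, the mistake a plain `cat` cannot detect.
    """
    ders = [d for text in pem_inputs for d in extract_ders(text)]
    if not ders:
        raise ValueError("no certificate blocks found")
    errors = chain_errors(ders)
    if errors:
        raise ValueError("; ".join(errors))
    return "".join(to_pem(d) for d in ders)


# --- constructed fixtures for the demo (hypothetical, not real certificates):
# a structurally valid Certificate with CN-only names and an empty signature.
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_cert(subject_cn, issuer_cn):
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))
    def name(cn):                           # Name ::= SEQUENCE OF SET OF (OID commonName, UTF8String)
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, cn.encode()))))
    validity = _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"300101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
               + name(issuer_cn) + validity + name(subject_cn))
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))


if __name__ == "__main__":
    leaf = to_pem(fake_cert("www.example.test", "Example Intermediate CA"))
    inter = to_pem(fake_cert("Example Intermediate CA", "Example Root CA"))
    root = to_pem(fake_cert("Example Root CA", "Example Root CA"))
    damaged = leaf.rstrip("\n") + inter     # what `cat` produces when leaf lacks a final newline
    print(bundle_chain(damaged, root))      # clean bundle, boundaries on their own lines
    print(chain_errors(extract_ders(root + inter + leaf)))   # wrong order is reported
```

With real certificates the same order check, plus the signatures, is what `openssl verify -CAfile root.crt -untrusted intermediate.pem end-user.crt` performs; the script above only confirms that the blocks are intact and in the order a web server expects before you hand the bundle to it.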
Surprisingly, I had a case where my chained certificate had such a silly mistake:

-----END CERTIFICATE----------BEGIN CERTIFICATE-----

instead of

-----END CERTIFICATE----- -----BEGIN CERTIFICATE-----

Muggy answered 17/2, 2020 at 13:57 Comment(1)
It's incredible. I launched the cat command as well and it made the same error, and I was going crazy trying to understand why it was not working! Thank you so much. - Permanency
I had the same problem (same error message) when storing a private key (to sign an email in swiftmailer). It was working and suddenly it stopped working.

What happened is that in the beginning, as I was just testing, I didn't worry about formatting the code. After testing, I opted to put the key in a variable that would be returned by a function. With this, without noticing, I ended up inserting several tab characters in the key content, as you see in the image. It is best to save the content in a separate file, in which there are no unnecessary/extra characters.


Steato answered 23/7, 2019 at 6:35 Comment(1)
It seems like a really bad idea to have your private key embedded inside your code, btw. - Thoroughpaced
Friends, please!

DO NOT USE "cat AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt > /tmp/commercial_ca.crt".

This creates WRONG .crt files.

Just:

1. As root, copy and paste the certificate into a text file (save as commercial.crt) using Vi, nano or Notepad. Place this file in the following directory: /opt/zimbra/ssl/zimbra/commercial/

2. As root, open the CA bundle that you received in a ZIP file using a text editor (nano or Vi) and save it as commercial_ca.crt. Place this file in the following directory: /opt/zimbra/ssl/zimbra/commercial/

Verify as the Zimbra user in /opt/zimbra/ssl/zimbra/commercial/:

/opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt

Deploy as the Zimbra user in /tmp/:

/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

and

zmcontrol restart

Have fun! From https://ssl.comodo.com/support/certificate-installation---zimbra-server.php

  • In case you get permission errors, verify that you own the *.crt files with:

chown zimbra.zimbra /opt/zimbra/ssl/zimbra/commercial/*.crt (as root)

chmod 700 /opt/zimbra/ssl/zimbra/commercial/*.crt (as the zimbra user)

Dufresne answered 9/5, 2018 at 21:39 Comment(2)
What is zimbra, is it necessary? - Absorptance
It looks like it's just his user-name on that machine. - Downstairs
I was reading the key from a .env file. Surrounding the key with double quotes fixed the issue.

Gives error:

KEY=-----BEGIN PRIVATE KEY-----\nMIIJQgIB.....\n-----END PRIVATE KEY-----\n

Works:

KEY="-----BEGIN PRIVATE KEY-----\nMIIJQgIB.....\n-----END PRIVATE KEY-----\n"
Quennie answered 24/12, 2019 at 11:14 Comment(2)
I can see some newline chars in there, is that intentional? Does this also work when not keeping the key on a single line? - Intuitive
I was reading from .env with the key written across multiple lines. For me the error was caused by not having a trailing newline at the end of the quoted string. I used a script in my build step to add one automatically: [[ $KEY != *$'\n' ]] && KEY="${KEY}\n" - Kubiak
It works as follows (tls.crt):

-----BEGIN CERTIFICATE-----
the content of certificate.crt
the content of ca_bundle.crt
-----END CERTIFICATE-----
Marvelous answered 2/7, 2018 at 8:1 Comment(0)
If you generate the crt file with the command below, it will generate the wrong output.

cat yourdomain.crt yourdomain.ca-bundle >> cert_chain.crt

What you have to do is copy those file contents and paste them manually:

-----BEGIN CERTIFICATE-----
the content of yourdomain.crt
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
the content of yourdomain.ca_bundle.crt
-----END CERTIFICATE-----

Once you have completed this, test it with the following command:

openssl x509 -text -noout -in cert_chain.crt
Wollongong answered 10/10, 2019 at 2:30 Comment(0)
Another variation that can cause this error is having a blank line after the header or before the footer. For example:

-----BEGIN PRIVATE KEY-----

base64-encoded-stuff-here

-----END PRIVATE KEY-----

To resolve, remove the blank lines:

-----BEGIN PRIVATE KEY-----
base64-encoded-stuff-here
-----END PRIVATE KEY-----
Stethoscope answered 23/10, 2020 at 16:4 Comment(0)
I also had a similar issue when copying certificates from a Windows machine to RHEL 7. It seems that the intermediate and root certificates have a "^M" at the end of every line, which is only visible when viewing the certificate in vim.

Workaround I found was to edit the certificates and in vim run:

:%s/^M$//

This will delete all the ^M at the end of each line.

(to get ^M you will need to hold Ctrl+Shift and then v and m consecutively)

Faggoting answered 17/5, 2019 at 14:48 Comment(0)
When a PEM/CRT file contains a CA and sub-CA chain, be sure that -----END CERTIFICATE----- and -----BEGIN CERTIFICATE----- are not on the same line.

Winterkill answered 6/9, 2023 at 16:4 Comment(1)
Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. - Vadavaden
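Every failure reported in this thread is a line-level deviation from the RFC 7468 form: a dash dropped from a boundary (Alcyone's answer and the question itself), END and BEGIN fused on one line (Hog, Muggy and Winterkill), blank lines inside a block (Stethoscope), tabs in the body (Steato) and CRLF line endings (Faggoting). The linter below is an added example written for this page, not part of any answer; it walks a PEM text line by line and reports each of those problems with its line number, so the file can be fixed instead of guessed at. The regexes and messages are mine; the `bad end line` error from the question is the case where the END line fails the exact-boundary check here.

```python
import re

EXACT = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")   # RFC 7468 boundary line
LOOSE = re.compile(r"-+(BEGIN|END) ([A-Z0-9 ]+?)-+?")          # also finds damaged boundaries
B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def lint_pem(text):
    """Return [(line_number, problem), ...] for a PEM text; [] means it is well formed."""
    problems = []
    label = None                                   # label of the block we are inside
    no = 0
    for no, raw in enumerate(text.split("\n"), start=1):
        if raw.endswith("\r"):
            problems.append((no, "line ends with CR (Windows line ending, ^M in vim)"))
        line = raw.rstrip("\r")
        bounds = list(LOOSE.finditer(line))
        if len(bounds) > 1:
            problems.append((no, "two encapsulation boundaries on one line; "
                                 "put a newline between END and BEGIN"))
            last = bounds[-1]                      # keep state consistent with what follows
            label = last.group(2) if last.group(1) == "BEGIN" else None
            continue
        if bounds:
            kind, name = bounds[0].group(1), bounds[0].group(2)
            if not EXACT.match(line):
                core = line.strip()
                lead = len(core) - len(core.lstrip("-"))
                trail = len(core) - len(core.rstrip("-"))
                why = ("surrounding whitespace" if core != line
                       else f"{lead} leading and {trail} trailing dashes")
                problems.append((no, f"{kind} line must be exactly -----{kind} {name}----- (found {why})"))
            if kind == "BEGIN":
                if label is not None:
                    problems.append((no, f"BEGIN {name} while still inside {label} (END line missing)"))
                label = name
            else:
                if label is None:
                    problems.append((no, f"END {name} without a matching BEGIN"))
                elif name != label:
                    problems.append((no, f"END {name} does not match BEGIN {label}"))
                label = None
            continue
        if label is None:
            continue                               # text outside blocks is skipped by PEM readers
        if line.strip() == "":
            problems.append((no, f"blank line inside {label} block"))
        elif line != line.strip():
            problems.append((no, "leading or trailing whitespace (tab/space) on a base64 line"))
        elif not B64.match(line):
            problems.append((no, "line is not valid base64"))
    if label is not None:
        problems.append((no, f"text ends inside {label} block (END line missing)"))
    return problems


if __name__ == "__main__":
    # Constructed sample: the body is just base64 of "ABCD", the END line lacks a dash
    # and the next block starts on the same line, as produced by `cat` in this thread.
    sample = ("-----BEGIN CERTIFICATE-----\nQUJDRA==\n"
              "-----END CERTIFICATE----------BEGIN CERTIFICATE-----\n"
              "\tQUJDRA==\n\n-----END CERTIFICATE----\n")
    for lineno, problem in lint_pem(sample):
        print(f"line {lineno}: {problem}")
```

Run it as `python lint_pem.py < file` after wrapping `lint_pem(sys.stdin.read())`, or import it from a deployment check; an empty result is the precondition for `openssl x509 -in file -noout` to succeed on each block.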

© 2022 - 2024 — McMap. All rights reserved.