Forum OpenACS Q&A: nsssl error

Posted by Benjamin Brink on
Hi,

I've been using a self-signed certificate with nsssl with no issues.

However, I am getting an error when trying a CA signed certificate:

Error: nsssl: private key load error [error:0906D06C:PEM routines:PEM_read_bio:no start line]

I'm trying letsencrypt.org's certificate with its acme standard certificate renewal process. (Pretty neat concept.)

letsencrypt provides a cert.pem, chain.pem, fullchain.pem and privkey.pem.

fullchain.pem contains cert.pem and chain.pem

So in nsd's config.tcl section for nsssl:
ns_param certificate ${serverroot}/etc/certs/or97.net/fullchain.pem

Searching around, the issue might be related to openssl not tolerating a cert file saved in double-byte Unicode.

Does nsssl have this limitation?

Any suggestions on how to fix?

2: Re: nsssl error (response to 1)
Posted by Benjamin Brink on
The following iconv didn't change the symptoms or appear to change the file, diff was identical and same file size.

iconv -f UTF-8 -t iso8859-1 fullchain.pem-orig > fullchain.pem
3: Re: nsssl error (response to 1)
Posted by Benjamin Brink on
To rule out any permissions issue, the fullchain.pem was tried in the same name, location and with same permissions as the self-signed certificate. The error has not changed.

The self signed certificate continues to work.

4: Re: nsssl error (response to 1)
Posted by Benjamin Brink on
Eh, privkey.pem has to be appended to fullchain.pem.

Thank you for your time reading this.
New Year's cheers!
Ben

5: Re: nsssl error (response to 1)
Posted by Andrew Piskorski on
Benjamin, thanks for posting that. With your explanation, plus this hint on StackOverflow that certificate order matters, I got nsssl working for me. In one file, I put my certificate, my private key, and then my vendor's CA cert, in that order. Initially I had the CA cert first, which broke things.
6: Re: nsssl error (response to 1)
Posted by Benjamin Brink on
Thank you, Andrew. I'm glad you found it useful. StackOverflow is one of my favorite sources for diagnostics.
cheers,
Ben
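
Added example, not part of the original posts: a shell sketch that builds the single file described in posts 4 and 5 (certificate, then private key, then CA chain) from the Let's Encrypt files and checks the block order before nsd is pointed at it. The function names and the output file name are hypothetical.

```shell
#!/bin/sh
# Added example: build and check the combined PEM file from posts 4 and 5.
# Function names are hypothetical. The check looks at block types only, so it
# cannot tell a leaf certificate from a CA certificate.

# Print the certificate/key blocks of a PEM file in order, e.g. "CERT,KEY,CERT".
pem_block_order() {
    sed -n -e 's/^-----BEGIN CERTIFICATE-----[[:space:]]*$/CERT/p' \
           -e 's/^-----BEGIN .*PRIVATE KEY-----[[:space:]]*$/KEY/p' "$1" |
        paste -sd, -
}

# Return 0 if the layout is CERT,KEY[,CERT...]; 1 if there is no private key
# block (the fullchain.pem-only case from post 1); 2 if the order is wrong.
check_nsssl_pem() {
    order=$(pem_block_order "$1")
    case "$order" in
        *KEY*) ;;
        *) echo "$1: no private key block" >&2; return 1 ;;
    esac
    rest=${order#CERT,KEY}
    if [ "$rest" = "$order" ] ||
       [ -n "$(printf '%s' "$rest" | sed 's/,CERT//g')" ]; then
        echo "$1: block order is $order, expected CERT,KEY[,CERT...]" >&2
        return 2
    fi
    return 0
}

# Usage: build_nsssl_pem cert.pem privkey.pem chain.pem server.pem
build_nsssl_pem() {
    (
        umask 077                 # the output file contains the private key
        for part in "$1" "$2" "$3"; do
            cat "$part" || exit 1
            echo                  # guard against a part with no trailing newline
        done > "$4"
    ) && check_nsssl_pem "$4"
}
```

Because the check cannot distinguish the server certificate from the CA certificate, pass the files in the order shown in the usage comment.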