SSL Error - unable to read server certificate from file

I've been setting up SSL for my domain today, and have struck another issue I was hoping someone could shed some light on.

I keep receiving the following error messages:

[error] Init: Unable to read server certificate from file /etc/apache2/domain.com.ssl/domain.com.crt/domain.com.crt
[error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

I'm running Apache 2.2.16 and Ubuntu 10.10. My .crt file has the Begin and End tags, and has been copied exactly from the confirmation email I received. Very frustrating!

Cheers!

Edit >> When trying to verify the .crt, it doesn't seem to work:

>> openssl x509 -noout -text -in domain.com.crt 
unable to load certificate
16851:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE

Also >>

>> openssl x509 -text -inform PEM -in domain.com.crt
unable to load certificate
21321:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
>> openssl x509 -text -inform DER -in domain.com.crt
unable to load certificate
21325:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1316:
21325:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509

Edit >> (Cheers for the help, by the way)

>> grep '^-----' domain.com.crt
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

I just emailed the company providing the certificate; they responded:

I have checked the CSR file that you have provided and I can assure you that this was correctly generated. The error that you are currently encountering is caused by using the wrong command line for installing the CSR. You will need to modify this domain.com.crt from your command line with the corresponding name of your domain.

  • Currently the crt is set up as mysite.com.crt; I've used domain.com.crt as an example.

Is it possible that the lines are ^M-terminated? This is a potential issue when moving files from Windows to UNIX systems. One easy way to check is to use vi in "show me the binary" mode, with vi -b /etc/apache2/domain.ssl/domain.ssl.crt/domain.com.crt.

If each line ends with a control-M, like this

-----BEGIN CERTIFICATE-----^M
MIIDITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBM^M
MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg^M
THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0wOTEyMTgwMDAwMDBaFw0x^M

you've got a file in Windows line-terminated format, and Apache doesn't love those.

Your options include moving the file over again, taking more care; or using the dos2unix command to strip those out; you can also remove them inside vi, if you're careful.


Edit: thanks to @dave_thompson_085, who points out that this answer no longer applies in 2019. That is, Apache/OpenSSL are now tolerant of ^M-terminated lines, so they don't cause problems. That said, other formatting errors, several different examples of which appear in the comments, can still cause problems; check carefully for these if the certificate has been moved across systems.


For anyone arriving at this page with a similar error when trying to read a Certificate Signing Request (CSR) (note that OP is reading a certificate): make sure to use the right OpenSSL command. x509 is for certificates and req is for CSRs:

openssl req -in server.csr -text -noout

vs

openssl x509 -in server.crt -text -noout

>> openssl x509 -noout -text -in domain.com.crt 
unable to load certificate
16851:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE

I suspect that you have a problem with the format of the certificate.

Run both of the following two commands and give us the output:

openssl x509 -text -inform DER -in domain.com.crt 
openssl x509 -text -inform PEM -in domain.com.crt
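The formatting checks these answers suggest (^M line endings, stray characters or a missing marker line, a CSR or a DER file handed to 'openssl x509') gathered into one script. This is an added example, not code from any of the answers; the certificate body it tests on is a constructed five-byte ASN.1 SEQUENCE, not a real certificate, and the list of accepted header labels is assumed.

```python
import base64
import re
# Header labels OpenSSL's x509 command accepts; the error above names one of them.
CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE", "X509 CERTIFICATE"}
MARKER = re.compile(rb"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

def inspect_pem(data: bytes) -> list:
    """Return findings that explain why a certificate file may not load."""
    findings = []
    if data.startswith(b"\xef\xbb\xbf"):      # BOM left by a Windows editor
        findings.append("UTF-8 BOM before the BEGIN line")
        data = data[3:]
    if b"\r" in data:                         # the ^M case from the answer above
        findings.append("CR or CRLF (^M) line endings")
    lines = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n").split(b"\n")
    begin, end, body = None, None, []
    for line in lines:
        m = MARKER.match(line.strip())
        if m and m.group(1) == b"BEGIN":
            begin = m.group(2).decode()
        elif m:
            end = m.group(2).decode()
        elif begin is not None and end is None and line.strip():
            body.append(line.strip())
    if begin is None:
        if data[:1] == b"\x30":               # DER starts with an ASN.1 SEQUENCE tag
            findings.append("no PEM header; file looks like DER (try -inform DER)")
        else:
            findings.append("no '-----BEGIN ...-----' line found")
        return findings
    if begin not in CERT_LABELS:              # e.g. a CSR handed to 'openssl x509'
        findings.append(f"header label {begin!r} is not a certificate label")
    if end != begin:                          # truncated or mixed-up file
        findings.append(f"END label {end!r} does not match BEGIN label {begin!r}")
    try:
        der = base64.b64decode(b"".join(body), validate=True)
    except ValueError:
        findings.append("body is not valid base64 (stray characters or broken lines)")
        return findings
    if der[:1] != b"\x30":
        findings.append("decoded body does not start with an ASN.1 SEQUENCE (0x30)")
    return findings
# Constructed samples: the base64 is a 5-byte ASN.1 SEQUENCE, not a real certificate.
CLEAN = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
CRLF = CLEAN.replace(b"\n", b"\r\n")
DER = base64.b64decode(b"MAMCAQE=")
CSR = CLEAN.replace(b"CERTIFICATE", b"CERTIFICATE REQUEST")
if __name__ == "__main__":
    for name, sample in [("clean", CLEAN), ("crlf", CRLF), ("der", DER), ("csr", CSR)]:
        print(name, inspect_pem(sample) or ["no formatting problems found"])
```

Run it as 'python3 inspect_pem.py' for the built-in samples, or call inspect_pem(open(path, "rb").read()) on the .crt that Apache rejects.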