Score:0

Certificate works when a space is added to it, why?


We have generated a certificate via Letsencrypt and are trying to use it via nginx, but we get a weird error:

cannot load certificate "/home/path/site.pem": PEM_read_bio_X509_AUX() failed

The solution we found was to add a space in front of the certificate (notice the space in front of the cert) (also note that I have changed the content of the cert for security).

-----BEGIN CERTIFICATE-----
 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
-----END CERTIFICATE-----

What is wrong with the cert, why does it work after adding a space?

HBruijn
The space character is not part of base64 and should, as a non-conforming character, be completely ignored by a proper PEM parser (RFC 7468), but that also requires that a generator must wrap a base64-encoded line at 64 characters, so a single-line certificate looks strange to me.
HBruijn
A quick search (from my mobile) suggests that `PEM_read_bio_X509_AUX` is a function associated with reading a private key rather than a certificate; is your configuration reading your certificate where it should be pointing to a private key?
dave_thompson_085
@HBruijn: no, `PEM_read[_bio]_X509_AUX` nominally reads an OpenSSL-modified certificate format labelled 'TRUSTED CERTIFICATE'; it also accepts a standard certificate. It never reads a private key (or a bare public key either). Like all PEM_read routines, it will _skip over_ PEM blocks that aren't the desired type, and some programs put both privatekey and cert in one file, sometimes plus chain cert(s), and then use PEM_read_X509[_AUX] and PEM_read_[type]PrivateKey to read them separately or PEM_X509_INFO_read to read both/all of them.
Score:1

Without further information it looks like a Copy and Paste issue. Shouldn't the certificate look like

-----BEGIN CERTIFICATE-----
MIIF8DCCBNigAwIBAgISA08f2YsQTxMkdjKqHcKSZcDEMA0GCSqGSIb3DQEBCwUA
...
5b3EGib8sGrkDbg9OCCrg6qj6Cf
-----END CERTIFICATE-----

with max. 64 characters in a line?

Whereby the first lines look quite OK using something like

~/test$ Base64encodedString='MIIF8DCCBNigAwIBAgISA08f2YsQTxMkdjKqHcKSZcDEMA0GCSqGSIb3DQEBCwUAMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD'
~/test$ echo -n ${Base64encodedString} | base64 --decode | hexdump -C
00000000  30 82 05 f0 30 82 04 d8  a0 03 02 01 02 02 12 03  |0...0...........|
00000010  4f 1f d9 8b 10 4f 13 24  76 32 aa 1d c2 92 65 c0  |O....O.$v2....e.|
00000020  c4 30 0d 06 09 2a 86 48  86 f7 0d 01 01 0b 05 00  |.0...*.H........|
00000030  30 32 31 0b 30 09 06 03  55 04 06 13 02 55 53 31  |021.0...U....US1|
00000040  16 30 14 06 03 55 04 0a  13 0d 4c 65 74 27 73 20  |.0...U....Let's |
00000050  45 6e 63 72 79 70 74 31  0b 30 09 06 03 55 04 03  |Encrypt1.0...U..|
00000060  30 32 31 0b 30 09 06 03  55 04 06 13 02 55 53 31  |021.0...U....US1|
00000070  16 30 14 06 03 55 04 0a  13 0d 4c 65 74 27 73 20  |.0...U....Let's |
00000080  45 6e 63 72 79 70 74 31  0b 30 09 06 03 55 04 03  |Encrypt1.0...U..|
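
An added example, not part of the answer above: a small linter that checks one CERTIFICATE block for the formatting points raised in this thread (exact five-dash boundary lines, whitespace around body lines, wrapping at 64 characters, and whether the decoded bytes form one complete DER SEQUENCE), plus a `wrap` helper that re-emits a body wrapped at 64 characters. The names `lint_pem`, `der_length`, `wrap` and `SAMPLE_DER` are this example's own, and the sample data is constructed rather than a real certificate.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Constructed sample: a 260-byte dummy DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)


def der_length(der):
    """Total length implied by the outer DER SEQUENCE header, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                      # short form: length fits in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def lint_pem(text):
    """Return a list of findings for one CERTIFICATE block; an empty list means clean."""
    lines = text.splitlines()
    findings = [f"missing or malformed {name} line"
                for name, marker in (("BEGIN", BEGIN), ("END", END)) if marker not in lines]
    if findings:
        return findings
    body = lines[lines.index(BEGIN) + 1:lines.index(END)]
    for i, line in enumerate(body, 1):
        if line != line.strip():
            findings.append(f"body line {i}: leading/trailing whitespace")
        if len(line.strip()) > 64:
            findings.append(f"body line {i}: longer than 64 characters")
        elif len(line.strip()) < 64 and i != len(body):
            findings.append(f"body line {i}: short line before the last line")
    try:
        der = base64.b64decode("".join(l.strip() for l in body), validate=True)
    except ValueError:                     # binascii.Error is a ValueError subclass
        return findings + ["body is not valid base64"]
    if der_length(der) != len(der):
        findings.append("decoded data is not one complete DER SEQUENCE")
    return findings


def wrap(der, width=64):
    """Encode DER as a CERTIFICATE block with base64 wrapped at `width` characters."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\n".join([BEGIN, *rows, END]) + "\n"
```
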