
cannot read PEM key file - no start line


Liz Fall

Sep 7, 2014, 10:26:05 PM

All,

 

I am getting the following with my client cert when trying to connect to an SSL-enabled MongoDB:

 

2014-09-03T13:37:56.881-0500 ERROR: cannot read PEM key file: /users/apps/tstlrn/u019807/DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_wells.pem error:0906D06C:PEM routines:PEM_read_bio:no start line

 

The cert file is the following:

 

• DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_wells.pem
• WF Enterprise CA 02 certificate, signed by WF Root
• WF Root certificate

 

 

I was told by the support at MongoDB to do the following:

 

• Copy the certificates into a text editor to ensure there is no whitespace

• Ensure the beginning and end certificate statements are on their own line and have the same number of '-' at each end.

• Ensure each line has 64 chars (except the last line)

 

I have checked and verified that there is no whitespace.  Also, the BEGIN and END statements look correct.  However, each line in the cert is 76 chars in length, except for the last line.  Should the lines be 64-characters long?

 

Can someone please help me?

 

Thanks,

Liz

 




This email is free from viruses and malware because avast! Antivirus protection is active.


Jeffrey Walton

Sep 8, 2014, 3:39:32 AM
On Sun, Sep 7, 2014 at 10:26 PM, Liz Fall <fa...@sbcglobal.net> wrote:

> I am getting the following with my client cert when trying to connect to an SSL-enabled MongoDB:
>
> 2014-09-03T13:37:56.881-0500 ERROR: cannot read PEM key file: /users/apps/tstlrn/u019807/DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_wells.pem error:0906D06C:PEM routines:PEM_read_bio:no start line
>
> The cert file is the following:
>
> • DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_wells.pem
> • WF Enterprise CA 02 certificate, signed by WF Root
> • WF Root certificate

You should probably post the certificate somewhere so others can examine it.

> I was told by the support at MongoDB to do the following:
>
> • Copy the certificates into a text editor to ensure there is no whitespace
> • Ensure the beginning and end certificate statements are on their own line and have the same number of '-' at each end.
> • Ensure each line has 64 chars (except the last line)

I don't believe OpenSSL has these restrictions.

Are they MongoDB requirements?

> I have checked and verified that there is no whitespace.  Also, the BEGIN and END statements look correct.  However, each line in the cert is 76 chars in length, except for the last line.  Should the lines be 64-characters long?


The following will tell you if the problem is with the certificate or lies elsewhere.

    openssl x509 -in ...bank.corp_mongo_wells.pem -inform PEM -text -noout

You can also try -inform DER if the certificate is ASN.1/DER encoded. If it is, then convert it from DER to PEM.

If you can dump the certificate, then the certificate is probably OK and the problem likely lies elsewhere.

Jeff

Viktor Dukhovni

Sep 8, 2014, 8:41:32 AM
On Sun, Sep 07, 2014 at 07:26:05PM -0700, Liz Fall wrote:

> I have checked and verified that there is no whitespace. Also, the BEGIN
> and END statements look correct. However, each line in the cert is 76 chars
> in length, except for the last line. Should the lines be 64-characters
> long?

Yes. The OpenSSL base64 decoder limits input lines to 64 characters.

--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Michael Sierchio

Sep 8, 2014, 8:59:22 AM
On Sun, Sep 7, 2014 at 10:26 PM, Liz Fall <fa...@sbcglobal.net> wrote:

> I am getting the following with my client cert when trying to connect to an SSL-enabled MongoDB:
>
> 2014-09-03T13:37:56.881-0500 ERROR: cannot read PEM key file: /users/apps/tstlrn/u019807/DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_wells.pem error:0906D06C:PEM routines:PEM_read_bio:no start line
>
> The cert file is the following:

Cert file or key file? The error indicates that the client can't find
the private key.

> free from viruses and malware because avast! Antivirus protection is active.

Thanks for that amusing bit of insight.

- M

Jeffrey Walton

Sep 9, 2014, 8:08:32 AM
On Sun, Sep 7, 2014 at 10:26 PM, Liz Fall <fa...@sbcglobal.net> wrote:

> All,
>
> I am getting the following with my client cert when trying to connect to an SSL-enabled MongoDB:
>
> 2014-09-03T13:37:56.881-0500 ERROR: cannot read PEM key file: /users/apps/tstlrn/u019807/DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_wells.pem error:0906D06C:PEM routines:PEM_read_bio:no start line

I just tried to duplicate with a key (not a certificate) that uses line breaks at 76 characters. I don't have a certificate because my routines don't support certificates. But it should reveal a little about the OpenSSL parser.

Reading the public and private keys was OK when the line size was 76 (see below). So the OpenSSL parser is lenient during a read. This seems very reasonable to me.

Reading an encrypted private key resulted in an error "PEM_read_bio:bad end line:pem_lib.c:802" when the line size was 76 (see below). This kind of surprised me.

Since you are receiving the "no start line" error (and not another error), I would suspect you are reading an ASN.1/DER encoded certificate, and not a PEM encoded certificate. The error occurred before anything related to line lengths.

Can you post the X509 certificate for inspection?

Jeff

**********

# Line breaks at 76
$ cat rsa-pub-xxx.pem
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDse17vxd2lkVIxwt1gkipo0EZo3NdDhIvPRowZ
6hfRM1n3+8NlS4Qw76PvM1EMR9FXCFTBtv9zzZ7OkNH84LgG6mbNS28PuWeUFmMZumdLbT4KNu2U
pttFup08OUEIlrmkeP1GqMCfaVcbCfl0tScpCMeEhXUpiIvtzUin2kqGHQIDAQAB
-----END PUBLIC KEY-----

# Line breaks at 76
$ cat rsa-priv-xxx.pem
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

# Line breaks at 76, password is "test"
$ cat rsa-enc-priv-xxx.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,8878824B00BA92932DC5AA1E4A9F12E0
[...]
-----END RSA PRIVATE KEY-----

$ openssl rsa -in rsa-pub-xxx.pem -pubin -text -noout
Public-Key: (1024 bit)
Modulus:
    00:ec:7b:5e:ef:c5:dd:a5:91:52:31:c2:dd:60:92:
    2a:68:d0:46:68:dc:d7:43:84:8b:cf:46:8c:19:ea:
    17:d1:33:59:f7:fb:c3:65:4b:84:30:ef:a3:ef:33:
    51:0c:47:d1:57:08:54:c1:b6:ff:73:cd:9e:ce:90:
    d1:fc:e0:b8:06:ea:66:cd:4b:6f:0f:b9:67:94:16:
    63:19:ba:67:4b:6d:3e:0a:36:ed:94:a6:db:45:ba:
    9d:3c:39:41:08:96:b9:a4:78:fd:46:a8:c0:9f:69:
    57:1b:09:f9:74:b5:27:29:08:c7:84:85:75:29:88:
    8b:ed:cd:48:a7:da:4a:86:1d
Exponent: 65537 (0x10001)

$ openssl rsa -in rsa-priv-xxx.pem -text -noout
Private-Key: (1024 bit)

$ openssl rsa -in rsa-enc-priv-xxx.pem -passin pass:test -text -noout
unable to load Private Key
140735192314332:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:802:
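
An added example, not part of the thread and not OpenSSL or MongoDB code: a standard-library Python check for the three questions raised in the replies above (is the file DER rather than PEM, does it hold a private key or only certificates, how long are its base64 lines), plus a re-wrap to 64-character lines. The function names and the sample bytes are constructed for illustration; the sample is not a real certificate.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def inspect_pem(data: bytes) -> dict:
    """Report encoding, block labels and longest base64 line of a file."""
    report = {"encoding": "unknown", "labels": [], "max_line": 0,
              "has_private_key": False, "has_certificate": False}
    # DER starts with an ASN.1 SEQUENCE tag (0x30) and has no "-----BEGIN"
    # line, which is what a PEM reader reports as "no start line".
    if data[:1] == b"\x30":
        report["encoding"] = "DER"
        return report
    text = data.decode("ascii", errors="replace")
    for label, body in PEM_BLOCK.findall(text):
        report["encoding"] = "PEM"
        report["labels"].append(label)
        # Skip encapsulated headers such as "Proc-Type:" and "DEK-Info:".
        b64 = [l for l in body.splitlines() if l and ":" not in l]
        report["max_line"] = max([report["max_line"]] + [len(l) for l in b64])
    report["has_private_key"] = any(
        l.endswith("PRIVATE KEY") for l in report["labels"])
    report["has_certificate"] = "CERTIFICATE" in report["labels"]
    return report

def rewrap(data: bytes, width: int = 64) -> bytes:
    """Re-emit every PEM block with base64 lines of `width` characters."""
    def fix(m):
        label, lines = m.group(1), m.group(2).splitlines()
        headers = [l for l in lines if ":" in l]
        b64 = "".join(l.strip() for l in lines if l and ":" not in l)
        wrapped = [b64[i:i + width] for i in range(0, len(b64), width)]
        if headers:
            headers.append("")  # blank line separates headers from data
        return "\n".join([f"-----BEGIN {label}-----", *headers, *wrapped,
                          f"-----END {label}-----"])
    return PEM_BLOCK.sub(fix, data.decode("ascii")).encode("ascii")

# Constructed sample: arbitrary bytes (not a certificate) wrapped at 76.
PAYLOAD = b"\x30\x81\xc5" + bytes(range(197))
_b64 = base64.b64encode(PAYLOAD).decode()
SAMPLE_76 = ("-----BEGIN CERTIFICATE-----\n"
             + "\n".join(_b64[i:i + 76] for i in range(0, len(_b64), 76))
             + "\n-----END CERTIFICATE-----\n").encode()

if __name__ == "__main__":
    for blob in (SAMPLE_76, rewrap(SAMPLE_76), PAYLOAD):
        print(inspect_pem(blob))
```

Run `inspect_pem` on the bytes of the file named in the error message: `encoding` of `DER`, or `has_private_key` of `False`, points away from line length as the cause.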
