Failed to install certificate : Missing or invalid signed SSL certificate : Line 28 does not look like PEM format

Hello,

We have an SSL cert from GeoTrust that we cannot import. Whether we use the option to "paste" the cert and key or "file on server" it always ends up with this error:

"Failed to install certificate : Missing or invalid signed SSL certificate : Line 28 does not look like PEM format"

Line 28 of the ssl.cert is: -----END CERTIFICATE-----

I checked and there are no blank spaces in the file, in fact the files have been copied from a plesk machine where both Nginx and Apache were using happily.

Any ideas?

Lucian

Status: 
Active

Comments

Howdy -- would it be possible to paste in the full SSL Certificate?

It's possible there's another issue with another part of the cert.

Howdy,

Unfortunately due to privacy reasons I would rather not share the certificate.

The thing is Apache loads it quite happily (key, cert and chain) and no issues with any browsers, so it must be "correct".

Could this be related to webmin's perl modules dealing with ssl? Which module should I try to upgrade?

Webmin/Virtualmin does some validation checks on that file to ensure that it appears to be a valid SSL certificate, before installing it.

It's possible that one of those checks isn't working properly, and is generating a false positive. There could also be something else going awry.

We can look into that deeper to ensure that there isn't a bug, but we'd unfortunately need to see the SSL certificate (and later, possibly the SSL key) in order to do that. Otherwise we won't know what's tripping that up.

We'd be happy to mark your request as private if that helps, meaning only the Virtualmin staff can see that.

Could you instead post just the first and last two lines of the cert?

Jamie,

First line:

-----BEGIN CERTIFICATE-----

Last 2 lines:

5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
-----END CERTIFICATE-----

The crt file in question contains 3 BEGIN/END sections.

Is there a way to work around this?

"openssl x509 -in ssl.cert -text -noout" doesn't complain about anything, can't this tool be used instead for validation?

The crt file in question contains 3 BEGIN/END sections.

Oh dear, that's the problem... Plesk has bundled the cert and the ca together in one file, that's why Virtualmin was failing on the checks.

I was copy/pasting from the cert files included in the Plesk nginx/apache verbatim.

So it's not a bug, but functionality could perhaps be added to avoid this kind of confusions?

This was a tricky one, especially as Apache loads that up just fine.

Thanks a lot,

Lucian

I got the same error, the solution where

cd /home/[domain]
mv ssl.* /tmp

.. go to Edit Virtual Server Disable apache ssl feature enable it again virtual min will create new ssl, after that you can go and request let's encrypt SSL

Ilia's picture
Submitted by Ilia on Wed, 11/18/2020 - 08:38

I got the same error, the solution where cd /home/[domain] mv ssl.* /tmp go to Edit Virtual Server Disable apache ssl feature enable it again virtual min will create new ssl, after that you can go and request let's encrypt SSL

Yes, correct. We just discussed it internally with Jamie, and we agreed to work around this.

steinner's picture
Submitted by steinner on Fri, 01/29/2021 - 08:19 Pro Licensee

Hello all,

Just have same problem:

I tried to actualise Let's encrypt cert, and it didn't work. So i tryed to stop and restart as :"Apache SSL website enabled?" and not working, it return :

""Adding new SSL virtual website .. .. certificate file is not valid : Line 33 does not look like PEM format""

Don't know what can i do ? Many thanks :/

steinner's picture
Submitted by steinner on Fri, 01/29/2021 - 09:51 Pro Licensee

Ok Illia , sorry for my dummy experience on ssh... but, whan i enter: "root@s58462:~# cd /home/audio.agape.press mv ssl.* /tmp" It return: " -bash: cd: too many arguments " aï Aï aï :/

Ilia's picture
Submitted by Ilia on Fri, 01/29/2021 - 09:59

Try:

cd /home/audio.agape.press
mv ssl.* /home/audio.agape.press/tmp

or

cd /home/audio.agape.press && mv ssl.* /home/audio.agape.press/tmp
steinner's picture
Submitted by steinner on Fri, 01/29/2021 - 10:01 Pro Licensee

Yeees, i did it, understoof the mv app hihi sorry thanks again to you and @doonfrs ;)

jimr's picture
Submitted by jimr on Fri, 01/29/2021 - 10:03 Pro Licensee

 cd /home/audio.agape.press     press your enter key        mv ssl.* /tmp  press your  enter key
steinner's picture
Submitted by steinner on Fri, 01/29/2021 - 10:09 Pro Licensee

Maybe last question here i hope...

the apache ssl service came back, but... when i Request new let's encrypt Certificate it return: ""request failed : Web-based validation failed : Failed to request certificate : Traceback (most recent call last): File "/usr/share/webmin/webmin/acme_tiny.py", line 198, in main(sys.argv[1:]) File "/usr/share/webmin/webmin/acme_tiny.py", line 194, in main signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact) File "/usr/share/webmin/webmin/acme_tiny.py", line 149, in get_crt raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization)) ValueError: Challenge did not pass for audio.agape.press: {'identifier': {'type': 'dns', 'value': 'audio.agape.press'}, 'status': 'invalid', 'expires': '2021-02-05T16:03:26Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:unauthorized', 'detail': 'Invalid response from https://audio.agape.press/.well-known/acme-challenge/8q_7DAcotQ7WCtDtuCH... [212.32.255.6]: "\n\n \n \n\n <title class=\"dst\""', 'status': 403}, 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/10451305730/35z_JA', 'token': '8q_7DAcotQ7WCtDtuCHMIUAs_D5-OL7Ake7WdjuVcUQ', 'validationRecord': [{'url': 'http://audio.agape.press/.well-known/acme-challenge/8q_7DAcotQ7WCtDtuCHM...', 'hostname': 'audio.agape.press', 'port': '80', 'addressesResolved': ['212.32.255.6'], 'addressUsed': '212.32.255.6'}, {'url': 'https://audio.agape.press/.well-known/acme-challenge/8q_7DAcotQ7WCtDtuCH...', 'hostname': 'audio.agape.press', 'port': '443', 'addressesResolved': ['212.32.255.6'], 'addressUsed': '212.32.255.6'}]}]} ""

I supose you know that as your ... heuu "foot" ? ;)

Ilia's picture
Submitted by Ilia on Fri, 01/29/2021 - 10:15

I supose you know that as your ... heuu "foot" ? ;)

Install certbot package please:

Debain/Ubuntu:

apt-get install certbot

CentOS/RHEL

dnf install certbot
steinner's picture
Submitted by steinner on Fri, 01/29/2021 - 10:38 Pro Licensee

Howdy, Ok @Illia, @Jimr and @doonfrs,

You are wonderfull, present when we need, and intelligent as.. we are not hihi ;) anyway, with " mv ssl.* " and " certbot " the bigest problem of ssl complexities are fuckef wiiiith ?? VIRTUALMIN and Staff!!!! YEEAAHHHHHH 6à website just be saved from you guyy. I m sure to have a big 20 21 with you HPN Stef

steinner's picture
Submitted by steinner on Fri, 01/29/2021 - 10:45 Pro Licensee

Congratulations to @Illia, @jimr & @doonfrs, aaand... Virtualmin of course!

PERFECT, with "mv ssl.*" and "certbot" the biggest complexities of ssl config was fucked. I'am becoming and feeling in security with this amazing staff. ( 60 Websites on Virtualmin ) Is the first time since 2016 a feelin that. So Many, many & many thanks, my 2021 will be great. Have nice new year to all of you Stef.