Certificate is not a valid PEM certificate

Hi

Tried to install my custom SSL certificate. It's a GoDaddy cert.
I pasted my cert and private key then downloaded GoDaddy cert chain for intermediate certs.

However I can’t send the form because it says: certificate is not a valid PEM certificate

However if I put my cert to a PEM validator everything seems fine.

Any ideas?

Hard to say without being able to see your certificate. I know that feature works since I just added a test certificate to a test site successfully, but also not sure why you’d use a GoDaddy certificate instead of ours?

Below you’ll see demonstrated the formats your certificates should have. Note that each should line-wrap at exactly the 64th character for the body of the keys or certificates and have no escape characters before the line breaks:

hc3nnKTe9/oyXiU1vnWJj4AwBHcBBn3GtfooChNteiuoRVlQqRaNHqxwiqeSYea/
kXw5DFfRofOnG1076lJCEWLY39/WaQIDAQABAoICACh4M8hCQv+vShsONHZDaSaW

is an example from the middle of a fake certificate I generated just now. For headers and footers, you should have the following formats for each category:

CA Chain:

-----BEGIN CERTIFICATE-----
MIIFADC[...]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[...]

Cert PEM file:

-----BEGIN CERTIFICATE-----
MIIF[...]
-----END CERTIFICATE-----

Private Key:

-----BEGIN PRIVATE KEY-----
MC[...]
-----END PRIVATE KEY-----

You may need to request a different type of certificate from GoDaddy - you’d want something like apache/openssl.
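An added check for the format rules in the reply above (my own example, not code from Netlify or from anyone in this thread): it splits a pasted value into its armored blocks and verifies the BEGIN/END labels, the 64-column wrapping, that no escape characters leaked in, and that the body decodes as base64 into one DER SEQUENCE of the length its header claims. The expected labels are a parameter, so the same function checks the certificate field, the key field, and the chain (with min_blocks=2). The make_fake_pem input is constructed for the demo and is not a real certificate or key.

```python
import base64
import binascii
import re

# One ASCII-armored block: header line, base64 body, footer line (CRLF is normalised first).
ARMOR = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END ([A-Z0-9 ]+)-----", re.DOTALL)
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def der_total_length(der):
    """Length that a DER SEQUENCE header claims for the whole object, or None if the
    header is malformed. Certificates, CSRs and PKCS#8 keys are all outer SEQUENCEs,
    so a decoded body whose length disagrees with its header is truncated or not DER."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                         # short form: one length byte
        return 2 + first
    n = first & 0x7F                         # long form: n following length bytes
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_block(begin_label, body, end_label, expected_labels):
    """Problems with one armored block as a list of strings; empty means it looks fine."""
    problems = []
    if begin_label != end_label:
        problems.append(f"BEGIN label {begin_label!r} does not match END label {end_label!r}")
    if begin_label not in expected_labels:
        problems.append(f"block is {begin_label!r}, expected one of {expected_labels}")
    lines = body.split("\n")
    if any("\\" in line for line in lines):
        problems.append("escape characters (backslashes) found in the body")
    for i, line in enumerate(lines):
        if not B64_LINE.match(line):
            problems.append(f"body line {i + 1} is not base64")
        is_last = i == len(lines) - 1
        if (not is_last and len(line) != 64) or (is_last and not 1 <= len(line) <= 64):
            problems.append(f"body line {i + 1} is {len(line)} characters; expected 64-column wrapping")
    if problems:
        return problems
    try:
        der = base64.b64decode("".join(lines), validate=True)
    except binascii.Error as exc:
        return [f"body does not decode as base64: {exc}"]
    if der_total_length(der) != len(der):
        problems.append("decoded bytes are not one DER SEQUENCE of the length its header claims")
    return problems


def validate_pem(text, expected_labels, min_blocks=1):
    """Check every armored block in `text` (a cert, a key, or a whole chain).
    Returns (ok, problems); a chain passes min_blocks=2 only if it holds two or more certs."""
    if isinstance(expected_labels, str):
        expected_labels = (expected_labels,)
    blocks = ARMOR.findall(text.replace("\r\n", "\n"))
    problems = []
    if len(blocks) < min_blocks:
        problems.append(f"found {len(blocks)} armored block(s), expected at least {min_blocks}")
    for n, (begin, body, end) in enumerate(blocks, 1):
        problems += [f"block {n}: {p}" for p in check_block(begin, body, end, expected_labels)]
    return not problems, problems


def make_fake_pem(label="CERTIFICATE", payload_len=200, width=64):
    """Constructed test input: a DER SEQUENCE around dummy bytes, base64-armored.
    It is NOT a real certificate or key; it only exercises the structural checks."""
    payload = bytes(range(256))[:payload_len]
    der = b"\x30\x81" + bytes([payload_len]) + payload   # long-form length, valid for 128..255
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    cert = make_fake_pem()
    print("single cert:", validate_pem(cert, "CERTIFICATE"))
    print("two-cert chain:", validate_pem(cert + cert, "CERTIFICATE", min_blocks=2))
    print("PKCS7 pasted as key:", validate_pem(make_fake_pem("PKCS7"), ("PRIVATE KEY", "RSA PRIVATE KEY")))
    print("76-column wrapping:", validate_pem(make_fake_pem(width=76), "CERTIFICATE"))
    print("escaped newlines:", validate_pem(cert.replace("\n", "\\n"), "CERTIFICATE"))
```

This covers the structural rules only; whether the certificate is valid, matches the key, or chains to a trusted root is a job for openssl. The label check reports a block of the wrong kind in a field (a PKCS7 bundle, or an ENCRYPTED PRIVATE KEY where a plain PRIVATE KEY is expected, which is what `openssl pkcs12 -nocerts` writes unless you disable the passphrase), and that is the mix-up reported later in this thread: nothing wrong with the bytes, just the wrong file in the wrong box.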

So if my cert doesn’t start like you mentioned, might that be a clue that it has the wrong format?
eg: my PEM Cert starts like this: MIIG
private key starts: MI
CA: MIIEADC

Another question: does the mentioned error (“Certificate is not a valid PEM certificate”) indicate that specifically my Cert is wrong, or does it mean that my CERT/Key/CA Chain trio is wrong as a whole?

(btw: I don’t really want to use GoDaddy instead of Netlify’s out of the box solution… I just have to…:slight_smile: )

I am facing the same issue… If you find any solution, please let me know also.

Hi, @Stynson and @laZZySpiDer, the following guide describes how to make a PEM format certificate file manually:

https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm

this mig

You can also check the contents of a PEM file locally using openssl like so:

openssl x509 -text -noout -in /path/to/your/certificate-file.pem

You can also confirm the certificate chain is complete with this:

openssl verify /path/to/your/certificate-file.pem

Would you (both) please try testing the PEM file with openssl verify and let us know if it shows as valid?

Also, if you are interested in using the automatic Let’s Encrypt certificates instead, please let us know and we’ll be happy to assist with getting those working as an alternative if you prefer.

I ran openssl verify; it only said ‘OK’ after I added a GoDaddy intermediate cert via the -CAfile option.

openssl verify /path/to/your/certificate-file.pem

Results in: error 20 at 0 depth lookup:unable to get local issuer certificate

openssl verify -CAfile godaddy_intermediate.pem /path/to/your/certificate-file.pem

Results in OK
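Why openssl verify says “unable to get local issuer certificate” until the intermediate is supplied: the verifier walks from the leaf to the next certificate whose Subject equals the current certificate’s Issuer, and stops with that error when no such certificate is available. The following is an added example, not from this thread or from OpenSSL: a small Python script that extracts Subject and Issuer from each CERTIFICATE block in a leaf-first file (the layout an intermediate-certs field is expected to hold) and reports where the chain breaks. The fake_cert builder produces constructed, certificate-shaped DER with placeholder OIDs, key and signature for the demo; it is not a real certificate, and the script does no signature checking.

```python
import base64
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)


def tlv(der, offset):
    """Decode one DER tag/length at `offset`; return (tag, content_start, content_end)."""
    tag, length = der[offset], der[offset + 1]
    offset += 2
    if length & 0x80:                          # long-form length: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(der[offset:offset + n], "big")
        offset += n
    return tag, offset, offset + length


def subject_and_issuer(der):
    """Raw DER of the Subject and Issuer Name fields of an X.509 certificate.
    Names are compared byte-for-byte, which is how chain building matches them."""
    _, start, _ = tlv(der, 0)                  # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, start, end = tlv(der, start)            # tbsCertificate ::= SEQUENCE
    fields = []
    while start < end and len(fields) < 6:
        tag, _, content_end = tlv(der, start)
        fields.append((tag, der[start:content_end]))   # whole TLV, header included
        start = content_end
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version comes first
        fields.pop(0)
    # now: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[4][1], fields[2][1]


def check_chain_order(pem_text):
    """Leaf-first chain check: each certificate's issuer must be the subject of the next one.
    Returns (ok, messages); ok is False only on an ordering or missing-link mismatch."""
    certs = [base64.b64decode("".join(b.split())) for b in PEM_CERT.findall(pem_text)]
    if not certs:
        return False, ["no CERTIFICATE blocks found"]
    names = [subject_and_issuer(c) for c in certs]
    ok, messages = True, []
    for i in range(len(names) - 1):
        if names[i][1] != names[i + 1][0]:
            ok = False
            messages.append(f"cert {i + 1} was not issued by cert {i + 2}: chain is out of order or missing a link")
    last_subject, last_issuer = names[-1]
    if last_subject == last_issuer:
        messages.append(f"cert {len(names)} is self-signed (a root); the chain ends there")
    else:
        messages.append(f"cert {len(names)}'s issuer is not in this file; it must come from the verifier's trust store")
    return ok, messages


def der_encode(tag, content):
    """Minimal DER TLV encoder for the constructed test certificates (lengths below 65536)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def fake_cert(subject, issuer):
    """Constructed, certificate-shaped PEM with the real field layout but a dummy key and
    signature. Enough for the Name extraction above; NOT a valid certificate."""
    def name(cn):  # Name ::= SEQUENCE OF SET OF { commonName OID, UTF8String }
        rdn = der_encode(0x30, der_encode(0x06, b"\x55\x04\x03") + der_encode(0x0C, cn.encode()))
        return der_encode(0x30, der_encode(0x31, rdn))
    placeholder_alg = der_encode(0x30, der_encode(0x06, b"\x2a\x86\x48"))   # stand-in AlgorithmIdentifier
    validity = der_encode(0x30, der_encode(0x17, b"230101000000Z") + der_encode(0x17, b"240101000000Z"))
    tbs = der_encode(0x30,
                     der_encode(0xA0, der_encode(0x02, b"\x02"))   # [0] version v3
                     + der_encode(0x02, b"\x01")                   # serialNumber
                     + placeholder_alg                             # signature
                     + name(issuer) + validity + name(subject)
                     + der_encode(0x30, b"\x00" * 40))             # subjectPublicKeyInfo stand-in
    cert = der_encode(0x30, tbs + placeholder_alg + der_encode(0x03, b"\x00" * 33))  # + signatureValue
    b64 = base64.b64encode(cert).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    leaf = fake_cert("www.example.test", "Example Intermediate CA")
    intermediate = fake_cert("Example Intermediate CA", "Example Root CA")
    root = fake_cert("Example Root CA", "Example Root CA")
    print("leaf + intermediate:", check_chain_order(leaf + intermediate))
    print("intermediate + leaf:", check_chain_order(intermediate + leaf))
    print("leaf alone:", check_chain_order(leaf))
    print("leaf + intermediate + root:", check_chain_order(leaf + intermediate + root))
```

Run it over the certificate followed by the CA bundle to see whether the intermediate actually links to the leaf. One caveat on the openssl invocation above: -CAfile marks whatever it is given as trusted, so OK with the intermediate in -CAfile only proves the leaf chains to that intermediate; to test the full path to a system-trusted root, pass intermediates with -untrusted and keep -CAfile for the roots.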

Hi, @Stynson.

I believe this means that you will need to also include that intermediate SSL certificate in the “Intermediate certs” field when uploading your certificate. That is the third field in the following screenshot.

Are you copying data into all three fields? Again, the intermediate certificate should be in the third field.

If the certificate still doesn’t work when this is done, please let us know.

Yea, I included my CA certificate to the third field, the same one which validated OK with openssl verify…
also tried with and without the begin and end lines for all cases
(-----BEGIN CERTIFICATE----- etc. )

Hello- We are also seeing this issue when trying to import a GoDaddy cert. It is a wildcard cert that was exported from azure. We have been successful importing it to several other services. When following the instructions here we get the error: certificate is not a valid PEM certificate


blocked out keys

I converted this from a PFX to a pem/key using OpenSSL:

openssl pkcs12 -in our.pfx -nocerts -out our.key
openssl pkcs12 -in our.pfx -clcerts -nokeys -out our.crt

But have had no luck. Any help would be appreciated.

FYI my cert also a GoDaddy wildcard cert exported from azure…

This is a tough one for us to debug, since we can’t see what your certs look like. The functionality does work well for others; it’s used pretty frequently so I don’t think this is a problem with our service. However, I’m not certain that the error our API returns (“certificate is not a valid PEM certificate”) might not be about any of the fields rather than just the pem file - so my response will consider all of your inputs.

From your screenshot, I can see that the ascii armor looks appropriate (assuming the top one starts with -----BEGIN CERTIFICATE----- where the tooltip is covering).

I assume your CA Chain (aka Intermediate certs) looks like a SERIES of these?

-----BEGIN CERTIFICATE-----
MI...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MI...
-----END CERTIFICATE-----

Since you have openssl, can you confirm what this returns on your our.crt file?

openssl x509 -in our.crt -text

Also having this issue with a PositiveSSL/ComodoSSL cert via Namecheap.

Tried the command @Stynson suggests:

openssl verify -CAfile mysite.ca-bundle /path/to/your/mysite.crt
Results in OK

One difference is that my key type is PKCS7 (.p7b file)

-----BEGIN PKCS7-----
MI...
-----END PKCS7-----

My guess is that the certificates are ok, but that Netlify is having trouble parsing the key format. Perhaps that is leading to some decoding issues during key checking, I’m not sure.

EDIT: For me the issue was quite silly. I was using the pkcs7 file as the key, which I think is actually some kind of alternate encoding for the certificate file(s). I’m not sure if this will be helpful but I will keep it here in case someone else is confused about all the different file types.


awesome! thanks for sharing that nugget of information :smiley:

I also have this problem: the certificate matches the CSR and key file (according to SSL Matcher) and the openssl verify command returns OK.

My CA-bundle file contains:

-----BEGIN CERTIFICATE-----
MIIGE...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF...
-----END CERTIFICATE-----

My CSR file starts with:

-----BEGIN CERTIFICATE REQUEST-----
MIIC...

My key file starts with:

-----BEGIN PRIVATE KEY-----
MIIE...

In case anyone asks, here’s how I generated the CSR and key:

openssl req -nodes -newkey rsa:2048 -keyout mydomain.key -out mydomain.csr

And the CA bundle is a PositiveSSL/ComodoSSL one provided by Namecheap.

hiya @Berkmann18 and sorry to be slow to get back to you! We don’t need your CSR - we need your certificate, from a vendor like Comodo. We are not an SSL provider! Your options to use SSL at Netlify are:

  1. Let us get a certificate for you. We generate a CSR, and use the ACME protocol with Let’s Encrypt to get you a cert. We don’t need anything from you except to configure DNS to point to us, and then we’ll get a certificate assuming that you haven’t blocked it with things like DNS CAA records or misconfiguration (e.g. what is described in this thread about Cloudflare).

  2. Bring your own certificate. You generate a CSR and key file, send them to a vendor like Comodo, they send you a certificate, which you upload. We never see your CSR; just your CA Chain, private key, and the certificate in PEM format.

You seem to be most of the way to #2 but I think you think we are going to make the cert for you, but in that case, we do not. You can abandon and let us generate instead for you, no harm no foul :slight_smile:


As you noticed, I went with option 2 (since that seems to be the only way for domain names not served by Netlify).
I do have the certificate which I received alongside the CA-bundle file; I guess I should have mentioned the certificate header instead of the CSR’s one, I’m new to this.

Wouldn’t option 1 (if I understand what the alert says on the Domain management section) be only available for domain names owned by Netlify (so not ones managed by Namecheap, GoDaddy, …)?

Edit: I tried again and it finally worked (it seemed that the .crt file was a slightly outdated one).

oh, yes, apologies for not starting here: we do not intend to do anything with SSL for any hostnames whose website we don’t host.

Our SSL usage is entirely for websites we host; if you need SSL for another service we shouldn’t be involved :slight_smile:

To answer your question about option 1: no - let’s encrypt can verify in 2 ways that we use:

  • http: DNS points to us from any provider, Let’s Encrypt connects via http, and provides a certificate as long as no blocking CAA record or other misconfiguration exists.
  • DNS: in case we manage DNS (whether you bought domain through us or not), we use DNS-based verification, which lets us get wildcard certificates: HTTPS (SSL) | Netlify Docs

Only the second one requires us to host your DNS.

So if I understood you properly, websites hosted on GitHub with a Namecheap domain name and PositiveSSL certificate can still be delivered via Netlify as long as it’s not set to manage the DNS and SSL?

No, one of us misunderstood something:

websites hosted on GitHub will be hosted by GitHub, not Netlify. We wouldn’t be involved in DNS, SSL, or serving your site.

To resolve this confusion, maybe we should stop talking in the abstract here and move to your real world situation:

  1. tell us how your site is hosted in detail. “code lives on github, I build by X, and webservers contact service Y”. You could at this point mention how Netlify could be involved in a site that is “hosted on” GitHub as you say.
  2. tell us your actual hostname (no matter who hosts it :)), so we can examine your actual config.

Thanks in advance for your help in troubleshooting!

Sure.

  1. The code lives on GitHub, built by Netlify and it should then reflect on the Namecheap domain I have (which has the PositiveSSL certificate provided via their 3rd party).
    Netlify is then used as the CD platform (where Identity receives the forms).

  2. The hostname is mberkmann.