Certificate is not a valid PEM certificate

Hi, @Stynson.

I believe this means that you will need to also include that intermediate SSL certificate in the “Intermediate certs” field when uploading your certificate. That is the third field in the following screenshot.

Are you copying data into all three fields? Again, the intermediate certificate should be in the third field.

If the certificate still doesn’t work when this is done, please let us know.

Yeah, I included my CA certificate in the third field, the same one which validated OK with openssl verify…
Also tried with and without the begin and end lines for all cases
(-----BEGIN CERTIFICATE----- etc.)

Hello. We are also seeing this issue when trying to import a GoDaddy cert. It is a wildcard cert that was exported from Azure. We have been successful importing it to several other services. When following the instructions here we get the error: certificate is not a valid PEM certificate


[screenshot of the upload form, keys blocked out]

I converted this from a PFX to a pem/key using OpenSSL:

openssl pkcs12 -in our.pfx -nocerts -out our.key
openssl pkcs12 -in our.pfx -clcerts -nokeys -out our.crt

But have had no luck. Any help would be appreciated.

FYI my cert also a GoDaddy wildcard cert exported from azure…

This is a tough one for us to debug, since we can’t see what your certs look like. The functionality does work well for others; it’s used pretty frequently, so I don’t think this is a problem with our service. However, I’m not certain that the error our API returns (“certificate is not a valid PEM certificate”) isn’t about any of the fields rather than just the PEM file, so my response will consider all of your inputs.

From your screenshot, I can see that the ASCII armor looks appropriate (assuming the top one starts with -----BEGIN CERTIFICATE----- where the tooltip is covering).

I assume your CA Chain (aka Intermediate certs) looks like a SERIES of these?

-----BEGIN CERTIFICATE-----
MI...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MI...
-----END CERTIFICATE-----

Since you have openssl, can you confirm what this returns on your our.crt file?

openssl x509 -in our.crt -text

Also having this issue with a PositiveSSL/ComodoSSL cert via Namecheap.

Tried the command @Stynson suggests:

 openssl verify -CAfile mysite.ca-bundle /path/to/your/mysite.crt
Results in OK

One difference is that my key type is PKCS7 (.p7b file)

-----BEGIN PKCS7-----
MI...
-----END PKCS7-----

My guess is that the certificates are OK, but that Netlify is having trouble parsing the key format. Perhaps that is leading to some decoding issues during key checking, I’m not sure.

EDIT: For me the issue was quite silly. I was using the pkcs7 file as the key, which I think is actually some kind of alternate encoding for the certificate file(s). I’m not sure if this will be helpful but I will keep it here in case someone else is confused about all the different file types.


awesome! thanks for sharing that nugget of information :smiley:

I also have this problem; the certificate matches the CSR and key file (according to SSL Matcher) and the openssl verify command returns OK.

My CA-bundle file contains:

-----BEGIN CERTIFICATE-----
MIIGE...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF...
-----END CERTIFICATE-----

My CSR file starts with:

-----BEGIN CERTIFICATE REQUEST-----
MIIC...

My key file starts with:

-----BEGIN PRIVATE KEY-----
MIIE...

In case anyone asks, here’s how I generated the CSR and key:

openssl req -nodes -newkey rsa:2048 -keyout mydomain.key -out mydomain.csr

And the CA bundle is a PositiveSSL/ComodoSSL one provided by Namecheap.

hiya @Berkmann18 and sorry to be slow to get back to you! We don’t need your CSR - we need your certificate, from a vendor like Comodo. We are not an SSL provider! Your options to use SSL at Netlify are:

  1. Let us get a certificate for you. We generate a CSR, and use the ACME protocol with Let’s Encrypt to get you a cert. We don’t need anything from you except to configure DNS to point to us, and then we’ll get a certificate assuming that you haven’t blocked it with things like DNS CAA records or misconfiguration (e.g. what is described in this thread about Cloudflare).

  2. Bring your own certificate. You generate a CSR and key file, send them to a vendor like Comodo, they send you a certificate, which you upload. We never see your CSR; just your CA chain, private key, and the certificate in PEM format.

You seem to be most of the way to #2 but I think you think we are going to make the cert for you, but in that case, we do not. You can abandon and let us generate instead for you, no harm no foul :slight_smile:

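The three mix-ups in this thread (a chain that is not a series of CERTIFICATE blocks, a .p7b pasted as the key, a CSR pasted where the issued certificate belongs, armor lines stripped) are all visible from the PEM labels and framing alone. The following is an added example, not Netlify’s code and not from anyone in the thread: a stdlib-only pre-flight check that classifies what is in each of the three upload fields (certificate, private key, intermediate certs) before you hit the form. Field names mirror the form described above; the sample inputs are constructed (a five-byte DER SEQUENCE stands in for real certificate DER), and the advice to export an encrypted key unencrypted assumes the form has no passphrase field, which the thread only names three fields for.

```python
"""Pre-flight check for a bring-your-own-certificate upload: classify what
is really in the certificate, private key and intermediate-certs fields.
Only PEM framing (RFC 7468 armor, base64, DER outer SEQUENCE) and block
labels are checked; signatures, chain order and key/cert correspondence
are left to openssl verify / x509 / pkey."""
import base64
import re

CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}

# Labels that get pasted into the wrong field, and what to do instead.
HINTS = {
    "CERTIFICATE REQUEST": "this is a CSR; upload the certificate the CA issued from it",
    "PKCS7": "PKCS #7 is a certificate bundle, not a key; extract the certificates "
             "with 'openssl pkcs7 -print_certs -in file.p7b'",
    "PUBLIC KEY": "this is a public key; the form needs the private key",
}
_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def _check_der_sequence(der, label):
    """Require the decoded payload to be exactly one DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError(f"{label}: payload does not start with a DER SEQUENCE")
    if der[1] < 0x80:                       # short-form length
        length, header = der[1], 2
    else:                                   # long-form length, n length bytes
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError(f"{label}: malformed DER length")
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + length != len(der):
        raise ValueError(f"{label}: DER length {length} does not match payload size")


def parse_pem(text):
    """Return [(label, der, encrypted)] for each complete PEM block in text.
    Raises ValueError when a body is not base64 or not DER-framed."""
    blocks = []
    for m in _BLOCK_RE.finditer(text):
        label, lines = m.group(1), m.group(2).splitlines()
        # Legacy OpenSSL encrypted keys carry a "Proc-Type: 4,ENCRYPTED" header
        # and a raw-ciphertext body, so the DER check is skipped for them.
        legacy = any(ln.startswith("Proc-Type") and "ENCRYPTED" in ln for ln in lines)
        payload = "".join(ln.strip() for ln in lines if ln.strip() and ":" not in ln)
        try:
            der = base64.b64decode(payload, validate=True)
        except ValueError as exc:           # binascii.Error subclasses ValueError
            raise ValueError(f"{label}: body is not valid base64 ({exc})") from exc
        if not legacy:
            _check_der_sequence(der, label)
        blocks.append((label, der, legacy or label == "ENCRYPTED PRIVATE KEY"))
    return blocks


def check_fields(certificate, private_key, intermediates):
    """Return a list of problems for the three upload fields ([] = plausible)."""
    problems = []
    spec = (("certificate", certificate, CERT_LABELS, "an X.509 certificate"),
            ("private key", private_key, KEY_LABELS, "a private key"),
            ("intermediate certs", intermediates, CERT_LABELS, "CA certificates"))
    for field, text, allowed, expected in spec:
        try:
            blocks = parse_pem(text)
        except ValueError as exc:
            problems.append(f"{field}: {exc}")
            continue
        if not blocks:
            problems.append(f"{field}: " + ("no complete -----BEGIN/-----END block; "
                            "the armor lines are required" if text.strip() else "empty"))
            continue
        for label, _, encrypted in blocks:
            if label not in allowed:
                problems.append(f"{field}: contains a {label} block; "
                                + HINTS.get(label, f"expected {expected}"))
            elif encrypted:   # assumption: the upload form has no passphrase field
                problems.append(f"{field}: passphrase-protected; export it unencrypted "
                                "first (openssl pkey -in enc.key -out plain.key)")
        if field == "certificate" and len(blocks) > 1:
            problems.append("certificate: several blocks; keep the leaf here and move "
                            "the rest to intermediate certs")
    return problems


# Constructed samples: a minimal DER SEQUENCE stands in for real certificate DER.
_FAKE_DER = b"\x30\x03\x02\x01\x05"

def armor(label, der=_FAKE_DER):
    """Wrap DER bytes in PEM armor (used only to build the samples)."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

SAMPLE_CERT = armor("CERTIFICATE")
SAMPLE_KEY = armor("PRIVATE KEY")
SAMPLE_CHAIN = armor("CERTIFICATE") * 2       # intermediate + root, as a series
SAMPLE_CSR = armor("CERTIFICATE REQUEST")     # CSR pasted where the cert belongs
SAMPLE_PKCS7 = armor("PKCS7")                 # .p7b pasted where the key belongs
SAMPLE_NAKED = base64.b64encode(_FAKE_DER).decode()   # armor lines stripped

if __name__ == "__main__":
    for problem in check_fields(SAMPLE_CSR, SAMPLE_PKCS7, SAMPLE_NAKED):
        print(problem)
```

Two things this flags that the PFX conversion earlier in the thread produces: `openssl pkcs12 -nocerts -out our.key` without `-nodes` writes a passphrase-protected key (reported as passphrase-protected above), and `-clcerts -nokeys` deliberately leaves the CA certificates out, so the third field stays empty unless you also run `openssl pkcs12 -in our.pfx -cacerts -nokeys -out chain.crt`. Once the fields pass this check, `openssl verify -CAfile chain.crt our.crt` and a comparison of `openssl x509 -pubkey -noout -in our.crt` against `openssl pkey -pubout -in our.key` cover what it does not.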

As you noticed, I went with option 2 (since that seems to be the only way for domain names not served by Netlify).
I do have the certificate which I received alongside the CA-bundle file; I guess I should have mentioned the certificate header instead of the CSR’s one, I’m new to this.

Wouldn’t option 1 (if I understand what the alert says on the Domain management section) be only available for domain names owned by Netlify (so not ones managed by Namecheap, GoDaddy, …)?

Edit: I tried again and it finally worked (it seemed that the .crt file was a slightly outdated one).

oh, yes, apologies for not starting here: we do not intend to do anything with SSL for any hostnames whose website we don’t host.

Our SSL usage is entirely for websites we host; if you need SSL for another service we shouldn’t be involved :slight_smile:

To answer your question about option 1: no. Let’s Encrypt can verify in 2 ways that we use:

  • HTTP: DNS points to us from any provider, Let’s Encrypt connects via HTTP, and provides a certificate as long as no blocking CAA record or other misconfiguration exists.
  • DNS: in case we manage DNS (whether you bought domain through us or not), we use DNS-based verification, which lets us get wildcard certificates: HTTPS (SSL) | Netlify Docs

Only the second one requires us to host your DNS.

So if I understood you properly, websites hosted on GitHub with a Namecheap domain name and PositiveSSL certificate can still be delivered via Netlify as long as it’s not set to manage the DNS and SSL?

No, one of us misunderstood something:

websites hosted on GitHub will be hosted by GitHub, not Netlify. We wouldn’t be involved in DNS, SSL, or serving your site.

To resolve this confusion, maybe we should stop talking in the abstract here and move to your real world situation:

  1. tell us how your site is hosted in detail. “code lives on github, I build by X, and webservers contact service Y”. You could at this point mention how Netlify could be involved in a site that is “hosted on” GitHub as you say.
  2. tell us your actual hostname (no matter who hosts it :)), so we can examine your actual config.

Thanks in advance for your help in troubleshooting!

Sure.

  1. The code lives on GitHub, built by Netlify and it should then reflect on the Namecheap domain I have (which has the PositiveSSL certificate provided via their 3rd party).
    Netlify is then used as the CD platform (where Identity receives the forms).

  2. The hostname is mberkmann.

Sounds like Netlify is also hosting your website then - browsers don’t contact GitHub, they contact Netlify, right? There is a competing product called “GitHub Pages” so this isn’t just me playing stupid, it’s a frequent confusion: “I use netlify to BUILD my site, save to GitHub who serves it to browsers” or “GitHub hosts my source code, but Netlify builds it and hosts the website”.

As regards hostname, I was wondering about the DNS hostname, rather than the Netlify hostname, but I can see that that Netlify site has a hostname set.

That hostname is currently hosted entirely at namecheap; you’ll have to turn off the “parking” feature there and follow DNS instructions like these, if you want us to host the site instead:

$ host YOURREALHOSTNAME
YOURREALHOSTNAME is an alias for parkingpage.namecheap.com.
parkingpage.namecheap.com has address 198.54.117.217
parkingpage.namecheap.com has address 198.54.117.210
parkingpage.namecheap.com has address 198.54.117.218
parkingpage.namecheap.com has address 198.54.117.215
parkingpage.namecheap.com has address 198.54.117.212
parkingpage.namecheap.com has address 198.54.117.216
parkingpage.namecheap.com has address 198.54.117.211

Once you decide to turn off parking at Namecheap, let me know if you’d like me to re-examine to try to re-advise!

Sounds like Netlify is also hosting your website then - browsers don’t contact GitHub, they contact Netlify, right?

Yeah, apologies for the poorly worded answers.

That hostname is currently hosted entirely at namecheap; you’ll have to turn off the “parking” feature there and follow DNS instructions like these, if you want us to host the site instead

Okay, I’ll look into that.

you’ll have to turn off the “parking” feature there and follow DNS instructions like these

I’ve done that, what should be the target? I suppose it would be mberkmann.dev?

Nope, you’ll follow this guidance for best performance:

(apologies - I had meant to link that in my last response!)

write please.

rootca
subca

this form

Hi, @wees. I’m not sure what you are stating or asking above. Would you please explain in more detail?