Certificate is not a valid PEM certificate

fool · June 22, 2020, 10:58pm

Sounds like Netlify is also hosting your website then - browsers don’t contact GitHub, they contact Netlify, right? There is a competing product called “GitHub Pages” so this isn’t just me playing stupid, it’s a frequent confusion: “I use netlify to BUILD my site, save to GitHub who serves it to browsers” or “GitHub hosts my source code, but Netlify builds it and hosts the website”.

As regards hostname, I was wondering the DNS hostname, rather than the netlify hostname, but I can see that that netlify site has a hostname set.

That hostname is currently hosted entirely at namecheap; you’ll have to turn off the “parking” feature there and follow DNS instructions like these, if you want us to host the site instead:

$ host YOURREALHOSTNAME
YOURREALHOSTNAME is an alias for parkingpage.namecheap.com.
parkingpage.namecheap.com has address 198.54.117.217
parkingpage.namecheap.com has address 198.54.117.210
parkingpage.namecheap.com has address 198.54.117.218
parkingpage.namecheap.com has address 198.54.117.215
parkingpage.namecheap.com has address 198.54.117.212
parkingpage.namecheap.com has address 198.54.117.216
parkingpage.namecheap.com has address 198.54.117.211

Once you decide to turn off parking at Namecheap, let me know if you’d like me to re-examine to try to re-advise!

Berkmann18 · June 22, 2020, 11:40pm

Sounds like Netlify is also hosting your website then - browsers don’t contact GitHub, they contact Netlify, right?

Yeah, apologies for the poorly worded answers.

That hostname is currently hosted entirely at namecheap; you’ll have to turn off the “parking” feature there and follow DNS instructions like these, if you want us to host the site instead

Okay, I’ll look into that.

Berkmann18 · June 28, 2020, 4:23pm

you’ll have to turn off the “parking” feature there and follow DNS instructions like these

I’ve done that, what should be the target? I suppose it would be mberkmann.dev?

fool · June 29, 2020, 5:49pm

Nope, you’ll follow this guidance for best performance:

(apologies - I had meant to link that in my last response!)

wees · February 18, 2021, 1:43am

write please.

rootca
subca

this form

luke · February 18, 2021, 7:41am

Hi, @wees. I’m not sure what you are stating or asking above. Would you please explain in more detail?

Hitesh_Abichandani · May 24, 2021, 5:12am

What did you provide as Private Key while setting custom certificate?

I am facing the exact issue you were. Here is a link to the topic I raised :
https://answers.netlify.com/t/error-dns-probe-finished-nxdomain-for-namecheap-domain/38164

hillary · May 27, 2021, 7:28pm

Thanks for sharing that link, @Hitesh_Abichandani For any future members reading this thread, the above link contains a solution, so check it out!

devopstoday11 · October 16, 2021, 9:27pm

@fool @hillary
I am facing the same issue “Certificate is not a valid PEM certificate”. Nothing seems to work for me.

This is what I did:
Connected Gitlab repo , used custom domain and launched draft version of our website. Default Let’s Encrypt cert was issue for our domain by Netlify.
When I tried to add custom Godaddy ssl cert, I am getting the error mentioned.
I verified the certs provided by Godaddy, all are valid (pem, private key, intermediate).
I did follow this thread and checked/tried diff methods, but nothing solved the issue.
I am lost on how to fix this. Please help.

hrishikesh · October 17, 2021, 11:36am

Hi @devopstoday11,

We’re equally at a loss here as we don’t have or can’t see your certificate to test this ourselves.

But you could help us and yourself reach a conclusion:

How did you verify this? As already mentioned above, this works fine for almost everyone and the complaints that you’ve seen never reached a good conclusion.

A lot of the complaints also seem to be from GoDaddy users only. Could you try to see if you can get some other SSL it works fine?

techit · November 2, 2021, 12:19pm

We had the same issue with Netlify saying “Certificate is not a valid PEM certificate” when we were trying to update our wildcard SSL certificate yesterday.

I ended up giving up and switching to Let’s Encrypt because our certificate was expiring today. Sort of out of luck, the site wasn’t loading with the Let’s Encrypt certificate in the Domain Settings so I went back in and tried to upload our custom certificate again, just like yesterday.

It worked this time!!

So, I have no idea if this will help anyone else, but the next person who runs into this, I would recommend switching to a Let’s Encrypt certificate and then afterward, try your custom certificate again.

Would love to hear if that works for anyone.

hillary · November 2, 2021, 3:50pm

Thanks so much for chiming in and sharing this suggestion with us, @techit. We are glad that this worked for you!

x0Z3ro0x · December 3, 2021, 4:57am

Thank you for sharing this! Unfortunately this didn’t solve my issue and I get the same error message. It a clear issue on Netlify’s end.

hillary · December 3, 2021, 4:12pm

Hey there, @x0Z3ro0x

Sorry to hear the above solutions didn’t help you. Are you looking for further assistance? If so, I would recommend starting with this link, that covers how to create a PEM certificate manually. If that doesn’t help, we will need the following information from you:

tell us how your site is hosted in detail. “code lives on github, I build by X, and webservers contact service Y”.
tell us your actual hostname (no matter who hosts it :)), so we can examine your config.
The first 5 or 6 characters of your certificate and key, preferably in the format that @TwinThread or @Berkmann18 did above. If you are not comfortable sharing this publicly, you can DM it to me. Please note, however, that this may result in a slower response time due to staffing changes over the weekend.

Thanks!

yingchangwu · March 31, 2022, 9:37pm

I got the exactly same problem as @TwinThread .

The fix for me is to change my encrypted private key to RSA private key.

if you have pfx file, you can use openssl to generate your private key

openssl pkcs12 -in x.pfx -nocerts -nodes -passin pass:123456 | openssl rsa -out privkey.pem

open your private key file and you should see

-----BEGIN RSA PRIVATE KEY-----

and paste the RSA private key.

ryanclements · January 12, 2024, 9:14pm

This was super helpful. My problem ended up not realizing my private key was encrypted. In addition, I didn’t realize the root cert also needed to be part of the intermediates.

For others that had issues, I found locally validating the cert and private key before uploading helped out a lot.

For finding the intermediate certs, I printed out the metadata for the cert I wanted to upload, searched for the link to the cert that signed it and repeated this process until I reached a root cert.

openssl x509 -in the.crt -text

After getting the intermediate certs, I concatenated them all in a .pem file in order with the root cert last, then validated that the content in that file was sufficient using the following command. (The .pem file format can be found here https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm)

openssl verify -CAfile intermediates.pem your.crt

Consult this for how to validate a private key: https://www.sectigo.com/faqs/detail/How-do-I-verify-that-a-private-key-matches-a-certificate-OpenSSL-1527076112539/kA01N000000zFTR

Topic		Replies	Views
Domain managment: certificate is not a valid pem certificate Support netlify-dns-https-ssl	12	2071	July 29, 2022
Problems installing certificate (certificate Private key did not match certificate) Support netlify-dns-https-ssl	4	3316	April 21, 2022
Cloudflare Origin CA as custom certificate Support settings-config	3	1255	October 7, 2021
[Support Guide] Tips for bringing your own custom SSL certificates to Netlify Support Guides netlify-dns-https-ssl , support-guide	24	7286	November 28, 2024
How to import SSL certs Support netlify-dns-https-ssl , netlify-newbie	3	1605	July 27, 2020

Certificate is not a valid PEM certificate

Related topics