SSL Certificate error

I am receiving the following Axigen log errors for a GoDaddy certificate and its intermediate file.

2019-03-23 17:02:58 +0000 02 bastion2 WEBADMIN:00000060: SSL load certificate error:0906D06C:PEM routines:PEM_read_bio:no start line
2019-03-23 17:02:58 +0000 02 bastion2 WEBADMIN:00000060: SSL load certificate error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib

I am using the web admin interface adding the certificate and intermediate file bundle as shown below.
An error message appears on screen “Invalid path to certificate file or invalid certificate file!”.

The server is running CentOS 7 and I generated the Private Key and CSR as follows:
Private Key
openssl genrsa -aes256 -out .key 2048
Removed the password
openssl rsa -in .key -out -nopass.key

CSR
openssl req -new -key -nopass.key -out .csr

GoDaddy processed the pasted-in CSR and produced two files: the certificate and an intermediate bundle.
Both of these end in .crt and start with -----BEGIN CERTIFICATE-----

Regards
Keith

Hello Keith,

Because a certificate is useless without its paired key, the certificate file requested by Axigen should contain, besides the certificate data you’ve received from the CA, the private key (which you’ve generated) as well.

If I were in your case, I’d run something like:

# cd certs
# cat 54b086edbe3fe3b6.crt out.key > 54b086edbe3fe3b6.pem
# chown axigen:axigen 54b086edbe3fe3b6.pem

And use the generated pem file as the certificate file.
Additionally, I’d add the intermediate certificate you have received to the certificate authorities file.

HTH,
Ioan
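
A pre-flight check for the combined file described in the reply above, as an added example that is not part of the original thread and not Axigen's own tooling. The function names, status codes and sample file names are assumptions, and the sample PEM bodies are constructed placeholders rather than real certificates or keys.

```sh
#!/bin/sh
# check_pem_bundle FILE (hypothetical helper) returns:
#   0 certificate and unencrypted private key both present
#   1 file missing or unreadable
#   2 no CERTIFICATE block
#   3 no private key block (a certificate-only file, as in the question)
#   4 private key is still passphrase-protected
#   5 a BEGIN line without a matching END line (truncated paste)
check_pem_bundle() {
    f=$1
    [ -r "$f" ] || return 1
    # grep -c exits non-zero on a count of 0, hence "|| true".
    begins=$(grep -c '^-----BEGIN ' "$f" || true)
    ends=$(grep -c '^-----END ' "$f" || true)
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
    # Matches PKCS#8 ("PRIVATE KEY") and traditional ("RSA PRIVATE KEY") labels.
    keys=$(grep -Ec '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$f" || true)
    # Encrypted PKCS#8 label, or the header a passphrase-protected
    # traditional key carries.
    locked=$(grep -Ec '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$f" || true)
    [ "$begins" -eq "$ends" ] || return 5
    [ "$certs" -ge 1 ] || return 2
    [ "$keys" -ge 1 ] || return 3
    [ "$locked" -eq 0 ] || return 4
    return 0
}

# Constructed sample data: writes one PEM block with a placeholder body.
pem_block() {
    printf '%s\n' "-----BEGIN $1-----"
    [ -z "$2" ] || printf '%s\n\n' "$2"
    printf '%s\n' "Q09OU1RSVUNURUQ=" "-----END $1-----"
}

demo_dir=$(mktemp -d)
pem_block CERTIFICATE > "$demo_dir/cert_only.pem"
{ pem_block CERTIFICATE; pem_block "RSA PRIVATE KEY"; } > "$demo_dir/combined.pem"
{ pem_block CERTIFICATE
  pem_block "RSA PRIVATE KEY" "Proc-Type: 4,ENCRYPTED"; } > "$demo_dir/locked_key.pem"

for name in cert_only combined locked_key; do
    rc=0
    check_pem_bundle "$demo_dir/$name.pem" || rc=$?
    echo "$name.pem -> status $rc"
done
```

This only checks the file's structure. To confirm that an RSA certificate and key belong together, compare the output of `openssl x509 -noout -modulus -in <cert>` with that of `openssl rsa -noout -modulus -in <key>`.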

Thanks, that worked.
The DH parameters file was the next issue and certificate suites.
I put all the listed suites in but quoted it “” which was a mistake.
I left DH Parameters blank, another mistake, and eventually used the axigen_dh.pem file.
And it works!


This has been in operation for several months and I thought an update might help others.
We had a number of failed transfers caused by TLS negotiation errors.
When I configured TLS for sending SMTP I disabled the old SSL and early TLS protocols as they are no longer considered secure, and they have virtually disappeared from websites. However, it seems SSL and TLS are still around and in use for mail servers, and as our server could not negotiate with servers using older certificates, any email was being held on our server.
I relaxed the range of certificates that we will accept and have had no further issues.

Keith
April 2019