[SERVER-10495] Mongo 2.5.1 is unable to read sslkey PEM file (error:no start line)
Created: 13/Aug/13 Updated: 20/Oct/20 Resolved: 15/Aug/13

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Networking, Security |
| Affects Version/s: | 2.5.1 |
| Fix Version/s: | None |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Dylan Tong |
| Assignee: | Unassigned |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Amazon Linux EC2, amazon linux build for 2.5.1 |
| Operating System: | ALL |

Description
I'm currently testing the x.509 authentication feature. I'm unable to start up mongod via:

    mongod --dbpath <path> --logpath <logpath> --fork --sslOnNormalPorts --sslPEMKeyFile <path to sslCertificate and key PEM file> --sslCAFile <path to root CA PEM file>

The error that I'm receiving is as follows:

    Tue Aug 13 04:25:10.373 ERROR: cannot read PEM key file: /home/ec2-user/mongodb.pem error:0906D06C:PEM routines:PEM_read_bio:no start line

I've attached the PEM files. The PEM files were generated with the following commands and configurations (openssl.cnf is attached).

Root CA Key/Cert:

    sudo openssl req -new -x509 -days 365 -nodes -out mongodbCA.crt -keyout mongodbCA.key

Client Pem:

    sudo openssl req -newkey rsa:1024 -nodes -sha1 -keyout mongodb.key -keyform PEM -out mongodb.req -outform PEM
    sudo openssl ca -in mongodb.req -out mongodb.pem
Comments
Comment by Francesco Manfredi [ 20/Oct/20 ]

I ran into the same problem. The tools to generate certificates and key files assume you need them in separate files (and there's no way to assume otherwise) but mongodb requires them to be concatenated in a single file (i.e. $ cat file_one.crt file_two.pem > file_to_feed_mongo.pem). Just having this information in https://docs.mongodb.com/manual/tutorial/configure-ssl/ would have spared me lots of time.
Comment by Dan Dascalescu [ 08/May/19 ]

Thanks Eric. I see now that that error has bitten others too, so perhaps it's worth filing an issue against OpenSSL. Maybe some pressure from MongoDB, Inc. would help.
Comment by Eric Milkie [ 08/May/19 ]

I'm sorry you're having trouble, Dan; that sounds super frustrating. That particular message comes from OpenSSL itself, and I'm not sure exactly what it means either. We've changed our documentation significantly over the past six years, so that's why the page doesn't cover PEM files like it used to. I'll see what I can do to improve the docs in this area.
Comment by Dan Dascalescu [ 08/May/19 ]

I'm running into the same error: "cannot read certificate file: /tmp/privkey1.pem error:0906D06C:PEM routines:PEM_read_bio:no start line" That page no longer says anything about how to concatenate files. I obtained my certificate files by running LetsEncrypt's certbot. Since this is the most popular and free way of getting CA-signed certificates, it would be really useful to explain how exactly to use them, and what needs to be concatenated to what, in what order. Not asking for "A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, and Certificate Authority [that would be] beyond the scope of this document." Just that the user should concatenate the privkey.pem and fullchain.pem into one file (the order doesn't matter, I tried both ways), and point the CAFile setting to the fullchain.pem file. I wasted significant time trying to figure this out on my own before looking up a tutorial, and I shouldn't have to. This should be covered in the docs, and the error could be more useful. Initially my PEMKeyFile pointed to the private key file (nothing concatenated to it), which started with `---
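The failure in the report and the fix in the two comments above (the `openssl ca` output holds only the certificate, so the key must be concatenated into the same file; with certbot, privkey.pem and fullchain.pem in either order) can be checked before the file is handed to mongod. The following is an added example, not code from this ticket or from MongoDB: a stdlib-only Python inspector that lists the PEM blocks in a file, reports whether both a certificate and a private key are present, and builds the combined file. The function names (`pem_blocks`, `inspect_pem_key_file`, `combine_pem`) and the sample PEM texts are constructed for this example; the base64 payloads are placeholder bytes, not real keys or certificates. OpenSSL's PEM reader reports "no start line" when it reaches end of file without finding a `-----BEGIN` line for the object type it was asked to load, which is why a certificate-only file fails at the moment mongod reads the private key from it.

```python
"""Check a PEM file for the blocks mongod's --sslPEMKeyFile expects.

Added example (not code from the ticket or from MongoDB). OpenSSL's PEM
reader reports "no start line" when it reaches end of file without finding
a "-----BEGIN <label>-----" line for the object it was asked to load, so a
file holding only the certificate fails as soon as the private key is read
from it. The functions below list the blocks, say what is missing and
build the combined file. Sample blocks are constructed; the base64 payload
is placeholder text, not a real key or certificate.
"""
import base64
import binascii
import re

# One PEM block: BEGIN line, optional "Key: value" headers, base64, END line.
_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def pem_blocks(text):
    """Return [(label, der_bytes)] for each PEM block in text.

    Text outside the markers (e.g. the readable dump `openssl ca` writes
    before the certificate) is ignored, as OpenSSL ignores it while
    scanning for the start line. Raises ValueError on a bad base64 body.
    """
    if isinstance(text, bytes):
        text = text.decode("latin-1")
    blocks = []
    for m in _BLOCK_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        # Skip "Proc-Type:" / "DEK-Info:" headers of encrypted legacy keys.
        b64 = "".join(ln.strip() for ln in body.splitlines()
                      if ln.strip() and ":" not in ln)
        try:
            blocks.append((label, base64.b64decode(b64, validate=True)))
        except binascii.Error as exc:
            raise ValueError("bad base64 in %s block: %s" % (label, exc))
    return blocks


def inspect_pem_key_file(text):
    """Classify a candidate --sslPEMKeyFile; 'problem' is None when usable."""
    labels = [label for label, _ in pem_blocks(text)]
    certs = sum(1 for l in labels if l in CERT_LABELS)
    keys = sum(1 for l in labels if l in KEY_LABELS)
    if not labels:
        problem = "no_pem_blocks"        # DER file, wrong file or no BEGIN line
    elif keys == 0:
        problem = "missing_private_key"  # the ticket's case: `openssl ca` output alone
    elif certs == 0:
        problem = "missing_certificate"  # a bare privkey.pem
    else:
        problem = None
    return {"certificates": certs, "private_keys": keys,
            "problem": problem, "ok": problem is None}


def combine_pem(*parts):
    """Concatenate PEM texts (any order) the way `cat key.pem cert.pem` does."""
    return "".join(p if p.endswith("\n") else p + "\n" for p in parts)


def _constructed_block(label, payload):
    """Build a syntactically valid PEM block around placeholder bytes."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(lines), label)


# Constructed stand-ins: the `openssl ca` output (text dump + certificate),
# a bare key file, and a certbot-style fullchain with two certificates.
CERT_ONLY = ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
             + _constructed_block("CERTIFICATE", b"placeholder leaf cert"))
KEY_ONLY = _constructed_block("RSA PRIVATE KEY", b"placeholder private key")
FULLCHAIN = (_constructed_block("CERTIFICATE", b"placeholder leaf cert")
             + _constructed_block("CERTIFICATE", b"placeholder intermediate"))

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, inspect_pem_key_file(fh.read()))
    print("cert only:", inspect_pem_key_file(CERT_ONLY))
    print("combined: ", inspect_pem_key_file(combine_pem(KEY_ONLY, FULLCHAIN)))
```

Run it with the candidate file as the argument; a `missing_private_key` result on the report's mongodb.pem points at the concatenation the comments describe (`cat mongodb.key mongodb.pem > combined.pem`, then pass combined.pem to `--sslPEMKeyFile`), and for certbot output the same holds for privkey.pem plus fullchain.pem in either order. The inspector only checks PEM framing; it does not verify that the key matches the certificate.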
Comment by Eric Milkie [ 14/Aug/13 ]

Hi Dylan.
Comment by Dylan Tong [ 13/Aug/13 ]

Note that I realize this could be related to how I generated my PEM files, but I can't tell from the error or the online instructions what could be missing from my PEM.