[SERVER-10495] Mongo 2.5.1 is unable to read sslkey PEM file (error:no start line) Created: 13/Aug/13  Updated: 20/Oct/20  Resolved: 15/Aug/13

Status: Closed
Project: Core Server
Component/s: Networking, Security
Affects Version/s: 2.5.1
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Dylan Tong Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Amazon Linux EC2, amazon linux build for 2.5.1


Attachments: openssl.cnf, pemfiles.tar.gz
Operating System: ALL

Description

I'm currently testing the x.509 authentication feature. I'm unable to start up mongod via

mongod --dpath <path> --logpath <logpath> --fork --sslOnNormalPorts --sslPEMKeyFile <path to sslCertificate and key PEM file> --sslCAFile <path to root CA PEM file>

The error that I'm receiving is as follows:

Tue Aug 13 04:25:10.373 ERROR: cannot read PEM key file: /home/ec2-user/mongodb.pem error:0906D06C:PEM routines:PEM_read_bio:no start line

I've attached the PEM files. The PEM files were generated with the following commands and configurations (openssl.cnf is attached).

Root CA Key/Cert:

sudo openssl req -new -x509 -days 365 -nodes -out mongodbCA.crt -keyout mongodbCA.key

Client Pem:

sudo openssl req -newkey rsa:1024 -nodes -sha1 -keyout mongodb.key -keyform PEM -out mongodb.req -outform PEM

sudo openssl ca -in mongodb.req -out mongodb.pem



Comments
Comment by Francesco Manfredi [ 20/Oct/20 ]

I ran into the same problem.

The tools to generate certificates and key files assume you need them in separate files (and there's no way to assume otherwise) but mongodb requires them to be concatenated in a single file (i.e. $ cat file_one.crt file_two.pem > file_to_feed_mongo.pem).

Just having this information in https://docs.mongodb.com/manual/tutorial/configure-ssl/ would have spared me lots of time.

Comment by Dan Dascalescu [ 08/May/19 ]

Thanks Eric. I see now that that error has bitten others too, so perhaps it's worth filing an issue against OpenSSL. Maybe some pressure from MongoDB, Inc. would help.

Comment by Eric Milkie [ 08/May/19 ]

I’m sorry you’re having trouble, Dan; that sounds super frustrating. That particular message comes from OpenSSL itself, and I’m not sure exactly what it means either. We’ve changed our documentation significantly over the past six years, so that’s why the page doesn’t cover PEM files like it used to. I’ll see what I can do to improve the docs in this area.

Comment by Dan Dascalescu [ 08/May/19 ]

I'm running into the same error: "cannot read certificate file: /tmp/privkey1.pem error:0906D06C:PEM routines:PEM_read_bio:no start line"

That page no longer says anything about how to concatenate files.

I obtained my certificate files by running LetsEncrypt's certbot. Since this is the most popular and free way of getting CA-signed certificates, it would be really useful to explain how exactly to use them, and what needs to be concatenated to what, in what order. Not asking for "A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, and Certificate Authority [that would be] beyond the scope of this document." Just that the user should concatenate the privkey.pem and fullchain.pem into one file (the order doesn't matter, I tried both ways), and point the CAFile setting to the fullchain.pem file.

I wasted significant time trying to figure this out on my own before looking up a tutorial, and I shouldn't have to. This should be covered in the docs, and the error could be more useful. Initially my PEMKeyFile pointed to the private key file (nothing concatenated to it), which started with `---BEGIN PRIVATE KEY----`, so what exactly does "no start line" mean? What should the start line look like? Could that error be more useful instead of spitting out "0906D06C"?

Comment by Eric Milkie [ 14/Aug/13 ]

Hi Dylan.
In your description, you do correctly indicate that --sslPEMKeyFile takes a <path to sslCertificate and key PEM file>.
However, it looks like you did not actually append the private key to the certificate, so your PEM file only contained the SSL certificate. From your example above, the private key is in the mongodb.key file.
On this documentation page, it explains how to concatenate the certificate and the private key into one PEM-format file:
http://docs.mongodb.org/manual/tutorial/configure-ssl/
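The comments from Eric Milkie (above) and Francesco Manfredi (earlier on this page) both come down to the same requirement: the file given to --sslPEMKeyFile must hold the server certificate and its private key as two PEM blocks in one file, and OpenSSL's "no start line" simply means it found no `-----BEGIN ...-----` boundary where it expected one. The following checker is an added example written for this page; it is not MongoDB's code and not part of the ticket. It uses only the Python standard library, and the sample PEM bodies are constructed placeholders (base64 of bytes 0x00..0x09), not real certificates or keys. It reports whether a candidate file contains a certificate block, a private-key block, both, or neither, and shows that a start line with the wrong number of hyphens is not recognised as a boundary at all.

```python
import base64
import binascii
import re

# PEM boundary lines as OpenSSL's PEM_read_bio expects them (RFC 7468):
# exactly five hyphens on each side of "BEGIN <label>" / "END <label>".
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)^-----END \1-----[ \t]*\r?$",
    re.MULTILINE | re.DOTALL,
)

CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def pem_blocks(text):
    """Return [(label, decoded_bytes)] for every well-formed PEM block in text.

    A block whose body is not valid base64 is reported with decoded_bytes=None
    so the caller can flag it instead of silently skipping it.
    """
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            blocks.append((label, base64.b64decode(body, validate=True)))
        except binascii.Error:
            blocks.append((label, None))
    return blocks


def check_mongo_pem(text):
    """Classify a candidate --sslPEMKeyFile; returns (ok, reason).

    mongod wants the server certificate and its private key in ONE file, so
    ok is True only when both kinds of block are present and decodable.
    """
    blocks = pem_blocks(text)
    if not blocks:
        # This is the situation behind OpenSSL's "PEM_read_bio:no start line":
        # no line of the form -----BEGIN ...----- was found at all.
        return False, ("no PEM start line found; each block must begin with "
                       "'-----BEGIN <LABEL>-----' (five hyphens each side)")
    bad = [label for label, data in blocks if data is None]
    if bad:
        return False, "block(s) with undecodable base64 body: " + ", ".join(bad)
    labels = [label for label, _ in blocks]
    has_cert = any(lab in CERT_LABELS for lab in labels)
    has_key = any(lab in KEY_LABELS for lab in labels)
    if has_cert and has_key:
        return True, "certificate and private key present: " + ", ".join(labels)
    if has_cert:
        return False, "certificate only; append the private key (.key) file"
    if has_key:
        return False, "private key only; append the certificate (.crt) file"
    return False, "no certificate or private key block; found: " + ", ".join(labels)


def build_bundle(*parts):
    """Concatenate PEM texts the way `cat a.crt b.key > bundle.pem` does,
    making sure each part ends with a newline so boundaries stay on their own lines."""
    return "".join(p if p.endswith("\n") else p + "\n" for p in parts)


# Constructed sample blocks: the bodies are placeholder base64 (bytes 0x00..0x09),
# not a real certificate or key.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nAAECAwQFBgcICQ==\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nAAECAwQFBgcICQ==\n-----END PRIVATE KEY-----\n"
# A start line with the wrong number of hyphens is not a PEM boundary at all.
SAMPLE_BAD_DASHES = "---BEGIN PRIVATE KEY----\nAAECAwQFBgcICQ==\n---END PRIVATE KEY----\n"

if __name__ == "__main__":
    cases = [("cert only", SAMPLE_CERT),
             ("cert + key", build_bundle(SAMPLE_CERT, SAMPLE_KEY)),
             ("key + cert", build_bundle(SAMPLE_KEY, SAMPLE_CERT)),
             ("wrong dashes", SAMPLE_BAD_DASHES)]
    for name, text in cases:
        ok, reason = check_mongo_pem(text)
        print(f"{name:12s} -> {'OK ' if ok else 'BAD'}: {reason}")
```

Run it against a real file with `check_mongo_pem(open("bundle.pem").read())`; both block orders are accepted, which matches what Dan Dascalescu reports above. The checker only inspects PEM framing and base64 validity; it does not verify that the key actually matches the certificate, which `openssl x509` / `openssl pkey` can do once the framing is right.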

Comment by Dylan Tong [ 13/Aug/13 ]

Note that I realize this could be related to how I generated my PEM files, but I can't tell from the error or the online instructions what could be missing from my PEM.
