Failed to install certificate : Missing or invalid signed SSL certificate : Line 28 does not look like PEM format

Hello,

We have an SSL cert from GeoTrust that we cannot import. Whether we use the option to "paste" the cert and key or "file on server" it always ends up with this error:

"Failed to install certificate : Missing or invalid signed SSL certificate : Line 28 does not look like PEM format"

Line 28 of the ssl.cert is: -----END CERTIFICATE-----

I checked and there are no blank spaces in the file, in fact the files have been copied from a plesk machine where both Nginx and Apache were using happily.

Any ideas?

Lucian

Status: 
Active

Comments

Howdy -- would it be possible to paste in the full SSL Certificate?

It's possible there's another issue with another part of the cert.

Howdy,

Unfortunately due to privacy reasons I would rather not share the certificate.

The thing is Apache loads it quite happily (key, cert and chain) and no issues with any browsers, so it must be "correct".

Could this be related to webmin's perl modules dealing with ssl? Which module should I try to upgrade?

Webmin/Virtualmin does some validation checks on that file to ensure that it appears to be a valid SSL certificate, before installing it.

It's possible that one of those checks isn't working properly, and is generating a false positive. There could also be something else going awry.

We can look into that deeper to ensure that there isn't a bug, but we'd unfortunately need to see the SSL certificate (and later, possibly the SSL key) in order to do that. Otherwise we won't know what's tripping that up.

We'd be happy to mark your request as private if that helps, meaning only the Virtualmin staff can see that.

Could you instead post just the first and last two lines of the cert?

Jamie,

First line:

-----BEGIN CERTIFICATE-----

Last 2 lines:

5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
-----END CERTIFICATE-----

The crt file in question contains 3 BEGIN/END sections.

Is there a way to work around this?

"openssl x509 -in ssl.cert -text -noout" doesn't complain about anything, can't this tool be used instead for validation?

The crt file in question contains 3 BEGIN/END sections.

Oh dear, that's the problem... Plesk has bundled the cert and the ca together in one file, that's why Virtualmin was failing on the checks.

I was copy/pasting from the cert files included in the Plesk nginx/apache verbatim.

So it's not a bug, but functionality could perhaps be added to avoid this kind of confusions?

This was a tricky one, especially as Apache loads that up just fine.

Thanks a lot,

Lucian

I got the same error, the solution where cd /home/[domain] mv ssl.* /tmp go to Edit Virtual Server Disable apache ssl feature enable it again virtual min will create new ssl, after that you can go and request let's encrypt SSL

Ilia's picture
Submitted by Ilia on Wed, 11/18/2020 - 08:38

I got the same error, the solution where cd /home/[domain] mv ssl.* /tmp go to Edit Virtual Server Disable apache ssl feature enable it again virtual min will create new ssl, after that you can go and request let's encrypt SSL

Yes, correct. We just discussed it internally with Jamie, and we agreed to work around this.