45

I am trying to update a wildcard certificate for EC2 instances on AWS. The service these servers belong to consists of a single server and a set of servers behind an AWS ELB.

The certificate has been successfully updated and verified on the single server.

The same is true for an instance pulled up from the image the ELB uses for AutoScaling.

However, when trying to add a new certificate to the load balancer, I get the above error. I'm sure the certificate is correct and is in PEM format. I first tried via the web console, then using the `aws iam` command line tools, with the same result.

Has anyone come across a similar issue recently?

marekful

5 Answers

96

The AWS CLI requires a `file://` prefix for local files, for example `file://private.key`, `file://cert_file`, etc.

mikemaccana
  • Care to elaborate at all there? – David van Dugteren Apr 27 '14 at 12:42
  • 6
    Sounds strange, but this suggestion worked for me. Originally was getting the exact error message as the title of this Question, but adding `file://` to each filename made the upload work perfectly. Used the Windows x64 MSI AWS CLI installer, and using `cmd` to execute. Replace `X` with your certificate name. `aws iam upload-server-certificate --server-certificate-name X --certificate-body file://cert.crt --private-key file://key.key --certificate-chain file://chain.crt --path /cloudfront/X/` – Patrick Seymour Apr 30 '14 at 17:22
  • 2
    Same problem on Linux, fixed with the file prefix. Stupid me for not reading the official docs, but rather reading a wonderfully misleading blog post. – Joseph Lust Jun 18 '14 at 03:48
  • 1
    Thank you, I was going absolutely bonkers until I found your answer. – svintus Sep 25 '14 at 17:50
  • 2
  • For every Mac user out there: the `file://` prefix should indeed be used before the certificate file name. For some reason, I thought this was necessary only on Windows. – Tudor Ravoiu Jan 20 '18 at 23:42
80

Just ran into the same exact issue: both the web console and the AWS CLI reported the same error about not being able to parse the certificate.

The error's root cause turned out to be in the private key -- converting my private key to an "RSA PRIVATE KEY" fixed the issue:

openssl rsa -in server.key -out server.key.rsa

Then, use the server.key.rsa in the private key field and leave the public cert as is.

Vikrum
  • 11
    Turned out to be the same issue here. Their error message is, to say the least, not too informative. Actually, it is bullshit. The key is valid, so it can be parsed, and it is in the format they require (PEM). But it has been generated with an algorithm they don't accept. – marekful Mar 04 '14 at 10:38
  • im getting `WARNING: can't open config file: /etc/pki/tls/openssl.cnf` – t q Mar 24 '14 at 15:29
  • 3
    It didn't solve it for me; the output file is exactly the same. – Tebam Nov 18 '14 at 15:53
  • This just gives me the error: `140186932995736:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: ANY PRIVATE KEY` – Cerin Mar 27 '19 at 17:43
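What the `openssl rsa` step in this answer actually does for an RSA key is unwrap the PKCS#8 `PRIVATE KEY` container (version, AlgorithmIdentifier, OCTET STRING) and re-emit the inner PKCS#1 `RSAPrivateKey` as an `RSA PRIVATE KEY` block; the key material itself is unchanged. The script below, added here as an illustration and not code from this thread or from AWS, does that unwrapping in pure Python so you can see the structure and check which of the two framings a key file has. The RSA parameters (p=61, q=53) are a constructed textbook example, not a usable key, and all function names are this example's own. One caveat worth knowing when the command above appears to do nothing: OpenSSL 3.x writes PKCS#8 by default, so pass `-traditional` to `openssl rsa` to get the PKCS#1 block.

```python
import base64

# ---- just enough DER to read/write PrivateKeyInfo and RSAPrivateKey ----
def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(value):
    """Positive INTEGER, with a leading 0x00 when the top bit is set."""
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def der_read(buf, pos=0):
    """Read one TLV starting at buf[pos]; return (tag, content, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption

def pkcs8_to_pkcs1(pkcs8_der):
    """PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier, privateKey OCTET STRING }.
    For rsaEncryption the OCTET STRING holds an RSAPrivateKey verbatim, so the
    'conversion' is just unwrapping (this is what openssl rsa does for RSA keys)."""
    tag, info, _ = der_read(pkcs8_der)
    if tag != 0x30:
        raise ValueError("PKCS#8 key must start with a SEQUENCE")
    tag_ver, version, pos = der_read(info)
    tag_alg, alg, pos = der_read(info, pos)
    tag_key, private_key, _ = der_read(info, pos)
    if not (tag_ver == 0x02 and tag_alg == 0x30 and tag_key == 0x04):
        raise ValueError("not a PrivateKeyInfo structure")
    if not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key; the load balancer upload wants RSA")
    return private_key

def wrap_pkcs8(pkcs1_der):
    """Inverse of pkcs8_to_pkcs1; used here only to build the demo input."""
    alg = der_tlv(0x30, RSA_OID + b"\x05\x00")  # rsaEncryption with NULL parameters
    return der_tlv(0x30, der_int(0) + alg + der_tlv(0x04, pkcs1_der))

def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def from_pem(text):
    lines = text.strip().splitlines()
    label = lines[0][len("-----BEGIN "):-len("-----")]
    return label, base64.b64decode("".join(lines[1:-1]))

def convert_key_for_aws(pem_text):
    """Return the key as an 'RSA PRIVATE KEY' (PKCS#1) block, or raise."""
    label, der = from_pem(pem_text)
    if label == "RSA PRIVATE KEY":
        return pem_text
    if label == "PRIVATE KEY":
        return to_pem("RSA PRIVATE KEY", pkcs8_to_pkcs1(der))
    raise ValueError(f"unsupported block {label!r}: decrypt or convert with openssl first")

def toy_rsa_private_key_der():
    """RSAPrivateKey with textbook p=61, q=53: a constructed demo value, NOT a usable key."""
    p, q, e, d = 61, 53, 17, 2753
    fields = [0, p * q, e, d, p, q, d % (p - 1), d % (q - 1), 38]  # 38 == q^-1 mod p
    return der_tlv(0x30, b"".join(der_int(v) for v in fields))

if __name__ == "__main__":
    pkcs8_pem = to_pem("PRIVATE KEY", wrap_pkcs8(toy_rsa_private_key_der()))
    print(pkcs8_pem)                        # the PKCS#8 framing that the upload rejects
    print(convert_key_for_aws(pkcs8_pem))   # the PKCS#1 framing the answer above produces
```

Only the outer framing changes; if your file already starts with `-----BEGIN RSA PRIVATE KEY-----`, this conversion is a no-op and the parse error is coming from somewhere else (see the other answers).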
1

I just spent the last hour struggling with this issue on the web console. For the sake of documentation, I would like to share what fixed the problem for me:

  1. Ensure all keys and certs are RSA (as demonstrated in Vikrum's answer)
  2. Ensure the ---- TEXT HERE ---- start and end labels are included in what you are uploading/copy-pasting into the web console
  3. My issue was: the RapidSSL certificates I'd purchased on Name.com, when copy-pasted into an Evernote note, had their newlines converted into spaces. I only realized this when I pasted the text into Vim and the monospaced text wasn't aligned properly. After a series of f, [space], a, [return] commands I'd fixed the file in Vi, and it now seems to be working. AWS's interface should be smart enough to recover from common errors such as this; nevertheless, this fixed the issue for me.

Hope this helps save an hour for somebody else :)

Angad
1

According to ZeroSSL's installation steps, you have to copy all the content of private.key after opening it in Notepad.

The private key must start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----

I did the same with certificate.crt, and the problem was solved; it saved successfully.

0

You might get this or a similar error if you get ahead of yourself and paste the CSR (Certificate Signing Request) .pem file into the AWS certificate console where you should be pasting a certificate .pem file.

The CSR file typically includes REQUEST in the first line:

-----BEGIN CERTIFICATE REQUEST-----

The certificate file does not:

-----BEGIN CERTIFICATE-----

David
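The remaining answers are all about the framing of the PEM text rather than its contents: the accepted answer's `file://` prefix (without it the CLI takes the path string itself as the PEM body), Angad's newlines-turned-spaces and missing `-----BEGIN/-----END` labels, the ZeroSSL answer's label requirement, and David's CSR-pasted-instead-of-certificate mistake. The pre-flight script below, added here as an illustration and not code from this thread or from AWS, catches each of those before you hit the console or the CLI, and repairs the whitespace damage without touching the certificate bytes. It checks PEM framing only, not X.509 or key contents; the sample payloads in `__main__` are constructed bytes; the `ENCRYPTED PRIVATE KEY` check goes beyond the thread (IAM needs an unencrypted key); and all function names are this example's own.

```python
import base64
import binascii
import re

# One PEM block: label in the BEGIN/END lines, base64 body in between.
# re.S lets the body span lines; it still matches when an editor or clipboard
# has replaced the newlines with spaces (the Evernote case above).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
BARE_BASE64 = re.compile(r"[A-Za-z0-9+/=\s]+")

def parse_pem(text):
    """Return [(label, der_bytes)] for every block in text.
    All whitespace inside a body is dropped before decoding, so CRLF, blank
    lines or newlines-turned-spaces are tolerated; any other junk makes
    b64decode(validate=True) raise binascii.Error."""
    return [(label, base64.b64decode(re.sub(r"\s+", "", body), validate=True))
            for label, body in PEM_BLOCK.findall(text)]

def to_pem(label, der):
    """Canonical PEM layout: 64-column base64 lines, LF line endings."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def normalize_pem(text):
    """Re-emit every block found in text in canonical layout (repairs the
    space-for-newline damage without changing the certificate bytes)."""
    return "".join(to_pem(label, der) for label, der in parse_pem(text))

def check_server_cert_inputs(cert_text, key_text, chain_text=""):
    """Pre-flight the three inputs of upload-server-certificate. Returns a
    list of problems; empty means the framing is what the answers above say
    IAM/ELB accept. X.509 and key contents are NOT parsed here."""
    try:
        certs = parse_pem(cert_text)
        keys = parse_pem(key_text)
        chain = parse_pem(chain_text)
    except binascii.Error as exc:
        return [f"a PEM body is not valid base64 ({exc}); re-copy the file as text"]
    problems = []

    if not certs:
        hint = ("labels missing: add -----BEGIN CERTIFICATE-----/-----END CERTIFICATE-----"
                if BARE_BASE64.fullmatch(cert_text.strip()) else "no PEM block found")
        problems.append("certificate body: " + hint)
    elif certs[0][0] == "CERTIFICATE REQUEST":
        problems.append("certificate body: this is a CSR, paste the issued certificate instead")
    elif certs[0][0] != "CERTIFICATE":
        problems.append(f"certificate body: unexpected block {certs[0][0]!r}")

    if len(keys) != 1:
        problems.append(f"private key: expected exactly one PEM block, found {len(keys)}")
    elif keys[0][0] == "PRIVATE KEY":
        problems.append("private key: PKCS#8 block; convert with: openssl rsa -in server.key -out server.key.rsa")
    elif keys[0][0] == "ENCRYPTED PRIVATE KEY":
        problems.append("private key: passphrase-protected; export an unencrypted RSA PRIVATE KEY first")
    elif keys[0][0] != "RSA PRIVATE KEY":
        problems.append(f"private key: {keys[0][0]!r} is not an RSA PRIVATE KEY")

    if chain_text and (not chain or any(label != "CERTIFICATE" for label, _ in chain)):
        problems.append("certificate chain: every block must be a CERTIFICATE")
    return problems

def upload_argv(name, cert_path, key_path, chain_path=None, iam_path=None):
    """argv for the CLI call from the accepted answer. Every file argument
    carries the file:// prefix; without it the CLI treats the path string
    itself as the PEM text, which is exactly the 'unable to parse' failure."""
    argv = ["aws", "iam", "upload-server-certificate",
            "--server-certificate-name", name,
            "--certificate-body", "file://" + cert_path,
            "--private-key", "file://" + key_path]
    if chain_path:
        argv += ["--certificate-chain", "file://" + chain_path]
    if iam_path:
        argv += ["--path", iam_path]
    return argv

if __name__ == "__main__":
    # Constructed payload: the linter checks framing only, so any bytes will do.
    demo = to_pem("CERTIFICATE", bytes(range(200)))
    flattened = demo.replace("\n", " ")  # what the clipboard did in Angad's case
    assert normalize_pem(flattened) == demo
    print(check_server_cert_inputs(to_pem("CERTIFICATE REQUEST", b"\x30\x00"),
                                   to_pem("PRIVATE KEY", b"\x30\x00")))
    print(" ".join(upload_argv("X", "cert.crt", "key.key", "chain.crt", "/cloudfront/X/")))
```

Run the check on the exact files you are about to pass to the CLI or paste into the console; if it comes back empty and the upload still fails, the problem is in the certificate or key contents (wrong key for the certificate, unsupported algorithm), which this framing check deliberately does not cover.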