Node.js https pem error: error:0906D06C:PEM routines:PEM_read_bio:no start line

Question

I got these files from the Certificate Authority:

• domain.com.p7b
• domain.com.crt
• domain.com.ca-bundle

And I tried this little code:

var express = require('express');
var app = express();
var fs = require("fs");
var https = require('https');

var privateKey = fs.readFileSync('domain.com.p7b').toString();
var certificate = fs.readFileSync('domain.com.crt').toString();
var ca_bundle = fs.readFileSync('domain.com.ca-bundle').toString();

var credentials = { key: privateKey, 
                    ca : ca_bundle,
                    cert: certificate};
                                    

https.createServer(credentials,app).listen(8080, function () {
    console.log('Example app listening on port 8080!');
});

After start script, I get the following error:

(err):     at Object.createSecureContext (_tls_common.js:87:19)
(err):     at Server (_tls_wrap.js:721:25)
(err):     at new Server (https.js:17:14)
(err):     at Object.exports.createServer (https.js:37:10)
(err):     at Object.<anonymous> (/utec_temp/https/web.js:27:7)
(err):     at Module._compile (module.js:435:26)
(err):     at Object.Module._extensions..js (module.js:442:10)
(err):     at Module.load (module.js:356:32)
(err):     at Function.Module._load (module.js:311:12)
(err): Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
(err):     at Error (native)
(err):     at Object.createSecureContext (_tls_common.js:87:19)
(err):     at Server (_tls_wrap.js:721:25)
(err):     at new Server (https.js:17:14)
(err):     at Object.exports.createServer (https.js:37:10)
(err):     at Object.<anonymous> (/utec_temp/https/web.js:27:7)
(err):     at Module._compile (module.js:435:26)
(err):     at Object.Module._extensions..js (module.js:442:10)
(err):     at Module.load (module.js:356:32)
(err):     at Function.Module._load (module.js:311:12)

All the examples on google uses self-signed certificates , but what happen when I need to work in a real environment?

My little code works in development with self signed keys , following this example:

• https://stackoverflow.com/a/24283204/3957754

I researched and I found this:

• https://www.namecheap.com/support/knowledgebase/article.aspx/9705/0/nodejs
• http://www.backwardcompatible.net/155-Setting-up-real-SSL-Nodejs-Express
• Node.js https pem error: routines:PEM_read_bio:no start line

but I could not correct the error.

Also I reduced to one file :

var credentials = {cert: certificate};      

And the error is the same. So I thought that maybe is a format error when I move these certificates from windows to unix. I used dos2unix tool and the error is the same.

My node version is 4.4.7

Any help is appreciated.

Thanks in advance!

Answer 1

Explanation

I little late but I hope this helps.

If someone have work with these files : pb7, crt,ca-bundle and have this error:

error:0906D06C:PEM routines:PEM_read_bio:no start line

This would mean that these files are wrong, corrupt or was requested for another environments (windows for example) as this post says:https://serverfault.com/a/317038

So the solution in my case was request for a new certificates and in the specifications , I put the following:

• Linux compatibility

Also is important save the private key with which the csr was created and sent to the certificator provider(I called initial.key).

Example http://www.backwardcompatible.net/155-Setting-up-real-SSL-Nodejs-Express

Finally , your provider will send you a zip with several files. You only need a .crt file for your node app:

var privateKey = fs.readFileSync('/some/folder/initial.key').toString();
var certificate = fs.readFileSync('/some/folder/certificate.crt').toString();
var credentials = {key: privateKey, cert: certificate};

Note : certificate.ca-bundle and certificate.crt files must be sent by certificator provider.

Advice

When you are working with https certificates, domains or subdomains, you should not use or configure the app directly with certificates.

Node.js, java, python and other languages has libraries to publish secure endpoint with https. This is achieved loading manually your purchased or self-signed certificates. This works, but this should be the last option to do it.

For example : Development team will have problems to star up the application, because the source code needs directly the certificates and other configurations. Deployment on testing will need specific certificates, etc

For a clean, maintainable and scalable architecture, and following the pattern separation of concerns (SoC) DONT MODIFY YOUR SOURCE CODE and leave this work or complexity to apache , nginx, haproxy, aws elb or some load balancer.

Here some samples of how enable https in another layer, not in the application:

apache 2.2 example

SSLCertificateFile /some/folder/certificate.crt
SSLCertificateKeyFile /some/folder/initial.key
SSLCertificateChainFile /some/folder/certificate.ca-bundle

nginx example

server {

  listen   443;

  ssl    on;
  ssl_certificate       /etc/ssl/your_domain_name.pem; (or bundle.crt)
  ssl_certificate_key   /etc/ssl/your_domain_name.key;

  server_name your.domain.com;
  ...

}

This kind of complexity must be transparent for the development team and should be managed by sysadmin,infrastructure or another teams related to networks of your company.