I am using LDAP authentication in Tomcat, but I'm getting this exception:

    SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-4001"]
    java.lang.Exception: Unable to load certificate key C:/Usersuser/Documents/SSLcertificate/mycertfilepem.pem (error:0909006C:PEM routines:get_name:no start line)

    SEVERE: Failed to initialize connector [Connector[HTTP/1.1-4001]]
    org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-4001]]
    Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
    Caused by: java.lang.Exception: Unable to load certificate key C:/Users/user/Documents/SSLcertificate/mycertfilepem.pem (error:0909006C:PEM routines:get_name:no start line)

I have no clue what this means despite searching for it. I referred to "OpenSSL: PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE", but the error is a bit different from the one I'm facing. I used the command

    openssl s_client -showcerts -connect server-domain.com:3269 >C:\Users\user\Documents\SSLcertificate\mycertfile.pem

to import the SSL certificate from the LDAP server to my local machine. When I use this SSL certificate for LDAP authentication through a Java program it works, but when I use it for LDAP authentication through Tomcat I'm getting the exception `error:0909006C:PEM routines:get_name:no start line`.

The SSL certificate looks something like this:

    CONNECTED(000002B8)
    ---
    Certificate chain
     0 s:/CN=domain1.corp.regn.net
       i:/DC=net/DC=regn/DC=corp/CN=domain1
    -----BEGIN CERTIFICATE-----
    MIIGfjCCBWagAwIBAgITYgAAIET2TOp0vhL5/wAAAAAgRDANBgkqhkiG9w0BAQsF
    ADBaMRMwEQYKCZImiZPyLGQBGRYDbmV0MRQwEgYKCZImiZPyLGQBGRYEcmVnbjEV
    ...
    YrArO/SbuQwdEFSFGUKT3/QB400arvKDyFPOerw9FgN4wc+ZUu9/CyyJg4z5gQur
    wz249UBs7lh6voouY94vdPOrH2qPWS+WhM7w8dDH6qQjrnQdH9AttWqeLCUnIx1b
    giuBuJLObfjy9pOvY/nmeosgDS3/o7E2C0/oWUNAMt79/A==
    -----END CERTIFICATE-----
     1 s:/DC=net/DC=regn/DC=corp/CN=domain1
       i:/DC=net/DC=regn/CN=domain2
    -----BEGIN CERTIFICATE-----
    MIIHcjCCBVqgAwIBAgITNwAAAAlMh9zQLi9kJwAAAAAACTANBgkqhkiG9w0BAQsF
    ADBDMRMwEQYKCZImiZPyLGQBGRYDbmV0MRQwEgYKCZImiZPyLGQBGRYEcmVnbjEW
    MBQGA1UEAxMNTkFQREEyUEtJUDAzNjAeFw0xOTAxMjMyMDU2NTJaFw0yNDAxMjMy
    ......

    hnTXXvt0puYpZcVbnO6+WwGCQ5qzXmJUXVLUUOeZUvoY4D/l+qXqQpTZSP2MpF21
    9x9VaB6kiBRfNMW5fWCz2t9pdWzbUPMKa8s5K+yXpZCQbDmfUf4=
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/CN=doamin.corp.regn.net
    issuer=/DC=net/DC=regn/DC=legal/CN=domain
    ---
    Acceptable client certificate CA names
    /CN=domain1.corp.regn.net
    /CN=Azure ATP Sensor
    ..
    /DC=com/DC=microsoft/CN=Certificate Authority
    /CN=NT AUTHORITY
    Client Certificate Types: RSA sign, DSA sign, ECDSA sign
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 6467 bytes and written 454 bytes
    ---
    New, TLSv1/SSLv3, Cipher is d23r2r2r
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : #####
        Session-ID: d23e232f
        Session-ID-ctx: 
        Master-Key: ####
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1565104395
        Timeout   : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    ---

The Connector in Tomcat's server.xml file is:

    <Connector port="4001" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" URIEncoding="UTF-8"
               clientAuth="true"
               SSLEnabled="true"
               secure="true"
               SSLCertificateFile="C:/Users/user/Documents/SSLcertificate/mycertfilepem.pem"
               keystoreFile="C:/Program Files/Java/jdk1.8.0_212/jre/lib/security/cacerts"
               keystorePass="changeit"
               />

Rosily
  • @ChristopherSchultz the link goes directly to a page "This has been removed by author". – Patrick Mevzek Aug 08 '19 at 15:13
  • "no start line" typically means the file is not formatted as expected, and basically does not contain what it should. `C:/Usersuser/Documents/SSLcertificate/mycertfilepem.pem` has to start with `-----BEGIN PRIVATE KEY-----` since you use it as a key. But based on its name it is probably more of a certificate. You are probably mixing certificates and keys. – Patrick Mevzek Aug 08 '19 at 15:14
  • @PatrickMevzek But when I use this certificate in my Java program which uses LDAP authentication, it works. I'm getting this error in Tomcat. – Rosily Aug 08 '19 at 16:16
  • You are probably missing a `SSLCertificateKeyFile` parameter in your connector. – Patrick Mevzek Aug 08 '19 at 16:18
  • @PatrickMevzek I'm pointing out that another user posted the exact same question recently, then deleted it. Looks like someone is playing games with SO users. Both users had 1 reputation. – Christopher Schultz Aug 09 '19 at 01:22
  • @PatrickMevzek So in `SSLCertificateFile` I need to give the path of the SSL certificate that I imported from the server, and in `SSLCertificateKeyFile` I should be giving the path of a private key? I'm not sure where to get this private key from. But then again, why wasn't the key required when I used it in Java? For Java I just imported the SSL certificate into the Java keystore, and in my program I gave the path and password of the keystore. And that's it. It worked. – Rosily Aug 09 '19 at 06:36
  • @PatrickMevzek I now extracted the public key from my SSL certificate by using the command `openssl x509 -pubkey -noout -in C:\User\Documents\SSLcertificate\mycertfilepem.pem > C:\User\Documents\SSLcertificate\mycertfilePUBKEY.pem`. But in the command prompt, when I run `openssl x509 -text -inform DER -in C:\Users\MOHANSAX\Documents\SSLcertificate\mycertfilePUBKEY.pem` it shows: `unable to load certificate 18176:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1220: 18176:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:386:Type=X509` – Rosily Aug 09 '19 at 10:44
  • A certificate cannot work without its associated private key. They are two linked pieces of information. Sometimes both are stored in the same file, sometimes in separate files. The private key file is generated at the same time as the certificate. – Patrick Mevzek Aug 09 '19 at 14:02
  • @PatrickMevzek I found out the problem. In order to enable ldap authentication in Tomcat, I do not require Connector port, as my machine is just an ldap client and not server. JNDI realm configuration is enough. Thank you for your time Patrick! – Rosily Aug 12 '19 at 14:25
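As an added example that is not from the question or the comments, here is a small Python check of what Patrick Mevzek describes: scan a PEM file for `-----BEGIN ...-----`/`-----END ...-----` blocks and report whether any of them is a private key, which is what an OpenSSL-backed connector expects behind `SSLCertificateKeyFile`. The inputs are constructed stand-ins for an `s_client -showcerts` capture and for a key file; the base64 bodies are not real certificate or key material.

```python
import base64
import binascii
import re

# Labels OpenSSL accepts when it is asked to load a private key.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# One PEM block. Text outside the BEGIN/END markers (s_client chatter such as
# "CONNECTED", "Certificate chain", subject lines) is skipped, as OpenSSL skips it.
_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every decodable PEM block in text."""
    blocks = []
    for match in _BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            continue  # truncated or garbled body ("...." in a copy-paste): not loadable
        blocks.append((label, der))
    return blocks


def diagnose_key_file(text):
    """Emulate the lookup behind 'get_name:no start line': OpenSSL skips every
    block whose label is not a key label and fails when it reaches end of file."""
    labels = [label for label, _ in pem_blocks(text)]
    if any(label in KEY_LABELS for label in labels):
        return True, "private key block found"
    found = ", ".join(f"{labels.count(l)}x {l}" for l in sorted(set(labels)))
    return False, f"no start line for a private key; file holds: {found or 'no PEM blocks'}"


# Constructed stand-in for `openssl s_client -showcerts` output redirected to a
# file: handshake chatter plus the server and issuer certificates, but no key.
FAKE_DER = base64.b64encode(b"constructed bytes, not a real certificate").decode()
S_CLIENT_CAPTURE = f"""CONNECTED(000002B8)
Certificate chain
 0 s:/CN=ldap.example.internal
-----BEGIN CERTIFICATE-----
{FAKE_DER}
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
{FAKE_DER}
-----END CERTIFICATE-----
Verify return code: 20 (unable to get local issuer certificate)
"""
# Constructed stand-in for the key file generated together with a CSR.
KEY_FILE = f"-----BEGIN PRIVATE KEY-----\n{FAKE_DER}\n-----END PRIVATE KEY-----\n"
```

Running `diagnose_key_file` over the capture reports two CERTIFICATE blocks and no key, which is the same failure Tomcat's APR connector surfaces as "no start line".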
