NGINX HTTPS Server barfing on .crt and .key files


Question:

Is there anything special about the way nginx wants its .pem/.crt and .key files formatted? I can't get nginx running... it always craps out complaining about the cert/key file.

Ask:

Anyone want to share with me a (sanitized) copy of their .pem/.crt and .key file on a (non-production) system that is working fine? Or otherwise tell me what I am doing wrong (see below).

Errors:

After configuring nginx.conf to point to ssltest.cuddletech.com.crt and depositing the .crt (and key) file in /nginx/servers... and then running nginx to start the server, I get the following error:

nginx: [emerg] unexpected end of file, expecting ";" or "}" in /usr/local/etc/nginx/servers/ssltest.cuddletech.com.crt:63

Troubleshooting:

If I go in and put a ; at the end of the file (right after the second -----END CERTIFICATE-----; it's a bundle containing both the leaf and the intermediate CA), it no longer complains about the unexpected end, but rather complains:

nginx: [emerg] unknown directive "-----BEGIN" in /usr/local/etc/nginx/servers/ssltest.cuddletech.com.crt:62

If I then go in and delete the -----BEGIN part, it continues to complain about the unknown directive... this time starting with the first few characters of the encoded cert.

Interestingly, if I change the file type to .pem (keeping the ; at the end) and update nginx.conf to look for the .pem, it no longer complains at all about the certificate file, but rather starts complaining the same way about the KEY file:

nginx: [emerg] unexpected end of file, expecting ";" or "}" in /usr/local/etc/nginx/servers/ssltest.cuddletech.com.key:28

Putting the ; or } at the end of the .key file makes nginx complain:

nginx: [emerg] unknown directive "-----BEGIN" in /usr/local/etc/nginx/servers/ssltest.cuddletech.com.key:27

Also interesting is that both times it complains about the -----BEGIN it indicates a line number at the end of the file, not at the beginning.

How I Generated The Cert and Key files:

I generated the cert using Hashicorp's Vault PKI backend (per this howto).

I cut and pasted the leaf and intermediate cert into one file and the private key into another file.

They look like this:

Certificate bundle:

-----BEGIN CERTIFICATE-----
MIIE/DCCAuSgAwIBAgIUIKX6kkLIidtRvnx0nafFH9SunaIwDQYJKoZIhvc
NAQELBQAwKTEnMCGA1UEAxMeQ3VkZGxldGVjaCBPcHMgSW50ZXJtZWRpYXRlIENBMB4X
DTE3MDkwOTAwMTgxNVoXDTE3MTAwOTAwMTg0NVowITEfMB0GA1UEAxMWc3NsdGVz
.... 
NW9I2ThBDp0uo7LcIO7hmHhNun6apGSlgf6Gj1L63dp
Fe+hoQpCNOGfoc2P+4uJZenqiax5dFqskiBVkQ7uyVFxf5ydF5pjzwF/QFFcKKok
SkRjCJmrVxD/7V6H8u+hSRJuXGXNIIuhhUmYhWoNZpnZEUyDPOuMWHjxq7ZfPHlO
A039BhLFI0msEBfk+DunhYA+xyBIhK0Lq3pqcc7zH9A=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFpTCCA42gAwIBAgIUbXR6po8/oWmxgTVYuhxHDAM1prUwDQYJKoZIhvcNAQEL
BQAwHTEbMBkGA1UEAxMSQ3VkZGxldGVjaCBSb290IENBMB4XDTE3MDkwODIyNTI0
OFoXDTE4MDkwODIyNTMxOFowKTEnMCUGA1UEAxMeQ3VkZGxldGVjaCBPcHMgSW50
.....
ZXJtZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwuTe
h9gpV4RcibYNOptsDJHomUZaEkRs3ppGt1asnM5os7L17ExFS8PLSY0SbhB75Vo1
TLlgH2MkDGHbw5bcgY0fYXvKqk1y6JjLFBnmiGHe8mHt9XaWkbnwP/E7CttGr2GC
SaT7RxDN2pHXceTnmLOiz0Dk1ZpssldMVD1MQeSQspuBp9s2sWfXtkrLluPLOZH0
C1WXl+H/7giQggXPmMVLhnxPaaAwU0DNX0IZjzE1fqazBbrx36n7baVdUgRczkD2
Xiht8pnAdbUFdp8byeupDkPJ2vLyMLocvSO6z1m4+drXlgFPBLSgKXGvnw5A8b+S
dqKRe55MBNxpws0E4OjMVwVXlMctcLCogmx6jFYjWSJUQgKLHCi2JVWW6ajlKOfV
Gn/opA11kWKb
-----END CERTIFICATE-----

The Private Key file:

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAyWnbF5T5vIlrcVHG82S+u/GESnlhAiX6maUYmpQMVOGsmjWr
XOKFGQbFW796FgENrt1PzXlYT8/aKyT215KomxkC4bWV0daobC5p+fzusVyV51Si
.....
smzFwxewOYa4FU3KGgRlscBooaRumwpXid3IPwfsBzOCdNQ8zXyaqSZeStewxUBq
ZtMEDpD3q7noZQU85cQs4SlbOOscXEUMUaeKQDhC2FWW9qlM5NKU
-----END RSA PRIVATE KEY-----

The HTTPS server section of nginx.conf

# HTTPS server
#
server {
    listen       443 ssl;
    server_name  ssltest.cuddletech.com;

    ssl_certificate      /usr/local/etc/nginx/servers/ssltest.cuddletech.com.pem;
    ssl_certificate_key  /usr/local/etc/nginx/servers/ssltest.cuddletech.com.key;

#    ssl_session_cache    shared:SSL:1m;
#    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
#    ssl_prefer_server_ciphers  on;

    location / {
        root  /user/share/nginx/html;
        index  index.html index.htm;
    }
}
include servers/*;
}

My Set-up:

Mac OS X 10.12.6
nginx version: nginx/1.12.1
built by clang 8.1.0 (clang-802.0.42)
built with OpenSSL 1.1.0f 25 May 2017
TLS SNI support enabled

TIA for any advice!!!


Best Answer:

Your problem is the include servers/*; statement. You are including everything in the servers directory as config. So the certificates also are being loaded as config.

Either change it to

include servers/*.conf;

Or remove it if there are no configs you are including.
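The following script is an added example and is not part of the original question or answer. It rebuilds the situation on a throwaway config prefix (same servers/ directory and file names as the question, with placeholder PEM bodies rather than real certificates or keys) and lists which files an include directive's glob would read, first with the question's servers/* and then with the answer's servers/*.conf. The helper names (make_demo_prefix, files_matched, count_matched, stray_includes) are this example's own; the glob resolution mirrors how nginx resolves a relative include path against its config prefix, which is the only nginx behaviour the check depends on.

```shell
#!/bin/sh
# Added example, not from the original question or answer: reproduce the
# include-glob mistake on a constructed config prefix and show which files
# each pattern pulls in. File names mirror the question; the PEM contents
# are placeholders, not real certificates or keys.
set -eu

# Build a throwaway config prefix with a servers/ directory holding a .conf,
# a .pem bundle and a .key, the mix the question describes. Prints the path.
make_demo_prefix() {
    prefix=$(mktemp -d)
    mkdir "$prefix/servers"
    printf 'server {\n    listen 443 ssl;\n    server_name ssltest.cuddletech.com;\n}\n' \
        > "$prefix/servers/ssltest.cuddletech.com.conf"
    printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n' \
        > "$prefix/servers/ssltest.cuddletech.com.pem"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n' \
        > "$prefix/servers/ssltest.cuddletech.com.key"
    printf '%s\n' "$prefix"
}

# files_matched PREFIX PATTERN: list, one per line, the files that
# "include PATTERN;" would read, expanding the glob relative to PREFIX the
# way nginx expands a relative include path against its config prefix.
files_matched() {
    ( cd "$1" && for f in $2; do
          if [ -e "$f" ]; then printf '%s\n' "$f"; fi
      done )
}

# count_matched PREFIX PATTERN: number of files the include would read.
count_matched() {
    files_matched "$1" "$2" | wc -l | tr -d ' '
}

# stray_includes PREFIX PATTERN: print every matched file that is not a .conf.
# Each of these would be parsed as nginx directives, which is what produced
# the 'unknown directive "-----BEGIN"' errors. Exit status 0 only if none.
stray_includes() {
    n=0
    for f in $(files_matched "$1" "$2"); do
        case "$f" in
            *.conf) ;;
            *) printf '%s\n' "$f"; n=$((n + 1)) ;;
        esac
    done
    [ "$n" -eq 0 ]
}

# Stand-alone demo: the question's include next to the answer's fix.
p=$(make_demo_prefix)
echo "include servers/*;      would read:"; files_matched "$p" 'servers/*'
echo "include servers/*.conf; would read:"; files_matched "$p" 'servers/*.conf'
if stray_includes "$p" 'servers/*' >/dev/null; then
    echo "servers/* is safe"
else
    echo "servers/* pulls non-config files into the parser (see list above)"
fi
rm -rf "$p"
```

Running stray_includes against the real prefix (for the question's build, /usr/local/etc/nginx with the pattern from the include line) is a quick pre-flight before nginx -t, and it is worth keeping in mind that the parse error quotes the offending token, so a key file swept into the config parser can end up with the start of its base64 body in the error output; keeping the glob restricted to *.conf, or keeping certificates and keys out of the included directory, avoids both the startup failure and that leak.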