Keywords: Nginx | SSL certificate | CSR | CRT | OpenSSL
Abstract: This article analyses a common PEM reading error seen when configuring SSL certificates in Nginx: a Certificate Signing Request (CSR) file being used in place of a signed certificate (CRT). Based on Q&A data, it explains SSL certificate principles, the distinction between CSR and CRT, and practical ways to verify certificate files with the OpenSSL tools. By walking through the error messages step by step, it helps readers understand certificate chain structure, PEM file format requirements, and Nginx configuration best practices, so that failures caused by mixing up files can be avoided.
Problem Background and Error Symptoms
When configuring Nginx for HTTPS, a user received SSL.CSR and SSL.KEY files, converted their line endings with dos2unix, renamed the CSR to mywebsite.crt and the KEY to mywebsite.key, and edited nginx.conf to enable SSL. On restarting Nginx, the following error appeared: nginx: [emerg] PEM_read_bio_X509_AUX("/etc/nginx/mywebsite.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE). After the user tried to work around this by deleting the word "REQUEST" from the file's markers, Nginx reported more complex ASN1 encoding errors instead.
Core Issue Analysis
The root cause is file type confusion: the user has a Certificate Signing Request (CSR), not a signed certificate (CRT). A CSR begins with -----BEGIN CERTIFICATE REQUEST----- and contains the public key and subject information to be submitted to a Certificate Authority (CA). A CRT begins with -----BEGIN CERTIFICATE----- and contains the full certificate signed by the CA. Nginx expects the latter, so handing it a CSR produces the PEM "no start line" error; renaming the markers does not help, because the DER payload inside is still a request, which is why the ASN1 errors followed.
SSL Certificate Principles and Configuration Workflow
SSL/TLS certificates are based on Public Key Infrastructure (PKI) and involve a key pair: the private key (KEY) is kept secret, while the public key is embedded in the CSR. The correct workflow is to generate a private key and a CSR, submit the CSR to a CA, and receive a signed CRT file once validation succeeds. In the Nginx configuration, ssl_certificate must point to the CRT and ssl_certificate_key to the private KEY. Pointing ssl_certificate at the CSR is what caused the user's configuration to fail.
Error Handling and Verification Methods
As the supplementary answers recommend, verify the files with OpenSSL: openssl x509 -noout -text -in your.crt parses and prints the certificate (it will fail on a CSR), and openssl rsa -noout -text -in your.key validates the private key. Parsing errors can also occur if the CRT file's BEGIN/END markers are malformed (for example, only 4 dashes instead of 5) or if the file does not end with a newline. For certificate chains, make sure the CRT file contains each certificate complete and in order, so that concatenating them does not corrupt the format.
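As an added example (not code from the Q&A or from Nginx), the Python pre-check below reads a PEM file the way the ssl_certificate directive will see it: it reports the block labels (CERTIFICATE REQUEST versus CERTIFICATE), counts chain entries, flags BEGIN/END lines with the wrong number of dashes and a missing final newline, and confirms each body is base64 that decodes to a DER SEQUENCE. The sample files are constructed with a minimal DER body; run openssl x509 on the real file for the full check.

```python
import base64
import re

# A well-formed PEM block: exactly five dashes around BEGIN/END, matching labels.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)
# Any line that looks like a marker, even with the wrong number of dashes.
_MARKER_LINE = re.compile(r"-+(BEGIN|END) ")
_GOOD_MARKER = re.compile(r"-----(BEGIN|END) [A-Z ]+-----")


def inspect_pem(text):
    """Report what a PEM file contains and whether nginx could load it as a CRT."""
    labels, der_ok = [], True
    for m in _PEM_BLOCK.finditer(text):
        labels.append(m.group(1))
        body = re.sub(r"\s+", "", m.group(2))
        try:
            raw = base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            der_ok = False
            continue
        # Certificates and CSRs are both DER SEQUENCEs, so the first byte is 0x30.
        if not raw or raw[0] != 0x30:
            der_ok = False
    # Marker lines with four (or six) dashes are the "no start line" case.
    bad_markers = [ln.strip() for ln in text.splitlines()
                   if _MARKER_LINE.search(ln) and not _GOOD_MARKER.fullmatch(ln.strip())]
    ends_with_newline = text.endswith("\n")
    return {
        "labels": labels,
        "is_csr": "CERTIFICATE REQUEST" in labels,
        "certificate_count": labels.count("CERTIFICATE"),
        "bad_markers": bad_markers,
        "ends_with_newline": ends_with_newline,
        "der_ok": der_ok,
        # Only a file made solely of well-formed CERTIFICATE blocks belongs in ssl_certificate.
        "nginx_ready": bool(labels) and all(l == "CERTIFICATE" for l in labels)
                       and not bad_markers and der_ok and ends_with_newline,
    }


# Constructed samples: "MAMCAQU=" is base64 of DER SEQUENCE { INTEGER 5 }, not a real cert.
CSR_SAMPLE = "-----BEGIN CERTIFICATE REQUEST-----\nMAMCAQU=\n-----END CERTIFICATE REQUEST-----\n"
CRT_SAMPLE = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
CHAIN_SAMPLE = CRT_SAMPLE * 2                      # server cert followed by one intermediate
BAD_DASHES_SAMPLE = CRT_SAMPLE.replace("-----", "----")  # the 4-dash marker case
NO_NEWLINE_SAMPLE = CRT_SAMPLE.rstrip("\n")        # missing final newline
```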
Security Recommendations and Best Practices
The private key (KEY) must be kept strictly confidential and never shared publicly. As noted in the Q&A, the user posted the private key's contents in the question, so it must be treated as compromised and the key pair regenerated. When configuring Nginx, set restrictive file permissions (for example, the KEY file readable only by root) and run nginx -t to test the configuration before restarting. Renew certificates before they expire to avoid service disruption.
Conclusion
Nginx SSL configuration failures often stem from mixed-up files or format errors. Understanding the distinction between CSR and CRT is essential: a CSR is a request file, while a CRT is a signed certificate. By checking file integrity with the OpenSSL tools and following the security practices above, these common errors can be avoided. Based on a real-world case, this article gives systematic guidance from error diagnosis to resolution to help users achieve a secure HTTPS deployment.