PEM_read_bio: bad end line error after TLS 1.2 upgrade

Issue Description:

To configure TLS 1.2 with EBS 12.1.3, we need to generate a CSR and request a CA-signed SHA2 certificate. Once we receive the server certificate and certificate chain files from the CA, we need to merge them to create a certificate file for OPMN using the command below:

cat server.crt intermediate.crt ca.crt > opmn.crt

Then opmn.crt needs to be placed in the $INST_TOP/certs/Apache directory along with the files server.key, new.csr, server.crt, intermediate.crt and ca.crt.

After the above step and the rest of the TLS configuration steps were performed, we encountered the issue below while starting the EBS services:

Starting OPMN managed Oracle HTTP Server (OHS) instance …
sslSecureInit: SSL_CTX_use_certificate_chain_file($INST_TOP/certs/Apache/server.key): failed
4149028608:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:805:
4149028608:error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib:ssl_rsa.c:708:
opmnctl: opmn start failed.
opmnctl: opmn is not running.

On reviewing the log $INST_TOP/logs/appl/admin/log/adopmnctl.txt and each of the individual certificates, I noticed that the opmn.crt file had some junk characters like ^M, and the certificate separator markers were together on the same line, as below, instead of on separate lines:

-----END CERTIFICATE----------BEGIN CERTIFICATE-----

This caused the error while starting opmn.

Resolution:

We need to separate the lines with line breaks, as shown below. That will also take care of the ^M characters.

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

So, I manually copied the contents of the certificates (server.crt, intermediate.crt, ca.crt) into a notepad, merged them one after another, and copied the merged contents into opmn.crt on the server.

Finally, I was able to start the opmn services without any issue.
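A scripted alternative to merging by hand, as an added example that is not part of the original post: plain cat joins files byte for byte, so an input without a final newline produces the fused END/BEGIN line, and Windows line endings appear as ^M. The function names (normalize_pem, check_pem, build_bundle, demo) are hypothetical and the sample certificates are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data is constructed.

# Print one certificate file with CRs removed, fused END/BEGIN markers split,
# and a final newline guaranteed (awk terminates every record it prints).
normalize_pem() {
    tr -d '\r' < "$1" | awk '
        BEGIN { e = "-----END CERTIFICATE-----"; b = "-----BEGIN CERTIFICATE-----" }
        { gsub(e b, e "\n" b); print }'
}

# Return 0 if clean; 1 = CR (^M) present, 2 = a marker is not alone on its
# line, 3 = no certificates or unbalanced BEGIN/END markers.
check_pem() {
    cr=$(printf '\r')
    if grep -q "$cr" "$1"; then return 1; fi
    if grep -e '-----' "$1" | grep -Evq '^-----(BEGIN|END) CERTIFICATE-----$'; then
        return 2
    fi
    nb=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ne=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    [ "$nb" -gt 0 ] && [ "$nb" -eq "$ne" ] || return 3
}

# build_bundle OUT IN...: join normalized inputs; install OUT only if clean.
build_bundle() {
    out=$1; shift
    : > "$out.tmp"
    for f in "$@"; do normalize_pem "$f" >> "$out.tmp"; done
    if check_pem "$out.tmp"; then mv "$out.tmp" "$out"; else rm -f "$out.tmp"; return 1; fi
}

# Demo: a CRLF file with no final newline reproduces the fault under plain cat.
demo() {
    d=$(mktemp -d)
    printf '%s\r\n%s\r\n%s' '-----BEGIN CERTIFICATE-----' 'QUFBQQ==' '-----END CERTIFICATE-----' > "$d/server.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QkJCQg==' '-----END CERTIFICATE-----' > "$d/ca.crt"
    cat "$d/server.crt" "$d/ca.crt" > "$d/naive.crt"
    naive=0; check_pem "$d/naive.crt" || naive=$?
    fixed=0; build_bundle "$d/opmn.crt" "$d/server.crt" "$d/ca.crt" || fixed=$?
    echo "naive cat: check_pem=$naive; build_bundle: status=$fixed"
    rm -rf "$d"
}
demo
```

The check is structural only: it confirms line endings and marker placement, not that the certificates are valid or in the right chain order.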

Published by Indraneil Seal
