curl: (58) unable to set private key file: 'dave.pem' type PEM
from my Ansible/Python code, whilst attempting to use a PEM certificate that I'd generated myself: -
Generate Private Key
openssl genrsa -out key.pem 2048
Generate Certificate Service Request
openssl req -subj '/C=GB/O=IBM/CN=davehay' -new -key key.pem -out csr.pem
Generate Personal Certificate
openssl x509 -req -days 9999 -in csr.pem -signkey key.pem -out cert.pem
Having munged the key and certificate into a single PEM file: -
cat key.pem cert.pem > dave.pem
I found that my Python code was then validating the private key within dave.pem : -
cert_pkey.split('-----BEGIN PRIVATE KEY-----')
which meant that it was failing ...
Simple solution, right ?
Yeah, I edited dave.pem to remove the characters RSA from the PEM file: -
sed -i '' 's/RSA //g' dave.pem
Problem solved, right ?
NAH!!
My code, which uses cURL under the covers, then failed with: -
curl: (58) unable to set private key file: 'dave.pem' type PEM
This blog post: -
described how one can validate the private key and its certificate: -
openssl x509 -noout -modulus -in dave.pem | openssl md5
which returns a MD5 checksum: -
0d6b9d546ff1b65284ec32096bea2904
and: -
openssl rsa -noout -modulus -in dave.pem | openssl md5
which SHOULD return a MD5 checksum, but instead returned: -
unable to load Private Key
4686818796:error:0DFFF0A8:asn1 encoding routines:CRYPTO_internal:wrong tag:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.11.1/libressl-2.8/crypto/asn1/tasn_dec.c:1144:
4686818796:error:0DFFF03A:asn1 encoding routines:CRYPTO_internal:nested asn1 error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.11.1/libressl-2.8/crypto/asn1/tasn_dec.c:317:Type=X509_ALGOR
4686818796:error:0DFFF03A:asn1 encoding routines:CRYPTO_internal:nested asn1 error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.11.1/libressl-2.8/crypto/asn1/tasn_dec.c:646:Field=pkeyalg, Type=PKCS8_PRIV_KEY_INFO
4686818796:error:09FFF00D:PEM routines:CRYPTO_internal:ASN1 lib:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.11.1/libressl-2.8/crypto/pem/pem_pkey.c:143:
d41d8cd98f00b204e9800998ecf8427e
Yeah, you guessed it, I broke my private key by removing RSA :-)
It was relatively easy to fix, it was all down to the way that I was generating my key and certificate. I switched to this: -
openssl req -subj '/C=GB/O=IBM/CN=davehay' -new -newkey rsa:2048 -days 365 -nodes -x509 -sha256 -keyout dave.key -out dave.crt
and, after munging the key and certificate: -
cat dave.key dave.crt > dave.pem
I ended up with a PEM file that I did NOT need to edit i.e. it contained the key (!) string: -
-----BEGIN PRIVATE KEY-----
and, more importantly, it validated without problems: -
openssl x509 -noout -modulus -in dave.pem | openssl md5
1c03038c6be240c22d759bfef58e9db2
openssl rsa -noout -modulus -in dave.pem | openssl md5
1c03038c6be240c22d759bfef58e9db2
and, even more importantly, my code works!!!
Moral of the story ? Don't manually hack your keys, instead check the way that you're generating them in the first place :-)
No comments:
Post a Comment