Error Reading X509 Key Or Certificate File
trouble getting apt-get to work with https

Ask Ubuntu question:

I have a (private) apt repository set up on a server. I'm only allowing access to this repository over SSL, and only with a client certificate. I have tested the connection using curl:

    $ curl --cacert /opt/CA.crt --cert /opt/user.crt --key /opt/user.key --pass 1234 https://example.com/dists/lucid/main/binary-amd64/Packages.gz

The content is downloaded as expected. I've created a file in /etc/apt/apt.conf.d/45example-com with:

    Debug::Acquire::https "true";
    Acquire::https::example.com {
        Verify-Peer "true";
        Verify-Host "true";
        CaInfo "/opt/CA.crt";
        SslCert "/opt/user.crt";
        SslKey "/opt/user.key";
    };

I've added a file at /etc/apt/sources.list.d/example.com.list with:

    deb https://example.com/ lucid main

There seems to be a problem with the CA cert; when I try an update I get the following:

    # apt-get update
    * Connected to example.com (8.0.0.8) port 443 (#0)
    * found 1 certificates in /opt/CA.crt
    * error reading X.509 key or certificate file
    * Closing connection #0

The server logs on example.com show that no request got there, so I guess that apt-get is failing before trying to send the request (which matches what
Source: http://askubuntu.com/questions/166215/trouble-getting-apt-get-to-work-with-https

docker/docker issue #14317: Error reading X509 key pair (...) crypto/tls: private key does not match public key
https://github.com/docker/docker/issues/14317
Closed. peter-leonov opened this issue Jul 1, 2015 · 7 comments. Labels: version/1.7. No milestone. No one assigned. 3 participants.

peter-leonov commented Jul 1, 2015

Description of problem: Weird error log messages from a running Docker daemon.

docker version:

    Client version: 1.7.0
    Client API version: 1.19
    Go version (client): go1.4.2
    Git commit (client): 0baf609
    OS/Arch (client): linux/amd64
    Server version: 1.7.0
    Server API version: 1.19
    Go version (server): go1.4.2
    Git commit (server): 0baf609
    OS/Arch (server): linux/amd64

docker info:

    Containers: 6
    Images: 175
    Storage Driver: aufs
     Root Dir: /var/lib/docker/aufs
     Backing Filesystem: extfs
     Dirs: 187
     Dirperm1 Supported: false
    Execution Driver: native-0.2
    Logging Driver: json-file
    Kernel Version: 3.13.0-52-generic
    Operating System: Ubuntu 14.04.2 LTS
    CPUs: 2
    Total Memory: 1.955 GiB
    Name: uk
    ID: VPTY:47IV:KZWE:JAOO:CVAC:QKX2:FD5K:LJE3:OELB:4HOJ:ID7O:RJR5
    WARNING: No swap limit support
    Labels:
     provider=digitalocean

uname -a:

    Linux uk 3.13.0-52-generic #85-Ubuntu SMP Wed Apr 29 16:44:17 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Environment details (AWS, VirtualBox, physical, etc.): A DigitalOcean droplet created and provided by docker-machine v0.2.0 on 22.06.2015. Droplet details: 2GB RAM, 30GB SSD disk, Amsterdam 3, Ubuntu 14.04 x64.

How reproducible: Stop the docker daemon using Upstart with "stop docker", or wait for the daemon to unexpectedly shut itself down (a subject for another issue), then check out /var/log/upstart/docker.log

Steps to Reproduce:
1. sudo stop docker
2
From: Chris Baylis
client certificate instead of a regular token. This proved to be not so easy, for reasons I hadn't foreseen.

Step 1 - generate a certificate

This is well documented on the Internet, with one caveat: many how-tos don't let you protect your key with a passphrase. I think you should, and exactly that turned out to be the unforeseen reason this whole thing was harder than expected. For documentation reasons, I will add my own method.

First create a config file to make experimenting easier; change the values in the [ dn ] section (C must be exactly two letters, or openssl rejects the request) and call the file e.g. cert.conf:

    [ req ]
    default_bits       = 2048
    prompt             = no
    encrypt_key        = yes
    default_md         = sha256
    distinguished_name = dn

    [ dn ]
    C            = Country Name (2 letter code)
    ST           = State or Province Name (full name)
    L            = Locality Name (eg, city)
    O            = Personal
    emailAddress = you@yourdomain.com
    0.CN         = Your Name

With prompt = no the [ dn ] values are taken as they are (the 0. prefix on 0.CN is openssl's way of allowing a field to appear more than once and is stripped), and encrypt_key = yes makes openssl ask for a passphrase for the new key. Now generate a key and certificate with a passphrase using this config file (I will use th3p@ss as the passphrase throughout this text):

    openssl req -config cert.conf -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 14

The certificate will only be valid for 14 days, plenty of time to experiment :-) You can now verify the certificate:

    $ openssl x509 -in cert.pem -noout -text
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number: 11244389068616569346 (0x9c0c1848572d1202)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BE, ST=Vlaams-Brabant, L=Rotselaar, O=Personal/emailAddress=jo.vandeginste@gmail.com, CN=Jo Vandeginste
        Validity
            Not Before: Jul 20 13:07:24 2016 GMT
            Not After : Aug  3 13:07:24 2016 GMT
        Subject: C=BE, ST=Vlaams-Brabant, L=Rotselaar, O=Personal/emailAddress=jo.vandeginste@gmail.com, CN=Jo Vandeginste
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    [...]
Step 2 - connect to the Vault server

Now try to contact your Vault server with it:

    $ curl https://vault.example.com/v1/sys/health --cert cert.pem --key key.pem
    curl: (35) error reading X.509 key or certificate file: Decryption has failed.

What? I spent a long time figuring this out, until the answer became obvious: the key is encrypted (passphrase), but curl doesn't prompt for the passphrase. The message comes from curl's GnuTLS backend failing to decrypt the key file; it is the same error the apt question above runs into. After some digging around, I found out that you need to put the passphrase together with the cert.pem, as cert.pem:passphrase:

    $ curl https://vault.example.com/v1/sys/health --cert cert.pem:th3p@ss --key key.pem
    {"initialized":true,"sealed":false,"standby":false,"server_time_utc":1469020614}

curl's --pass option does the same job (the apt question above used it as --pass 1234). Either way the passphrase is part of the command line, so it shows up in the process list and stays in the shell history; putting it in a curl config file with restrictive permissions and passing that with -K avoids both. Okay, better now! (Not really, since I see my
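Both failures on this page have the same diagnostic: load the key and the certificate with openssl(1) before handing them to a tool that cannot prompt for a passphrase (curl, apt-transport-https, the Docker daemon). The script below is an added example, not code from the blog post, the Ask Ubuntu question or the Docker issue. It generates an encrypted key and self-signed certificate from a config in the shape of cert.conf above (the DN values, the passphrase th3p@ss and the host vault.example.com are taken from the post or assumed for illustration), shows that the key is unreadable without its passphrase (the curl and apt failure) and readable with it, checks that the certificate's public key equals the key's public key and then breaks that check by pairing the certificate with an unrelated key (the condition the Docker daemon reports as "private key does not match public key"), and finally writes the passphrase into a mode-0600 curl config file so it never appears in the process list. Only openssl is needed; nothing connects to a server.

```shell
#!/bin/sh
# Added example (not from any of the posts quoted on this page).
# Reproduces, offline and with openssl(1) alone, the two ways a cert/key pair
# fails to load that this page shows:
#   1. the key is passphrase-protected and nothing supplies the passphrase
#      (curl/apt: "error reading X.509 key or certificate file", "Decryption has failed")
#   2. the key does not belong to the certificate
#      (Docker/Go: "private key does not match public key")
# Assumptions: openssl is on PATH; the DN values, the passphrase th3p@ss (the
# blog post's) and the Vault URL are for demonstration only.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='th3p@ss'

# Request config in the blog post's shape, with concrete (assumed) DN values.
cat > "$WORK/cert.conf" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
encrypt_key        = yes
default_md         = sha256
distinguished_name = dn
[ dn ]
C            = BE
ST           = Vlaams-Brabant
L            = Rotselaar
O            = Personal
emailAddress = you@example.com
CN           = Your Name
EOF

# gen_encrypted_pair DIR: encrypted key + self-signed cert, non-interactively.
# -passout replaces the interactive passphrase prompt; encrypt_key = yes still applies.
gen_encrypted_pair() {
  openssl req -config "$1/cert.conf" -x509 -newkey rsa:2048 -days 14 \
    -keyout "$1/key.pem" -out "$1/cert.pem" -passout "pass:$PASS" 2>/dev/null
}

# key_is_encrypted FILE: succeeds when the PEM key is passphrase-protected
# (PKCS#8 "ENCRYPTED PRIVATE KEY" or legacy "Proc-Type: 4,ENCRYPTED").
key_is_encrypted() {
  if grep -q 'ENCRYPTED' "$1"; then return 0; else return 1; fi
}

# key_loads_with_pass FILE PASSPHRASE: succeeds when openssl can parse the key
# with that passphrase. An empty passphrase is what curl and apt effectively
# offer when nothing is configured, so it is the first thing to test.
key_loads_with_pass() {
  if openssl pkey -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1; then
    return 0
  else
    return 1
  fi
}

# cert_matches_key CERT KEY PASSPHRASE: succeeds when the certificate carries the
# public half of KEY. This is the check Go's tls.X509KeyPair performs and that
# the Docker daemon log above reports as failed.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null) || return 1
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then return 0; else return 1; fi
}

# write_curl_config DIR: keep the passphrase out of argv (ps, shell history) by
# putting it in a mode-0600 curl config; use it as: curl -K DIR/curlrc URL
write_curl_config() {
  (umask 077; printf 'cert = "%s"\nkey = "%s"\npass = "%s"\n' \
      "$1/cert.pem" "$1/key.pem" "$PASS" > "$1/curlrc")
}

demo() {
  gen_encrypted_pair "$WORK"
  key_is_encrypted "$WORK/key.pem" && echo "key.pem is passphrase-protected"
  key_loads_with_pass "$WORK/key.pem" "" || echo "key.pem unreadable without passphrase: the curl/apt failure"
  key_loads_with_pass "$WORK/key.pem" "$PASS" && echo "key.pem readable with passphrase"
  cert_matches_key "$WORK/cert.pem" "$WORK/key.pem" "$PASS" && echo "cert.pem and key.pem belong together"
  # A second, unrelated key paired with the same certificate reproduces the Docker error.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.pem" 2>/dev/null
  cert_matches_key "$WORK/cert.pem" "$WORK/other.pem" "" || echo "cert.pem does not match other.pem: the Docker/Go failure"
  write_curl_config "$WORK"
  echo "passphrase stored in $WORK/curlrc; use: curl -K $WORK/curlrc https://vault.example.com/v1/sys/health"
}
demo
```

The public-key comparison is backend-independent: it works the same for the Ubuntu curl (GnuTLS) the question used, for apt-transport-https and for the Docker daemon, because all of them ultimately require the certificate's SubjectPublicKeyInfo to be the public half of the key they are given.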